> That's why Apple has the Developer and Public Beta releases for iOS/OSX so that external users can provide feedback. And on this occasion just like on many other they will take action if necessary.
Except that Apple did not take action. Firewall developers such as Little Snitch did become aware of the issue during the beta releases and gave feedback to Apple, which Apple ignored and shipped it anyway to the public. https://blog.obdev.at/a-hole-in-the-wall/
It's not up to customers to assume the good intentions of a large organization. Apple has internal decisions and processes that result in them not communicating in a timely manner. Whatever fallout from that is on them.
There was a ContentFilterExclusionList key in the /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist file. macOS 11.2 beta 2 removed the ContentFilterExclusionList. Does that take 6 months?
Noticing the issue, discussing it, setting meetings to agree to revert, and handling all other higher priority stuff before an eminent GM release and the most pressing x.1 update release, can take more than 6 months.
Not to mention that "removing the ContentFilterExclusionList" is a hacky fix suggestion. Doesn't mean it's the actual hollistic fix, and there weren't other under the hood changes for this issue.
> Not to mention that "removing the ContentFilterExclusionList" is a hacky fix suggestion.
You've got in backwards. The ContentFilterExclusionList was itself a hack. It never should have existed.
Some people are handwaving about a mysterious vague problem that calls for a ContentFilterExclusionList, but Little Snitch has existed for many many years on the Mac and has been able to block everything, including Apple services. There was no problem with that until Apple decided to exempt itself from getting blocked.
>You've got in backwards. The ContentFilterExclusionList was itself a hack. It never should have existed.
It might or might not be a hack, but that's orthogonal to the functionality or whether it uses a ContentFilterExclusionList.
The fact that it wasn't there before, or that it is a misguided feature idea, doesn't mean it was done as a quick and dirty implementation or that it's hastily made feature done via cutting corners.
If you accept the need for your own apps to bypass user application filtering (eg. because you consider your traffic/apps integral to the OS operation) then that's the kind of thing you'd implement -- and you could do it with a team of 100, working for months with fine specs, to deliver the same thing.
There's nothing inherently hacky about it.
>There was no problem with that until Apple decided to exempt itself from getting blocked.
That's neither here nor there though, as to whether it was done as a hack - or, to get back to the point, as to whether they could just rip it off trivially.
People forget this is not just a single feature, but part of a change to how network filtering is done (not through a third party kernel extension anymore), accompanied with new APIs.
> doesn't mean it was done as a quick and dirty implementation or that it's hastily made feature done via cutting corners.
I wasn't implying that. The ContentFilterExclusionList was already present in the first WWDC beta and could have been there internally for many months prior, who knows. I was using "hack" more in the sense of bypassing a security system. I said "It never should have existed", which is not a comment on the quality of the design of the thing that did exist.
> People forget this is not just a single feature, but part of a change to how network filtering is done (not through a third party kernel extension anymore), accompanied with new APIs.
I'm not "people". I'm well aware and haven't forgotten. I've been a professional Mac developer for 15 years. I've used the Network Extension API myself. You may remember me from such news stories as the Mac OCSP appocalypse. https://techcrunch.com/2020/11/15/apple-responds-to-gatekeep... It's incredibly tiresome when HN commenters try to "Macsplain" to me.
>It's incredibly tiresome when HN commenters try to "Macsplain" to me.
Isn't it also tiresome when people on HN assume we know who they are from their handle, or that we are somehow obliged to have followed them outside HN, and remember/know who they are?
I might recognize pg, or patio11, or tptacek, and a few more, but not everybody. And most handles, I just glaze over, they are not the important part in the discussion. I'm pretty sure most of us on HN have dozens of HN handles that we don't otherwise know who they are, or even keep tabs on from one HN thread to another.
I wouldn't try to "Macpslain" if your comment didn't seem to me to imply that this is just some an isolated thing with ContentFilterExclusionList, that can just be reversed like that, or if it mentioned that this is part of an extensive change to how network filters / kernel extensions work (or rather, don't work anymore) in Big Sur.
> Isn't it also tiresome when people on HN assume we know who they are from their handle
No, I don't expect people to know who I am. However, I do expect people to avoid assuming that I'm ignorant of the subject at hand. This ought to be the default approach you have toward anyone.
In this same thread, I was referred to as "My sweet summer child", as if I didn't understand software development at all. This shouldn't happen, regardless of whether you know me or not. https://news.ycombinator.com/item?id=25771925
If this one change is in a pool with tens of thousands of other possible changes, and it also has to go through one or more QA cycles? Sure, why not 6 months?
Because the first WWDC preview version of Big Sur was released to developers on June 22, 2020, and Big Sur was released to the public on November 12, 2020, so Apple needs to be able to fix issues identified during the beta period much quicker than in 6 months.
Apple doesn't have to "fix issues identified during the beta period" much quicker than the release date.
No OS does, including FOSS distros / OSes.
Apple just has to fix "the most important issues" with the most bang for the buck identified during the beta period before release.
Which they do.
The ones they consider less important are put in a backlog.
You can find "issues identified during beta releases" still open and unfixed for all OSes, some even going 10 years back, long after the release was out...
> The ones they consider less important are put in a backlog.
True, but this just proves my point. It still doesn't take 6 months to fix this issue... if they wanted to fix it. Deprioritizing it was a deliberate choice by Apple. The reason the exclusion list shipped to the public in Big Sur wasn't technical, the reason is that Apple's priorities are messed up.
From my perspective, the explanation is simple: ContentFilterExclusionList wasn't a "bug", it was a deliberate "feature". So from Apple's perspective, there was nothing to "fix". At least one developer was told it "behaves as intended": https://twitter.com/david_ddw/status/1329017113709842437
Only the public backlash caused Apple to remove it.
>True, but this just proves my point. It still doesn't take 6 months to fix this issue... if they wanted to fix it.
Just because it was reported as an issue doesn't mean it was thought as a bug (or an issue to fix) by Apple. That's what they wanted to do. People coded it explicitly.
>Deprioritizing it was a deliberate choice by Apple.
Of course. Why wouldn't it be?
>From my perspective, the explanation is simple: ContentFilterExclusionList wasn't a "bug", it was a deliberate "feature".
Again, of course. Some people complained this was a bug, Apple thought it wasn't, the issue remained on the back burner, until some time it was given more consideration and was decided to fix.
What I'm saying is "why this took 6 months" doesn't make much sense as a question. Why wouldn't it? Unless something is a show stopper or high impact bug, it would take time. Even to be accepted as an issue to fix in the first place will take time. Plus all the internal red tape.
> What I'm saying is "why this took 6 months" doesn't make much sense as a question. Why wouldn't it?
For the 2nd or 3rd time in this thread, I have to remind that I was replying to a comment saying this: "That's why Apple has the Developer and Public Beta releases for iOS/OSX so that external users can provide feedback. And on this occasion just like on many other they will take action if necessary." So, maybe you should argue with that comment instead of with me?
My point was that developers filed feedback about this issue during the betas, yet Apple did not address that feedback, and thus "That's why Apple has the Developer and Public Beta releases for iOS/OSX" is not a valid point in this context.
>My point was that developers filed feedback about this issue during the betas, yet Apple did not address that feedback, and thus "That's why Apple has the Developer and Public Beta releases for iOS/OSX" is not a valid point in this context.
You're assuming that changing that list is the only thing they needed to do. Have you thought about why they felt they needed that list to begin with? Maybe because they wanted to quality control that all their core services could graceful handle being blocked by a firewall first? That is, the job wasn't changing the list. The job was probably quality control of everything potentially blocked by that list.
Or they just didn't think it was such an important issue. Most MacOS users by far probably don't care.
> You're assuming that changing that list is the only thing they needed to do.
No, you're assuming that I'm making that assumption. Why would you assume that?
> Most MacOS users by far probably don't care.
It's frustrating that people keep ignoring the fact that I was directly replying to this comment: "That's why Apple has the Developer and Public Beta releases for iOS/OSX so that external users can provide feedback."
If feedback during the betas does not make Apple take action, then the comment I was replying to was wrong.
Your response seems a bit ironic, though, because public backlash is exactly what caused Apple to backtrack.
My sweet summer child I hope you never have to develop or schedule software releases at a level of complexity where 6 months sounds anything less than luxurious.
Why do you think Apple should've solved this issue immediately? I'm sure you (and the other people in this thread) care a lot about the firewall exception, but from the perspective of Apple this must've been a non-critical issue at best. I don't understand why you assume Apple should've dropped everything and fixed this as soon as it was reported. And clearly, as opposed to what you say, they did take action - otherwise they'd never have removed it.
> from the perspective of Apple this must've been a non-critical issue at best.
From the perspective of Apple, this wasn't even an issue at all. It "behaves as intended". https://twitter.com/david_ddw/status/1329017113709842437 So that's why Apple didn't fix it. You don't fix something that you don't think is broken.
It's reasonable not to take action based on the feedback from a developer who sells an app-level firewall - it's neither a broad nor disinterested constituency. Big Sur's been out for less than two months - for a bigass company, it's decent turnaround.
Who else would Apple take feedback from during the betas? Who else would even notice that there was a hole in the firewalls except the firewall developers?
The gigantic majority of users who are not firewall developers as well as the gigantic majority who never touches the betas both seem like sensible and important sources of feedback.
> the gigantic majority who never touches the betas
I was replying to a comment that literally said, "That's why Apple has the Developer and Public Beta releases for iOS/OSX", so maybe you should argue with that comment instead of with me.
Except that Apple did not take action. Firewall developers such as Little Snitch did become aware of the issue during the beta releases and gave feedback to Apple, which Apple ignored and shipped it anyway to the public. https://blog.obdev.at/a-hole-in-the-wall/