hoakley February 28, 2021 Macs, Technology

Last Week on My Mac: Users are losing out against Big Sur’s sealed System

Big Sur’s sealed System volume seemed like a good idea. Although the read-only version in Catalina may look impregnable, guaranteeing integrity using a Merkle Tree of hashes, then locking the whole lot in a snapshot, looks even more robust. Like other good engineering ideas, though, it also needs thinking through thoroughly.

Even in a perfect macOS development cycle, there are normally at least five substantial updates. In addition, there are often compelling reasons for urgent patches. The recent sudo bug is a good example in which no one is at fault, although everyone might be to blame for not spotting this in a decade. Even in non-pandemic times, rolling that fix into 11.2 would have been disruptive, hence the need for 11.2.1, which works so much better in the new version numbering.

Then Apple must have received reports of a severe hardware/firmware problem which was actually damaging recent Mac models, and a firmware update for the affected Macs was even more pressing. So came 11.2.2, just over two weeks after 11.2.1, which was a mere eight days after 11.2.

In macOS past, those two patches could have been small, whether installed by the system or using a downloadable Installer package. Several factors now conspire to turn a few kilobytes of changes into several gigabytes of update:

Firmware updates are only provided as part of a macOS update, and Apple deems it necessary for every macOS update to include a complete set of current firmware for Intel models. This contributes around 600 MB to every update, perhaps more now to cater for T2 and M1 models too.
The dyld cache, nine files occupying about 4 GB when compressed in /System/Library/dyld, which contains a dynamic linker cache of all the system-provided libraries. These fall within the SSV, and appear to have to be freshly provided in every macOS update.
Full support for both Intel and ARM-native code, with the exception of Rosetta 2, which only resides on the Data volume of Apple Silicon models and is managed separately.

The Big Sur 11.2.2 update is a good example of what’s almost a null change, yet requires 2.6 GB of installer files to be downloaded for an Intel Mac, and 3.1 GB for an M1 model. For comparison, a minimal update to Catalina required less than 1.2 GB, and for Mojave less than 1 GB, much of which were the seemingly obligatory set of firmware for every supported Mac.

The time required to install these much larger updates has also increased substantially. Before the installation can even start, Big Sur updates now require a minimum of 15 minutes ‘preparation’, just as those for iOS/iPadOS do. The similarities here are made more obvious by a typo in log entries during this ‘preparation’ phase, which refers to the “BRAIN” being used not as macOS but “iOS 11.2.1 20D74 (Customer)”, for instance.

Minimising download time with a local Content Caching Server, second and subsequent updates still require a minimum of around 40-45 minutes, to which M1 models have an additional 1 GB which has to be downloaded from Apple’s servers, and can’t be obtained from the local cache.

As Jeff Johnson has reminded us, Apple still claims that Big Sur has “Faster updates. Once macOS Big Sur is installed, software updates begin in the background and complete faster than before — so it’s easier than ever to keep your Mac up to date and secure.” Anyone who has been keeping Big Sur up to date over this last month knows that’s simply not true, and its reasoning is flawed. Whether updates are downloaded in the background or not, when a null update like 11.2.2 takes more than half an hour to install in addition to its 15 minute ‘preparation’, today’s updates are far more time-consuming than ever before.

What this month has demonstrated, reiterated and rubbed in until the wounds bleed again, is how massive and debilitating updating Big Sur has become. Fixing an issue in the firmware of a few models now requires that everyone running Big Sur downloads 2.6 to 3.1 GB of installer files, then waits as their Mac is unusable during the preparation and installation process of more than forty minutes. For most users with high-bandwidth internet connections, that comes to a total of at least an hour, which is longer than major updates took in Mojave and earlier.

Worse still, if you have the misfortune to be running from an external bootable SSD on your M1 Mac, chances are that you can’t even update macOS, and that can apply to Big Sur running in VMs too.

Had Apple explained these costs and penalties of the SSV at last year’s WWDC, wouldn’t it have been booed from the virtual stage? To make this work for users, rather than its own engineers, Apple needs a radical approach. Instead of every update being based around a universal set of data files, the installer brain needs to work more intelligently. Why does every Mac need a copy of the firmware for every model? How can the burden of dylds be minimised?

If Apple can’t come up with a better solution designed to accommodate the needs of users around the world, many are not going to keep updating, and Big Sur will become the lemon it doesn’t deserve to be.

35Comments

Add yours

1

EcleX on February 28, 2021 at 8:20 am

Thanks. And security updates like MRT and XProtect not being shown at all in “Apple – About This Mac – Software Update” and not being installed by macOS updaters either. Yet, SilentKnight sees them! Hopefully, Apple will fix all that.

LikeLiked by 1 person
2

brightlondon on February 28, 2021 at 12:43 pm

Thank you Howard, you have summed up my own frustrations with Big Sur precisely. I’m very much in favour of changes that enhance security. Running a computer from a read-only snapshot of a cryptographically verified system volume seems like a great idea on the face of it. But the huge overheads this creates for updates, backups and restoration from backup, not to mention the considerable additional complexity (and reduced flexibility) in these processes, seem like too heavy a price to pay on a desktop/laptop computer.

Yesterday I started setting up a new M1 MacBook Pro. Bringing it up to date (from 11.2, I think) took well over an hour. Even the download took forever, I assume because all over the planet M1 Macs were downloading a multi-gigabit update from an Apple CDN that is struggling to cope with this new demand. I could have done a complete re-installation of the OS or a major version upgrade in less time with earlier iterations of macOS. I agree with you that this will put off many people (and small organisations) from updating, which then exposes them to greater security risks.

And don’t get me started on the latest the UI!! Riccardo Mori has already provided a detailed analysis of its ergonomic failings (https://morrick.me/) so I won’t repeat those gripes here!

LikeLiked by 2 people
- 3
  
  hoakley on February 28, 2021 at 4:27 pm
  
  Thank you.
  I’m actually not so concerned about the UI. It can and will change in the future. That’s the nature of the UI. But unless Apple does something to improve macOS updates, it’s going to lose a lot of users, and those who remain will increasingly opt for older versions of macOS, not Big Sur. Given many other improvements which Big Sur does bring – and I’m still a supporter of the concept of the SSV – that would be a tragedy for macOS 11.
  Howard.
  
  LikeLike
4

Joel Bruner on February 28, 2021 at 3:30 pm

So it’s “not just me” then, eh? Thanks for sharing your thoughts as always. The update process too seems to love repeatedly asking for my password on my M1 Air. It’s like “Did I stutter macOS!? Yes, update already!” first a password so it can update “later tonight” but then when I want it to run immediately it asks again. And if that gets interrupted, to run it again, it needs a password, again. Aye.

LikeLiked by 1 person
- 5
  
  hoakley on February 28, 2021 at 4:28 pm
  
  Thank you.
  Keeping four Macs up to date is a nightmare, and has stolen so much time and effort this month.
  Howard.
  
  LikeLike
6

Tudorminator on February 28, 2021 at 4:49 pm

Thank you. I’m not getting nowhere near Big Slur. Partly because my 2014 Mac mini was left behind, and partly because of all your findings. Where I beg to differ is that I think it very much deserves to be a lemon because of all the user hostile changes it brings.

LikeLiked by 1 person
7

jlforrest on February 28, 2021 at 5:01 pm

As someone who has nothing at stake in MacOS itself, but who is interested in the new Apple Silicon processors, this is all very discouraging. I’ve decided to wait until a production quality version of Linux for Apple Silicon comes out before considering buying a new Mac. I realize that might take a while, or might even never happen.

LikeLiked by 1 person
8

Bruce Michel on February 28, 2021 at 5:03 pm

Big Sur updates continue the tradition of the infamous “Less than one minute remaining” message. Last update to 11.2.1, I timed it at four minutes plus. Most of the other time estimates are also way off.

LikeLiked by 1 person
9

Robin K on February 28, 2021 at 7:15 pm

Of course, everyone wants enhanced security. Unfortunately, there is no objective measure of how much more secure Big Sur is than Catalina. Or Mojave. The risk assessment in my view is completely opaque.

I stood on the sidelines while the teething problems of Catalina were slowly resolved. Big Sur is even more problematic. I don’t see moving to Big Sur at all, even though I was looking forward to an Apple Silicon Mac. Our 2018 MBPs work just fine as they are. Your assessment is correct: lots of folks will avoid these issues by standing with older Apple hardware or finding alternatives.

LikeLiked by 1 person
10

Steve Roggenkamp on February 28, 2021 at 7:49 pm

I bought my first Mac about two years ago, a MacBook Pro, after using Linux based systems for many years, primarily Ubuntu and Debian distributions. Most Debian and Ubuntu updates are very painless with just a few minutes of downtime but only when when kernel or system software is involved. The Mac update is very painful and has becoming increasingly frequent. It seems Apple does not have its system software engineering processes together. I have not installed Big Sur installed yet and probably will not for quite some time. i will not partake of Apple’s new M1 system, so this will probably be my first and last Mac.

LikeLiked by 1 person
11

Mauro on February 28, 2021 at 8:12 pm

I regret to have update to Big Sur.
Beside all already mention I own a dockstation, DELL WD15 precisely, and become Just useless since I update, but on a less personal note the amount of issues reported on flickering display is absurd.
And these are just some of the issues I stumble on…

LikeLiked by 1 person
- 12
  
  Beau Gunderson on March 1, 2021 at 9:16 am
  
  That dock was likely rendered permanently unusable by the bug just fixed in 11.2.2. In the last six months my 16″ MBP has killed 5 docks (including a CalDigit and a Dell) and a MOTU M4 audio interface. It wasn’t until the CalDigit and the Dell died in the same day, followed by 11.2.2 coming out the day after that I figured it all out.
  
  LikeLiked by 1 person
  - 13
    
    hoakley on March 1, 2021 at 11:29 pm
    
    I’m sorry to hear that. I trust that you have raised this with Apple?
    Although Apple hasn’t release any details, I was under the impression that this was a new bug, no older than 11.2. But you suffered it in Catalina too? That’s worrying, as I don’t think that 10.15 has any fix.
    Howard.
    
    LikeLike
14

Joe R. on February 28, 2021 at 8:54 pm

I feel vindicated for staying on Mojave every time I hear these type of stories. Unfortunately this short lived victory will be meaningless if I can’t move up at some point in the future, which will be very sad since the alternatives are not very appealing.

LikeLiked by 2 people
- 15
  
  ericrfmwp on March 1, 2021 at 1:54 am
  
  You took the words right out of my mouth… After hearing how horrible Catalina was, I did not have much hope for Big Sur being developed for a new architecture. So I’m also at Mojave and holding.
  
  LikeLiked by 1 person
16

EcleX on February 28, 2021 at 9:21 pm

Does SSV stand for Systems Software Verification?

LikeLiked by 1 person
- 17
  
  hoakley on February 28, 2021 at 9:25 pm
  
  No. As I explain in many articles here, it’s Sealed System Volume, as opposed to Catalina’s regular System volume, which isn’t sealed, or a snapshot.
  Howard
  
  LikeLike
18

Rocky on March 1, 2021 at 1:50 am

Piggybacking on earlier comments: recent major and now minor Mac updates (and iOS updates, but out-of-scope here) repeatedly ask for different input at misleading intervals (“only 5 minutes remaining … only 50 minutes remaining.” What the ….). Updates are never a “click OK and walk away” experience.

You must babysit the process, waiting an unpredictable time, for an unpredictable input (passwords or poorly explained button clicks), an unpredictable number of times. And too often, the process fails for poorly-explained reasons, so you must start the whole thing over.

Not just user-unfriendly, user-hostile.

Never thought I’d use that phrase with Apple products.

LikeLiked by 1 person
19

Authun on March 1, 2021 at 11:22 pm

The travail of Apple’s macOS has been a boon for the open-source GhostBSD project (www.ghostbsd.org). The consistent upward trend in monthly donations appears to indicate more individuals seek out projects, like GhostBSD, to solve their computing needs for stability and privacy.

LikeLiked by 1 person
20

gastropod on March 2, 2021 at 12:02 am

It’s far worse if you have a slow connection. I have DSL, and it’s not possible to download it at all. It takes 2 hours per GB download at best so in principle, it would take a day. But I’ve tried it several times since the beta came out (giving up all other internet to let it max out the connection), and it never finishes–it aborts part way through. I was able to resume it once, but it stopped again and after that it stayed stuck. I have the same problem trying to download anything from apple tv+, and imazing has troubles downloading the larger ios apps so I often have to try several times.

Even when I have access to a ‘faster’ connection such as at the library, I can’t take advantage of it. I couldn’t find a way to download the BS installer onto an ipad and all of my laptops are too old to run it, so I can’t download it on those either.

Apple has always been mediocre at large downloads, but over the last year or two it’s as though they don’t particularly want to bother with customers that don’t have gigabit connections. They certainly don’t bother to test anything at slow speeds.

I’m so glad that retirement is looming, so I won’t have to support any of the current debacle.

LikeLiked by 1 person
- 21
  
  hoakley on March 2, 2021 at 12:04 am
  
  You have my sympathy – although my connection is rather faster than that, I have to download Xcode overnight.
  Howard.
  
  LikeLike
22

Scott on March 2, 2021 at 4:12 am

People with slow connections sincerely have my sympathy with these 3GB updates. It shouldn’t be the case that every computer requires firmware for every Mac still under support. Apples (sorry bad joke) to oranges, when Linux distributions update firmware it’s a considerably smaller update limited to blobs that come with the kernel. That said, that firmware update also includes firmware not needed by the system, just not loaded. Apple’s practices are therefore not unusual with Unix-like systems. The only thing that’s unusual is that a single OS is updating files for two different completely different architectures plus their respective firmware in a single monolithic blob. I’m sure this could be handled better than it currently is.

This is my first brush with Macs. Literally my first Mac is a MBP M1 and it’s only 3 months old. I got it for delving into Mac forensics. Yet because of my personal circumstances: I live in town, my internet connection is reasonably wide, and my MBP is not my primary computer, I don’t feel any concern with waiting 15 minutes for it to update. Windows 10 on my desktop is reasonably speedy (less than 5 min most months) in monthly updates, but it’s not entirely fair to compare it as such. The way Apple has chosen to update MacOS is closer to the biannual feature updates which do take 15-20 min on Windows 10. I think only time will show if Apple’s method of sealed capsule updates will keep MacOS safer in the evolving security threat environment. The jury is out. Can this method keep root kits out of the Mac ecosystem? Maybe. Will it keep Mac users safer from data thieves? Probably not. Those are separate questions. You don’t need root or root kits to steal user information.

Hopefully Apple will figure out M1 (or Intel) Macs don’t need firmware, drivers, and binaries that only Intel Macs have and vice versa resulting in smaller updates, but I won’t hold my breath. News reports over the years points to a consistently stubborn Apple in nearly all areas.

LikeLiked by 1 person
- 23
  
  hoakley on March 2, 2021 at 11:45 pm
  
  Thank you.
  There are very few platform-specific files in macOS. One which springs to mind is Rosetta 2, which isn’t installed to the System volume, as it’s updated separately from macOS, and isn’t installed by default either (only on demand). That of course only ships on Apple Silicon.
  Although the overall savings of cutting out Universal apps and binaries might be significant, it would greatly complicate using macOS – for instance, external bootable disks which could only boot Intel Macs, or M1 models.
  There’s a great deal in what software update downloads which isn’t universal, though, like the complete set of firmware updates for every single Mac. That accounts for around 600 MB of each update.
  Howard.
  
  LikeLike
24

Dio Gratia on March 3, 2021 at 9:15 pm

We seem to be getting new bugs faster than they are retired due to changes in releases. While not a big user what happened to Fast User Switching? Seems that week between releases isn’t enough to do comprehensive testing either.

Now all the sudden when using Optimized battery charging 95 percent and higher becomes 100 percent when connected to a power adaptor. Yet third party tools can tell you what the actual charge state of your battery is without disconnecting the power adaptor.

One irksome example of update ‘efficiency’ is the Xcode Command Line Tools getting mostly removed every update, and that’s bloated too. The installed packages database is ignored by updates. Where are all those SDKs pkgutil reports?

The Migration Assistant App should have grown in complexity or refused to migrate system items. You’re going to end up reinstalling all that anyway. Save us from all those printer drivers and VBox kexts.

The good news is if you brick your M1 Mac you can get it going again.

LikeLiked by 1 person
- 25
  
  hoakley on March 3, 2021 at 10:36 pm
  
  Thank you.
  Howard.
  
  LikeLike
26

Blog101 on March 10, 2021 at 4:36 am

The update didn’t fix the widespread Thunderbolt/USB speed issues that people are having when either attaching SSD’s directly to an M1 Mac or through a Thunderbolt 4 or Thunderbolt 3 dock. What a mess. My OWC TB4 dock gets 150 MB/s vs my TB3 dock which get 600 MB/s with SansDisk SSDs that get 900 MB/s when attached directly to the M1. I’ve read some people with Samsung SSD’s have the opposite problem and experience degraded speed when attached directly to the M1.

LikeLiked by 1 person
- 27
  
  hoakley on March 10, 2021 at 6:42 am
  
  Thank you.
  I haven’t come across any such issues, despite testing a wide range of external SSDs and writing my own disk benchmarking app.
  However, there are several problems which users can encounter, from requiring firmware updates on the SSD (e.g. Samsung T7), through cables (not all ‘TB3’ cables are Intel-approved), to the benchmarks they’re using.
  I’m not sure which docks you’re referring to when you write about “TB4” docks. I don’t see any “Thunderbolt 4” docks from OWC, for example, but surely the first thing to do if you have unexpected performance problems is to check with the supplier. What does OWC say about this?
  Which benchmarking software are you using to measure ‘performance’? What results do you get using my own utility Stibium, for example?
  (Noting that none of this has anything to do with this article, though, and I do have plenty of articles here about the topic of SSD performance with M1 Macs.)
  Howard.
  
  LikeLike
28

Michael Tsai - Blog - Mac Software Updates Open Up sshd on March 15, 2021 at 8:24 pm

[…] couple of weeks ago, I read a post about how the “sealed system” on Big Sur was hurting people. I kind of skimmed through […]

LikeLike
29

gym on March 16, 2021 at 4:14 pm

Wait until you upgrade to 11.2.3…size is 12.2GB takes a good 45-60 mins to upgrade..lost count on the reboots.

LikeLiked by 2 people
- 30
  
  hoakley on March 16, 2021 at 7:48 pm
  
  Thank you. I did that long ago. It didn’t take any longer than 11.2.2 or 11.2.1, but it’s getting a bit wearing doing this on 4 Macs every couple of weeks.
  Howard.
  
  LikeLiked by 1 person
31

markbot2zero on March 24, 2021 at 7:03 pm

Dear Howard,

I just noticed this:

“What is a signed system volume?”

Which states:

[SSV] “also allows software updates to complete in the background while you work, which reduces the time it takes for your Mac to restart and complete updates.”

This sounds like marketing moonshine. Or “spirited optimism” from drinking too much Cupertino water. Or maybe it’s true in theory, but somehow not in practice.

Just curious what you (or anyone) might think.

-Mark

LikeLiked by 2 people
- 32
  
  hoakley on March 24, 2021 at 7:29 pm
  
  Thank you.
  First, macOS updates can’t “complete” in the background. They complete by installation, which currently takes around 40 minutes for a minimal (null) update, as we saw in 11.2.2.
  Second, you’ve always been able to download macOS updates in the background. That hasn’t changed, although maybe Big Sur puts this more in the background, which only prolongs the time required.
  Third, Big Sur has added 15 minutes “preparing” time. Although you can continue to use your Mac during that time, and it’s no longer downloading, any more prolonged or intense tasks become subject to rapid termination once that preparation is complete. You’re working against the clock.
  Fourth, see my article on the size of updates in Big Sur. The larger the update, the longer it takes to install. Thus increasing size of updates increases the time it takes for your Mac to complete updates, and it certainly doesn’t reduce it as claimed.
  So, it’s total bullshit and flies in the face of experience with Big Sur, whether on Intel or (even worse) on Apple Silicon.
  Howard.
  
  LikeLiked by 1 person
33

markbot2zero on March 24, 2021 at 7:03 pm

Aargh! I keep forgetting not to put URLs in brackets:

https://support.apple.com/guide/mac-help/what-is-a-signed-system-volume-mchl0f9af76f/mac

LikeLiked by 2 people
34

jbrickley on March 27, 2021 at 9:58 pm

Knowing how Apple operates it won’t be until the next macOS major release or the one after that before you get to a point where they will actually fix the software updates to only download what’s absolutely necessary. They already distribute different updates for different models of Mac. Surely they can determine if your particular Mac requires a firmware update or not and only download if it’s necessary. They did shrink iOS / iPadOS updates in some manner so perhaps they can do the same for macOS.

LikeLiked by 1 person
- 35
  
  hoakley on March 27, 2021 at 10:10 pm
  
  Thank you.
  Currently, there appear to be only two variants of each update: one for Intel Macs (all models, including those with a T2 chip), and one for M1 Macs. Since Apple rolled firmware updates into macOS updates, every macOS update has included a firmware updater which can update any supported model. The only change to this has been with the M1 models, which have very different firmware. But that imposes a relatively small overhead of around 600 MB.
  It is noticeable how much smaller iOS/iPadOS updates are – I believe that they are more model-specific.
  Howard.
  
  LikeLike