Last Week on My Mac: Trust Apple

One of my first tasks writing for Mac magazines, in those days Felix Dennis’s original British title MacUser, was to summarise Apple’s release notes for updates to classic Mac OS. These days, not only has MacUser long since ceased publication, but Apple seems determined to stop us from knowing anything about macOS updates.

Last week, on 11 August, Apple released a surprise ‘patch’ update to Big Sur, bringing it to version 11.5.2. As I write this on the evening of 14 August, almost exactly three days later, Apple has told us next to nothing about that update.

Glance at Apple’s compilation of Big Sur release notes for users, and 11.5.2 doesn’t even exist. The latest update listed there is 11.5.1. What also strikes you from glancing down through previous release notes is how detailed they have been – 11.3 is an excellent example – while Apple seems to have lost interest more recently.

Moving on to Apple’s normally extensive Security Release Notes, all we see is “This update has no published CVE entries”, although at least that list acknowledges the existence of 11.5.2. It does, though, leave open the question as to whether there are any security fixes which aren’t covered by published CVEs.

Apple also produces a separate series of release notes for “enterprise”, which list changes in “the enterprise content” of Big Sur updates. That stops short at 11.5, and has no entries at all for 11.5.1 or 11.5.2.

For its many developers, Apple produces a set of release notes which detail “changes to the macOS SDK”, information that is extremely important for those trying to develop using it. Here too there’s no mention of either 11.5.1 or 11.5.2. Indeed, developers are only informed of two resolved issues in SwiftUI for the whole of 11.5, which seems somewhat scant. There is a link to Xcode 12.5.1 release notes, but according to those the current release version of Apple’s development tools only includes SDKs for macOS 11.3 anyway.

Having visited five of Apple’s documentation sites, we’re left with nothing more informative than the words offered by Software Update, that the 11.5.2 update “includes bug fixes”.

For several years now, I’ve been performing my own analyses of Apple’s macOS updates. Unfortunately they’re limited, as Apple doesn’t attach any version or build numbers to most of its standalone executable files such as command tools, and now deliberately obfuscates datestamps on files in the Sealed System Volume by setting them all to 1 January 2020 at 0800. However, it does still provide version and build numbers in the mandatory Info.plist file in bundles. What I therefore check are all the bundles in two folders, /System/Applications, which contains most of the bundled apps except for Safari, and /System/Library, which contains many other important items such as the 549 or so kernel extensions required for Big Sur.
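The bundle check described above can be sketched as follows. This is an added example, not the author's own tool: it records the version and build number from each bundle's Info.plist under the two folders, and on a second run after an update lists what changed. The list of bundle extensions, the Info.plist locations tried and the snapshot file name are assumptions.

```python
import json, os, plistlib, sys

ROOTS = ["/System/Applications", "/System/Library"]  # the two folders named above
# Assumed set of bundle types and Info.plist locations (apps/kexts vs frameworks).
BUNDLE_EXTS = {".app", ".framework", ".kext", ".bundle", ".plugin", ".appex", ".xpc"}
PLIST_CANDIDATES = ("Contents/Info.plist", "Resources/Info.plist", "Info.plist")

def read_versions(bundle):
    """Return (short version, build) from a bundle's Info.plist, or None."""
    for rel in PLIST_CANDIDATES:
        plist = os.path.join(bundle, rel)
        if os.path.isfile(plist):
            try:
                with open(plist, "rb") as fh:
                    info = plistlib.load(fh)
                return (str(info.get("CFBundleShortVersionString", "")),
                        str(info.get("CFBundleVersion", "")))
            except Exception:  # malformed plist or unexpected root type
                return None
    return None

def snapshot(roots):
    """Map bundle path -> (short version, build), including nested bundles."""
    found = {}
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):  # does not follow symlinks
            for name in dirnames:
                if os.path.splitext(name)[1] in BUNDLE_EXTS:
                    bundle = os.path.join(dirpath, name)
                    versions = read_versions(bundle)
                    if versions is not None:
                        found[bundle] = versions
    return found

def diff(before, after):
    """Return sorted (path, old, new) for bundles added, removed or changed."""
    paths = sorted(before.keys() | after.keys())
    return [(p, before.get(p), after.get(p)) for p in paths
            if before.get(p) != after.get(p)]

if __name__ == "__main__":
    store = sys.argv[1] if len(sys.argv) > 1 else "bundles.json"  # assumed name
    now = snapshot(ROOTS)
    if os.path.exists(store):  # second run: compare with the saved snapshot
        with open(store) as fh:
            saved = {k: tuple(v) for k, v in json.load(fh).items()}
        for path, old, new in diff(saved, now):
            print(path, old, "->", new)
    else:                      # first run: save the pre-update state
        with open(store, "w") as fh:
            json.dump(now, fh, indent=1)
```

Run it once before installing an update to save the snapshot, then again afterwards to list the bundles whose version or build number moved.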

As I’ve already reported in fuller detail, 11.5.2 increments Safari’s build number from 16611. to 16611., and those for several major frameworks, notably:

  • AppKit, which is one of the most extensively used by third-party apps.
  • JavaScriptCore, which is important to some third-party apps.
  • QuartzCore, which is also used by many third-party apps.

If Apple’s terse summary of what has changed in 11.5.2 is to be believed, this update fixes bugs in Safari and at least three of the major frameworks used by a great many third-party developers. Yet Apple has chosen not to reveal what it has changed to users, system administrators, or third-party developers.

Apple is currently facing a crisis of its own making over its declared intent to check our private images held on Macs and devices to determine whether they contain CSAM. Central to its case is for us to trust Apple not to use this same mechanism for other purposes. When we can’t even trust Apple to tell us what it has changed on our own Macs, we should be rightly suspicious. If it is to work at all, trust must work both ways: if Apple wants our trust, it has to trust us with the knowledge of what’s in a macOS update.