Ventura’s updates have got faster for some

This week’s security update to Ventura 13.0.1 is an important indicator as to where macOS updates are now heading. Although it may still appear large by much earlier standards, with a minimum size of 1 GB, for many it was considerably faster.

macOS updates changed with the introduction of the signed and sealed system volume (SSV) in Big Sur. Prior to that, they were basically packages consisting of all the changed files in that update, and scripts to perform related functions. They also contained, as they still do, a complete set of firmware updaters, as macOS updates are now the only normal way of updating the firmware in your Mac.

With Big Sur’s SSV, what comes in the installer has more important things to do than simply replace changed files in the system. Once that has been done, the system has to be signed, a snapshot made of it, and that snapshot is then mounted as the new System volume. There are also complex dependencies, in the pre-linked extensions and dynamic libraries (dyld) and their caches. Apple’s new installers thus come complete with their own ‘brain’ to update and assemble all these into the SSV.

Important goals for the SSV, apart from improving security, were increasing the reliability of macOS installers and updaters, to make failed or incorrect installs almost impossible, and to ensure perfect copies of the system, so that they’d always pass the integrity checks in Secure Boot. The cost of these in Big Sur was large and slow updates, which required a full 30 minutes to prepare, and lengthy installation.

In Monterey and now Ventura, Apple is optimising both the size of updates and the time taken to install them. For size, the figures for the smallest updates speak for themselves:

  • macOS 11: 2.2/3.1 GB (Intel/Apple silicon)
  • macOS 12: 1.0/1.9 GB
  • macOS 13: 1.0/1.46 GB

It’s likely that, as far as full updates go, Ventura has reached minimum size, allowing for the overhead of firmware, etc.

Another important factor is how much of each update can be cached locally by a Content Caching server. Big Sur’s updates for Apple silicon Macs always had to download around 900 MB direct from Apple, which couldn’t be cached locally, but now in this week’s Ventura update all 1.46 GB could be provided from a Content Caching server. For those updating multiple Macs, that makes an important difference.

Ventura has also brought considerable improvements in the time taken to update, but only, as far as I’m aware, on Apple silicon Macs. Although I haven’t timed this accurately, the 13.0.1 update delivered entirely from my Content Caching server took just under ten minutes, from the start of download to the reappearance of the Desktop and Finder. On a Ventura VM with only four vCPUs running on a Mac Studio Max, from the completion of downloading to the login screen took less than 7.5 minutes, including a ‘30 minutes’ preparation period that took about 4 minutes.

Once downloading had finished to my iMac Pro, I had time for a leisurely dinner while it completed its update, I guess taking at least 45 minutes.

Ventura 13.0.1 was a conventional update, and not one of Apple’s new Rapid Security Responses (RSR). Rumour has it that they should become available following the 13.1 update, and will then provide security patches of a similar size to current security data updates, typically tens of MB or smaller. As they are installed as Cryptexes in the Preboot volume, they don’t require the SSV to be rebuilt. Although 13.0.1 didn’t deliver its fixes as an RSR, it did change several of the components already supplied in Cryptexes: look in Preboot/[UUID]/cryptex1/current, for example, and you’ll find several disk images that were updated by the 13.0.1 update.

Overall, though, RSRs are unlikely to save us much downloading or time updating, as those Cryptexes are intended to be temporary until the next macOS update incorporates the patches into the main SSV. RSRs are therefore more about timeliness than economy.

Meanwhile, those still running Monterey or Big Sur will have to wait a little longer before they get the same vulnerabilities patched. What was that saying again: pioneers take the patches, settlers get to wait?