
224 points chmaynard | 9 comments
1. lapcat No.42136194
See also yesterday's "Apple’s built-in macOS firewall breaks third-party firewalls" https://obdev.at/blog/apples-built-in-macos-firewall-breaks-...
replies(4): >>42136670 #>>42137126 #>>42140020 #>>42146493 #
2. hrdwdmrbl No.42136670
I think this is the one that broke Time Machine for everyone with a third-party firewall.
3. isodev No.42137126
> For the time being, until Apple fixes this serious bug in macOS, we therefore highly recommend to turn off the built-in firewall of macOS when also using Little Snitch or Little Snitch Mini.

I remember back in the day when installing two firewalls or two antivirus programs on Windows would break it, so it would have to be reinstalled. That was 20 years ago, though; one would think we'd be better at making an OS by now.

replies(2): >>42137443 #>>42138819 #
4. hombre_fatal No.42137443
We like to wishfully think of human systems (software, government, anything) as immune systems that accumulate knowledge in the system itself over time so that it's increasingly resilient to the systemic problems it's encountered before.

Instead, human systems require eternal vigilance from the humans inside them. Even governmental systems, which can encode knowledge into laws, rely on the eternal vigilance of judges, prosecutors, and defenders to utilize that knowledge.

So GGz if you're writing a new subsystem in an OS and you're expected to learn from mistakes a team of two people made in some subsystem 20 years ago that someone quietly patched.

replies(1): >>42138392 #
5. isodev No.42138392
True, and having the benefit of hindsight, it’s easy for us to judge.

The trouble is, Apple’s feedback process is so opaque that we can never know the details. All we have is the feeling of “a simple test of macOS with a third party firewall before unleashing it to the world would have shown the problem”.

For a piece of software on which countless people rely (which macOS and iOS are), the “beta” begins after exhausting all internal means of detecting regressions and unwanted behaviour. It’s not cheap, but they can’t just dump something and expect unpaid, third-party developers to report all the bugs (while never getting a reply on that feedback app).

replies(1): >>42142910 #
6. toast0 No.42138819
I mean... sounds like we are, if you only have to turn off one of the firewalls and not reinstall. I think ancient Windows firewalls would routinely replace the system networking driver files, and that's why things got really messy. At least we're beyond that.
7. DavideNL No.42140020
= https://news.ycombinator.com/item?id=42135148
8. result2vino No.42142910
They can, because it’s what happens. It just sucks for those people.
9. crest No.42146493
Afaik the macOS port of OpenBSD's pf firewall is the only firewall used by both Apple's system settings and obdev's LittleSnitch. They're both GUI frontends to the same backend, but Apple supposedly also added internal "escape hatches" to their PF port because they couldn't be arsed to write/generate a proper ruleset with anchors to hook into.

The cynic in me assumes it's just teams from different silos trampling over each other in a shared code base. Given Apple's obsession with leak prevention they're probably prohibited by NDA from talking to each other.