Mac OS X 10.4.1 Is Out

MrBadbar writes "Software Update just informed me that an update to Mac OS X (10.4.1) is now available. The updates include mail, address book, dashboard widgets, Safari, iLife, and other miscellaneous fixes. At this rate, it's only about 18 more weeks until 10.5."

A couple of notes

[daveschroeder]

First of all, Mac OS X 10.4 has been complete since March 28. So while it wasn't released until April 29, Mac OS X 10.4.1 has been in development for over six weeks.

Second, Mac OS X 10.4.1 completely fixes the the widget auto-installation issue by adding widgets to the items that Safari prompts for before a download is complete. You will now receive a notice:

"(file) is an application. Are you sure you want to download the application (file)?"

...including when Safari is in its default state, i.e., "Open 'safe' files after downloading" is enabled. This issue is now completely mitigated, as no item can be downloaded or installed without the user's express knowledge and permission. Therefore, this issue is now closed.

Re:A couple of notes

[jdb8167]

Mac OS X 10.4.1 completely fixes the the widget auto-installation issue

I can confirm this. I would disagree on the "completely" but it is certainly good enough for now. It would be better if you couldn't override existing widgets and even better if Apple supplied an advanced button that allowed me to control the sandbox that is built in to Dashboard. As it stands now, Apple has a working sandbox with various levels of security which is completely useless because it isn't exposed to the end user. What is the point of having a AllowFullAccess boolean if the developer can add it without any controls by the user?

Also, do you know if this fixes the 1GB sparse image problem? I see a HFS resource fork issue vaguely mentioned in the developer release notes but I have no idea if that is the sparse image problem or not.

Re:SMB no change

[jellomizer]

Did you fill out a bug report. This is a big issue and I put in a bug report about it. If more people place in a bug report about it maybe they can fix it quicker. For the short term I am using NFS to connect to the files I need but I really need SMB soon. Lucally for me I don't need my Mac to get my work done. But it makes it a lot more efficient when I have it.

No, not quite...

[daveschroeder]

"They" (Apple) weren't supposed to fix anything having to do with VPN clients in 10.4.1.

Making VPN clients work with 10.4.x is completely up to the vendors, and all vendors have had all the information and everything they have fundamentally needed, from a developer standpoint, to make their clients work with Tiger since *last June*.

There is absolutely no reason all of the VPN client vendors shouldn't have had their clients out on April 29 alongside Tiger. Any feigned surprise on their part, or finger pointing at Apple, is completely bullshit. Yes, Tiger changed how things work which "broke" the old clients. But they've also had almost a year to fix it.

Re:What's new video-wise?

[diqmay]

so could anyone explain what advantages Quartz 2D provides? is there a consice explanation someone could point me to?

Also, what kind of hardware do you need to enjoy any Q 2D benifits?

Without shouting...

[argent]

Sorry for the shouting, but I've been watching this slow motion train wreck roll itself out for about a year, since Apple failed to properly close the design flaw underlying the "help:" hole, which is another part of the same problem I see here.

When people are faced with dialog boxes when they do a routine operation saying "what is about to happen may be dangerous", then they pretty soon get in the habit of just clicking "yes" without thinking.

Do you want to delete this file? (click) (oh, hell)

Do you want to run this ActiveX control? (click) (damn)

I spent several years supporting Windows users, and every now and then one of them would come to me and say "I just did something stupid, I got this box, and it asked if I wanted to run something, and I said yes, and now I'm infected". And I'd go clean their PC up. And some of them, a few months later, would come to me again, "I'm sorry, I did it again"...

This was still pretty rare, for a long time, because I'd set up a policy back around 1997 that Internet Explorer and Outlook and every other application that used the MS HTML control was banned. So the only time these problems came up for many years was when someone was using IE against my instructions. A couple of years back, though, we got merged with the rest of the company and my policy was overridden by the parent's "IE only" policy. Then I started getting this regularly.

But, most users were using other browsers, like Netscape. And Netscape (and Firefox, mostly) doesn't have any kind of "auto run" mechanism. You have to explicitly download a file and run it. I still had a few people that did that, but I never had one do it twice, and even when most users were using Netscape it was IE and Outlook where the vast majority of my virus and spyware problems came from.

This is not a hard lesson to learn. Automatically opening safe files after you download them is dangerous. Automatically downloading them is more dangerous. Automatically downloading and installing them when they're not even "safe"? I've watched what happens when you allow that, EVEN WHEN you pop up a dialog box when you do it, and if Apple keeps this up, I'm going to have to treat Safari as the same kind of "Typhoid Mary" as Internet Explorer. It's not quite as bad, I suppose it's like going to work when you've got a contagious cold... it's still not what anyone would call appropriate behaviour.

A previous thread on the same subject here [slashdot.org].

Re:Without shouting...

[argent]

Is there really a substantive difference between downloading a file and saying "Yes, I want to run this" and downloading a file and double clicking on it?

Yes. It's the difference between accidentally buying a pallet of junk at an auction by waving your hand at the wrong time, and buying a pallet of junk at a surplus store by pointing to it and saying "I want to buy it".

It's hard for me to understand how you could have a powerful, flexible system that doesn't allow the user to do stuff by clicking on things.

You'll have to explain what you're getting at here. I haven't suggested that people shouldn't be allowed to "do stuff by clicking on things". I'm saying that the browser shouldn't interpret a click in a "sandboxed" environment as a request to move an untrusted document outside that environment and open it.

Clicking on links in a browser is something that is, normally, always a "safe" operation as far as your computer is concerned. The browser is sandboxed, as you mode from page to page the websites can sow you different serts of images and text, even quite sophisticated ones uring Flash or Java, but you can't normally have that take over your computer, any more than reading a book can make your head explode, or watching TV can set your end-tables on fire.

And that's important, because you can't trust people on the net not to want to set your end-tables on fire or explode your head.

So moving OUT of the "safe" environment into the "unsafe" environment should require an explicit action. If you're watching TV and someone comes to the door, you have to get up and go down to the door and let them in. You don't yell "yes, who is it" and have your house interpret that "yes" to mean "let them in".

Well, that's what a dialog box does in this situation. It doesn't make an unsafe operation safe, it just makes it one that can happen by mistake.