Noodlings

macOS Catalina introduced extra privacy protections where the user can control what apps can or cannot do. Key to this is providing the user with a correct identification of the app in question.

For many apps, this is straightforward. If the “Foo” executable, which is located in …Foo.app/Contents/MacOS, does something that requires permission, the system knows to present Foo.app as the responsible bundle. For many apps, though, it’s slightly less straightforward. There may be multiple executables in the app bundle. Nonetheless, it shouldn’t be much of a problem figuring out the responsible app bundle but for some reason, a consistent solution has eluded Apple.

One of the main permissions that Hazel may require is Full Disk Access. If you go to that section in System Preferences/Settings, you’ll see a list of apps. You think adding and enabling your app there is all that is needed; that it should handle permissions for that app and all its subsidiary executables in its bundle. Here’s how it normally looks for Hazel.

But sometimes things go awry. All of sudden, the system requires separate permissions for the other executables in your bundle. Users will find the app not working properly and they won’t think to look at the permissions again as they thought they already given the proper permissions. Another trip to the privacy settings may show it listing the helper executables there.

Now, what the hell is that godforsaken app name? Well, it’s the team id followed by the bundle id. Unfortunately, Apple requires the crazy naming scheme for apps that are login items bundled in the main app. Is this something the user really needs to be exposed to? Minimally, Apple should observe the display name specified by the bundle but in the ultimately, this should not appear there at all.

The user should not have to understand the different running components internal to an app. This is a level of “transparency” that muddles the issue and adds nothing of value. Does the user really need to know that “Foo Helper” exists and want to really control that separately from the main app? I know for a fact that the vast majority of Hazel users have no idea how the different executables in Hazel work and interact with each other. I would not expet them to be able to judge whether it’s a good idea to give permissions to one, but not the other.

At the other end of the spectrum, other parts of the system sometimes fail to list an app at all. For instance, Hazel sends notifications via a commandline program in one of the standard locations within the bundle. With Monterey, while Hazel was properly being recognized as the responsible app in the Notification settings, it would be absent in the list of app you choose for the Focus feature. This was remedied in a Monterey point release with Hazel properly listed in both places there.

Unfortunately, Ventura broke it again and now it’s absent from both locations .

This all seems to indicate that each team working on these different bits are re-inventing the same wheel over and over and doing it incorrectly in different ways. You’d think it would be in their best interest of have someone write the canonical algorithm for this and use it across all these subsystems.

Unfortunately, for me, this has resulted in various DTS incidents and bug reports in recent years. As of this writing, it’s still a problem in Ventura (last checked on the release candidate). Apple, please get this sorted. FB11462910 (which also mentions several other related FBs) for those working at Fruit Company.

There is an unrelated major issue which I am hoping has been worked around in the current Hazel beta. If you are interested in testing, please see the forum article here (forum login required).

For the moment, if Hazel is an important part of your work, I suggest holding off on upgrading to Ventura. I’ll keep you posted on the status of these bugs via Twitter.

For today only, Hazel is on sale at MacUpdate Promo for 35% off. If you’ve been thinking about it and just haven’t gotten around to clicking the “Purchase” button then here’s your chance. And if you already have a copy (and a thanks to you), then forward the link above to a friend. And if you don’t have any friends, I can think of no better way of making a new friend than by walking up to a random Mac user in a cafe and pointing them to the link above. And if getting to the nearest Mac user requires you to be put in cryogenic stasis for the multi-lightyear journey, then click the link and leave a nice comment.

But please, do not spam people or forums. Practice responsible computing. Only you can prevent forest fires. Be cool, stay in school.

Looking at my web stats I noticed a lot of downloads. While normally this would be a good thing there was something suspicious about the hits.

• The rest of the site traffic was normal.
• Many were multiple requests from the same addresses.
• Many of the sessions went straight to the download without looking at any other pages.
• The user-agent was “CFNetwork”
• They were HEAD requests (so they weren’t really downloads).

Through some digging and poking around, I realized it was AppFresh. For those who don’t know, AppFresh is a program that basically is Apple’s Software Update for non-Apple software. It uses various mechanisms to figure out how to check on the latest version of your app. I’m glad someone decided to take this on and I’m interested to see how it progresses. Nonetheless, it’s prerelease and has a few wrinkles that need to be ironed out (such as not setting the user-agent so us devs could figure out what was happening). The developers seem responsive though so feel free to drop them a line.

The point of all this is that there are other devs that are just as confused or alarmed as I was about the traffic. Hopefully this will save some time and effort in trying to investigate this. This also fulfills my public service requirement for my PWI (Programming While Intoxicated) conviction last year.

On a side note, the topic of HEAD requests opens up a whole slew of lewd titles that I could have used for this post. Feel free to laud or chastise me for my restraint or sheepishness.

[Update: Just got a note from the AppFresh guys indicating they’ve released Preview 3 which now sets the user-agent, among other things. The quick turnaround is quite commendable. ]

Despite my lack of desire for doing a blog, I’ve caved in and set one up. Why? One reason, two words: Daniel Jalkut. The renowned author of Red Sweater Blog has been bugging me for months to do one. Most of our conversations go something like this:

Me: [something about programming]
Daniel: Blog it!

Luckily for Daniel, these conversations are always online so he can’t hear the unpleasantly moist sound of my eyes rolling up into my head.

So, it is my hope that doing this blog will bring a little more variety to my conversations with Daniel. And thus begins a sporadically updated, at best mildly interesting developer blog. If you don’t like it, blame him.