Last Week on My Mac: When will macOS updates hurt less?

By Howard Oakley

It’s what we all really wanted. The largest macOS update ever, a good
gigabyte bigger than even the Catalina 10.15.1 update, and more than
most major releases of Mac OS X, the Big Sur 11.3 update gives us what
we’ve all been asking for: it fixes a lot of bugs. The trouble with
getting what you want are the unintended consequences.

For a few, the 11.3 update has proved disastrous, with a clean
re-install their only hope of salvation. For most of us, its sheer size
has at least been compensated for by the relative brevity of updating.
But for those who are more cautious and don’t rush to update, it poses a
serious problem: buried in its avalanche of fixes and improvements is
one to address a serious security vulnerability, which makes updating an
urgent need. Choosing to stay on macOS 11.2.3 means that a lot of
malware out there can completely bypass your Mac’s primary protection,
Gatekeeper.

Patrick Wardle’s detailed explanation of this vulnerability is prefaced
by the exhortation: “But first, go update your macOS systems to 11.3”.
The only real alternative is to install and use his free BlockBlock. If
you fail to update now and don’t use BlockBlock, then the first time
your Mac encounters malware exploiting this vulnerability, it will fall
victim to it. You’ll be pwned.

Using the popular strategy of waiting a few weeks after each update
before installing it yourself now turns into a quandary. Is it better to
run the risk of updating now, or that of malware making your Mac a victim?

One solution could be for Apple to start releasing Big Sur updates in
two streams: security updates only, and full updates. Although this
could help some who only want the former, in practice the inevitable
overhead imposed by Big Sur probably wouldn’t help much. In any case,
Apple takes pride in the previously high take-up of updates, and if
there’s one feature that’s guaranteed to induce users to update, it’s a
compelling security fix. Even those who follow the pack by a couple of
versions might feel the need is overwhelming.

Our problem is that Big Sur updates are, as I warned, spiralling out of
control. In that article, I showed a chart of cumulative sizes of macOS
updates for Mojave, Catalina and Big Sur. Here it is updated for 11.3.

The red and yellow regression lines aren’t quite as steep as they were
at the time of 11.2.3, but only halfway through the cycle, Big Sur’s
updates have already surpassed those of the whole year of Mojave, and
are reaching the final releases of Catalina, which was hardly slimline.
Apple is now on track to release a total of more than 40 GB of updates
to Big Sur for Intel Macs, and 60 GB for M1 Macs – you know, the models
which are selling like hot cakes.

At the moment, we’re all rather too familiar with charts like that, from
waves of Covid-19. Watching each new update to Big Sur push its lines up
the chart is not too different from seeing your local or national Covid
case rates rising: you know this is only going to escalate until someone
does something about it. So far, there’s no sign of Apple doing anything
to reduce overheads such as a complete set of current firmware
installers for Intel Macs, and the dyld cache which is freshly provided
in every macOS update.

Neither has Apple reinstated its previous longstanding service of
providing standalone updaters. These were abandoned the moment that Big
Sur was released: if you can’t update a Mac using Software Update, the
only option now is to download a full installer app for that version of
Big Sur. Instead of a user being able to download a delta update package
of perhaps 6.5 GB for 11.3, that means 12.4 GB instead.

Apple’s response is no doubt to refer us to its Content Caching Server.
For anyone with more than one Mac that’s now a no-brainer, but Big Sur
updates are still hefty, as each M1 Mac has to download around 1 GB
direct from Apple’s server rather than any local cache. Updating my four
Macs from 11.2.3 to 11.3 required almost 9 GB from Apple – that’s nearly
twice the size of the whole Sierra installer. If you want to take the
11.3 update to your elderly parents or a close friend, then bad luck, it
can’t be done.

The 11.3 update addresses many of our concerns. It is rich with bug
fixes, and has extensive release notes. But it’s now ten months since
Apple started providing installers and updaters for Big Sur to large
numbers of users, and their pain and grief aren’t going away.

https://eclecticlight.co/2021/05/02/last-week-on-my-mac-when-will-macos-updates-hurt-less/

HAS ANYONE HERE READ THIS?

On 02/05/2021 17:26, David Brooks wrote:
> Last Week on My Mac: When will macOS updates hurt less?
>
> By Howard Oakley
>
> It’s what we all really wanted. The largest macOS update ever, a good
> gigabyte bigger than even the Catalina 10.15.1 update, and more than
> most major releases of Mac OS X, the Big Sur 11.3 update gives us what
> we’ve all been asking for: it fixes a lot of bugs. The trouble with
> getting what you want are the unintended consequences.
>
> For a few, the 11.3 update has proved disastrous, with a clean
> re-install their only hope of salvation. For most of us, its sheer size
> has at least been compensated for by the relative brevity of updating.
> But for those who are more cautious and don’t rush to update, it poses a
> serious problem: buried in its avalanche of fixes and improvements is
> one to address a serious security vulnerability, which makes updating an
> urgent need. Choosing to stay on macOS 11.2.3 means that a lot of
> malware out there can completely bypass your Mac’s primary protection,
> Gatekeeper.
>
> Patrick Wardle’s detailed explanation of this vulnerability is prefaced
> by the exhortation: “But first, go update your macOS systems to 11.3”.
> The only real alternative is to install and use his free BlockBlock. If
> you fail to update now and don’t use BlockBlock, then the first time
> your Mac encounters malware exploiting this vulnerability, it will fall
> victim to it. You’ll be pwned.
>
> Using the popular strategy of waiting a few weeks after each update
> before installing it yourself now turns into a quandary. Is it better to
> run the risk of updating now, or that of malware making your Mac a victim?
>
> One solution could be for Apple to start releasing Big Sur updates in
> two streams: security updates only, and full updates. Although this
> could help some who only want the former, in practice the inevitable
> overhead imposed by Big Sur probably wouldn’t help much. In any case,
> Apple takes pride in the previously high take-up of updates, and if
> there’s one feature that’s guaranteed to induce users to update, it’s a
> compelling security fix. Even those who follow the pack by a couple of
> versions might feel the need is overwhelming.
>
> Our problem is that Big Sur updates are, as I warned, spiralling out of
> control. In that article, I showed a chart of cumulative sizes of macOS
> updates for Mojave, Catalina and Big Sur. Here it is updated for 11.3.
>
>
>
> The red and yellow regression lines aren’t quite as steep as they were
> at the time of 11.2.3, but only halfway through the cycle, Big Sur’s
> updates have already surpassed those of the whole year of Mojave, and
> are reaching the final releases of Catalina, which was hardly slimline.
> Apple is now on track to release a total of more than 40 GB of updates
> to Big Sur for Intel Macs, and 60 GB for M1 Macs – you know, the models
> which are selling like hot cakes.
>
> At the moment, we’re all rather too familiar with charts like that, from
> waves of Covid-19. Watching each new update to Big Sur push its lines up
> the chart is not too different from seeing your local or national Covid
> case rates rising: you know this is only going to escalate until someone
> does something about it. So far, there’s no sign of Apple doing anything
> to reduce overheads such as a complete set of current firmware
> installers for Intel Macs, and the dyld cache which is freshly provided
> in every macOS update.
>
> Neither has Apple reinstated its previous longstanding service of
> providing standalone updaters. These were abandoned the moment that Big
> Sur was released: if you can’t update a Mac using Software Update, the
> only option now is to download a full installer app for that version of
> Big Sur. Instead of a user being able to download a delta update package
> of perhaps 6.5 GB for 11.3, that means 12.4 GB instead.
>
> Apple’s response is no doubt to refer us to its Content Caching Server.
> For anyone with more than one Mac that’s now a no-brainer, but Big Sur
> updates are still hefty, as each M1 Mac has to download around 1 GB
> direct from Apple’s server rather than any local cache. Updating my four
> Macs from 11.2.3 to 11.3 required almost 9 GB from Apple – that’s nearly
> twice the size of the whole Sierra installer. If you want to take the
> 11.3 update to your elderly parents or a close friend, then bad luck, it
> can’t be done.
>
> The 11.3 update addresses many of our concerns. It is rich with bug
> fixes, and has extensive release notes. But it’s now ten months since
> Apple started providing installers and updaters for Big Sur to large
> numbers of users, and their pain and grief aren’t going away.
>
> https://eclecticlight.co/2021/05/02/last-week-on-my-mac-when-will-macos-updates-hurt-less/
>

On 2 May 2021 at 17:26:40 BST, "David Brooks" <David@nomail.afraid.org>
wrote:

> Using the popular strategy of waiting a few weeks after each update
> before installing it yourself now turns into a quandary. Is it better to
> run the risk of updating now, or that of malware making your Mac a victim?
>
> One solution could be for Apple to start releasing Big Sur updates in
> two streams: security updates only, and full updates.

This may not be technically viable. It assumes that security is separable from
other aspects of the update. This is almost certainly not the case.

John.

--
God made the integers; all else is the work of man.

On 02/05/2021 21:12, John Hill wrote:
> On 2 May 2021 at 17:26:40 BST, "David Brooks" <David@nomail.afraid.org>
> wrote:
>
>> Using the popular strategy of waiting a few weeks after each update
>> before installing it yourself now turns into a quandary. Is it better to
>> run the risk of updating now, or that of malware making your Mac a victim?
>>
>> One solution could be for Apple to start releasing Big Sur updates in
>> two streams: security updates only, and full updates.
>
> This may not be technically viable. It assumes that security is separable from
> other aspects of the update. This is almost certainly not the case.
>
> John.

Thank you for your view, John. I don't doubt that Apple know exactly
what they are doing! I would like to know more about what Apple actually
do remotely with my iMac whilst I'm asleep, but am perfectly aware that
THEY are in control, not me!