
MacOS Catalina: Slow by Design? - jrk
https://sigpipe.macromates.com/2020/macos-catalina-slow-by-design/
======
usmannk
It seems like there is a lot of confusion here as to whether this is real or
not. I've been able to confirm the behavior in the post by:

- Using a new, random executable. Even echo $rand_int will work. Edit: What I
mean here is generate your rand int beforehand and statically include it in
your script.

- Using a fresh filename too. Just throw a rand int at the end there. e.g.
/tmp/test4329.sh

I MITMd myself while recording the network traffic and, sure enough, there is
a request to ocsp.apple.com with a hash in the URL path and a bunch of binary
data in the response body. Unsure what it is yet but the URL suggests it is
generating a cert for the binary and checking it. See:
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Here's the URL I saw:

http://ocsp.apple.com/ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIfYbtkeEKZsI%3D

Edit2: Anyone know what this hash format is? It's not quite base64, nor is it
multiple base64 strings separated with '+'s but it seems similar...

Edit3: Here is the exact filename and file I used:
https://gist.github.com/UsmannK/abb4b239c98ee45bdfcc5b284bf0029e

Edit4 (final one probably...): On subsequent attempts I'm only seeing a
request to https://api.apple-cloudkit.com
and not the OCSP one anymore. Curiously, there's no headers at all. It is just
checking for connectivity.
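
Added example (not part of the original comment): the path segment in the URL above is the URL-encoded base64 of a DER-encoded OCSPRequest, the GET form defined in RFC 6960, and this sketch decodes it with a minimal DER reader. The function names are assumptions of this example; the only input is the path segment quoted in the comment.

```python
import base64
from urllib.parse import unquote

# Path segment copied from the ocsp.apple.com URL quoted in the comment above.
OCSP_PATH = (
    "ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlk"
    "PCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uMXVAIIfYbtkeEKZsI%3D"
)


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:end], end


def expect(buf, pos, want_tag, what):
    """Read one element and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"{what}: expected tag 0x{want_tag:02x}, got 0x{tag:02x}")
    return value, nxt


def decode_oid(body):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    subs, val = [], 0
    for b in body:  # base-128 groups, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first_arc = min(subs[0] // 40, 2)
    return ".".join(map(str, [first_arc, subs[0] - 40 * first_arc] + subs[1:]))


def parse_cert_id(cert_id):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    alg, pos = expect(cert_id, 0, 0x30, "hashAlgorithm")
    oid, _ = expect(alg, 0, 0x06, "algorithm OID")
    name_hash, pos = expect(cert_id, pos, 0x04, "issuerNameHash")
    key_hash, pos = expect(cert_id, pos, 0x04, "issuerKeyHash")
    serial, _ = expect(cert_id, pos, 0x02, "serialNumber")
    return {
        "hash_alg": decode_oid(oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
    }


def parse_ocsp_get(path_segment):
    """Decode the last path segment of an OCSP GET URL into its CertIDs."""
    der = base64.b64decode(unquote(path_segment), validate=True)
    ocsp_request, end = expect(der, 0, 0x30, "OCSPRequest")
    if end != len(der):
        raise ValueError("trailing bytes after OCSPRequest")
    tbs, _ = expect(ocsp_request, 0, 0x30, "TBSRequest")
    version = 0
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # version [0] EXPLICIT INTEGER, optional
        ver, _ = expect(value, 0, 0x02, "version")
        version = int.from_bytes(ver, "big")
        tag, value, pos = read_tlv(tbs, pos)
    if tag == 0xA1:  # requestorName [1] EXPLICIT, optional; skipped
        tag, value, pos = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("requestList missing")
    requests, rpos = [], 0
    while rpos < len(value):  # requestList ::= SEQUENCE OF Request
        request, rpos = expect(value, rpos, 0x30, "Request")
        cert_id, _ = expect(request, 0, 0x30, "CertID")
        requests.append(parse_cert_id(cert_id))
    return {"der_len": len(der), "version": version, "requests": requests}


if __name__ == "__main__":
    info = parse_ocsp_get(OCSP_PATH)
    print(f"{info['der_len']} bytes of DER, version field {info['version']}")
    for req in info["requests"]:
        for field, value in req.items():
            print(f"  {field}: {value}")
```

The decoded request carries one CertID: a hash-algorithm OID (1.3.14.3.2.26, SHA-1), two 20-byte issuer hashes and a certificate serial number. Nothing in it is derived from the contents of the file that was executed.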

~~~
rurban
It's called lockdown for a reason. Apple was just the very first to implement
centralized binary blacklisting, revocation. They call it notarization.

Problem is, that they did it unannounced. There must be really some weird
stuff going on in those managers' heads. How can they possibly think to get away
with that?

~~~
kevinh456
There was nothing "unannounced" about it. Notarization was introduced at WWDC
2018 and announced as required at WWDC 2019. Every macOS developer should have
been aware of this requirement. It was a special project for my apps.

~~~
ghayes
I believe the concern here is that this is affecting not just macOS
developers, but all developers who use macOS. That's an important distinction.

~~~
pjmlp
Developers who use macOS as shiny GNU/Linux replacement are only getting what
they deserve, they should have supported Linux OEMs to start with.

Those that show up at FOSDEM, carrying their beloved macBooks and iPads while
pretending to be into FOSS.

I use Apple devices knowing what they are for, not as replacement for
something else.

~~~
nottorp
Sadly it's not the "shiny"... it's the fact that Mac OS has a GUI that works.

Been using linux since the days you installed Slackware from floppies and
recompiled your kernel to get drivers. Command line has always been a bliss,
but no one has managed to come up with a usable and consistent GUI yet.

Btw does sleep work on linux laptops these days? How's hi dpi support?

~~~
green7ea
Sleep has been working on my last ~10 laptops and desktops, it's a non-issue
at this point unless you have brand new exotic hardware. I did have a
motherboard issue on a first-gen Ryzen that required a bios update to get it
working.

hi-dpi works very nicely if you use GTK or Qt. For the other apps, it really
depends how they are implemented. For me it has been working better than
Windows.

These are strawman arguments. Give Ubuntu 20.04 a try and you'll see stuff
pretty much just works on any common hardware. You can even use slackware and
get everything working with a bit of fiddling.

MacOS is a very nice OS but it isn't FOSS and it isn't more capable at this
point, it's just a personal preference. Pretending otherwise is disingenuous.

~~~
moe
> you'll see stuff pretty much just works

The problem is the "pretty much" part.

We all know what that means in practice. That's why OSX is popular.

~~~
bwat49
OSX can only guarantee that everything works because apple controls both the
hardware and software.

Windows can only guarantee that everything works because they have a monopoly
and therefore hardware vendors have to support windows.

Most laptops don't ship with linux/are never tested with linux, so it's never
going to work flawlessly on all possible hardware configurations. It's just
not possible.

It does however, 'pretty much' work on most hardware.

And if you buy a machine from a vendor that actually
supports/pre-installs/tests linux, all of the hardware will work out of the box.

~~~
runjake
It's that "pretty much" that's the debate.

I recently switched from macOS to Ubuntu 19.10 and then 20.04 as my daily
driver and it's way flakier and has far more random app crashes than macOS.

That said, the system is fast, the UX is way further along than I expected --
in some ways it's got a better UX than macOS. It's way, way faster at nearly
everything.

~~~
bwat49
my point is that if you want to do better than 'pretty much', you should buy a
machine from an OEM that actually supports linux

If you're installing it on a random windows laptop, you're never going to get
better than 'pretty much', because the OEM doesn't support linux or test their
hardware with linux.

------
davidvartan
> a degraded user experience, as the first time a user runs a new executable,
> Apple delays execution while waiting for a reply from their server.

The way to avoid this behavior is to staple the notarization ticket to your
bundle (or dmg/pkg), i.e. "/usr/bin/stapler staple <path>." Otherwise,
Gatekeeper will fetch the ticket and staple it for the user on the first run.

(I'm the author of xcnotary [1], a tool to make notarization way less painful,
including uploading to Apple/polling for completion/stapling/troubleshooting
various code signing issues.)

[1] https://github.com/akeru-inc/xcnotary

~~~
xenadu02
Xcode (the UI) is able to bypass GateKeeper checks for things it builds.

The "Developer Tool" pane in System Prefs, Security, Privacy is the same
power. Drag anything into that list you'd like to grant the same privilege
(such as xcodebuild). This is inherited by child processes as well.

The point of this is to avoid malware packing bits of Xcode with itself and
silently compiling itself on the target machine, thus bypassing system
security policy.

~~~
LeoPanthera
Putting Terminal (and your favorite text editor) in this category and in "Full
Disk Access" will change your life.

~~~
MrBuddyCasino
How does "Full Disk Access" help?

~~~
lloeki
You can browse Time Machine backup directory trees from the CLI again.

------
jaimehrubiks
In our company many of us have similar issues. I have always loved OSX but
this time it is driving me crazy. I thought the issue was some sort of company
antivirus/firewall, or it could even be a combination of that and this issue
(maybe my vpn + path to company firewall is what magnifies the issue in this
post). The thing is that some commands take 1 second, some others take 2
minutes or even more. Actually, some commands slow down the computer until
they are finished (more likely, until they just decide to start).

For example, I can run "terraform apply" and it could take up to 5 minutes to
start, leaving my computer almost unusable until it runs. The weird thing is
that this only happens sometimes. In some cases, I restart the laptop and it
starts working a little bit faster, but the issue comes back after some time.

It's already been a few months since I try to run every command from a VM in a
remote location, since I am tired of waiting for my commands to start.

I have a macbook air from 2013 which never had this issue.

Any easy fix that I could test? Disconnecting from the internet is not an
option. Disabling SIP could be tried, but I think I already did and didn't
seem to fix it, plus it is not a good idea for a company laptop.

Don't we have some sort of hosts file or firewall that we can use to block or
fake the connectivity to apple servers?

~~~
derefr
IIRC the big thing that changed with 10.15 for CLI applications is that
BSD-userland processes (i.e. ones that don't go through all the macOS Frameworks,
but just call libc syscall wrappers like fopen(2)) now also deal with
sandboxing, since the BSD syscall ABI is now reimplemented in terms of macOS
security capabilities.

Certain BSD-syscall-ABI operations like fopen(2) and readdir(2) are now
not-so-fast by default, because the OS has to do a synchronous check of the
individual process binary's capabilities before letting the syscall through.
But POSIX utilities were written to assume that these operations _were_
fast-ish, and therefore they do tons of them, rather than doing any sort of
batching.

That means that any CLI process that "walks" the filesystem is going to
generate huge amounts of security-subsystem request traffic; which seemingly
_bottlenecks_ the security subsystem (OS-wide!); and so slows down the caller
process _and_ any other concurrent processes/threads that need
capabilities-grants of their own.

To find a fix, it's important to understand the problem in fine detail. So:
the CLI process has a set of process-local capabilities (kernel
tokens/handles); and whenever it tries to do something, it first tries to use
these. If it turns out none of those existing capabilities let it perform the
operation, then it has to request the kernel look at it, build a firewall-like
"capabilities-rules program" from the collected information, and run it, to
determine whether it should grant the process that capability. (This means
that anything that already has capabilities granted from its code-signed
_capabilities manifest_ doesn't need to sit around waiting for this
capabilities-ruleset program to be built and run. _Unless_ the app's
capabilities manifest didn't grant the specific capability it's trying to
use.)

Unlike macOS app-bundles, regular (i.e. freshly-compiled) BSD-userland
executable binaries don't _have_ a capabilities manifest of their own, so they
don't start with _any_ process-local capabilities. (You can embed one into
them, but the process has to be "capabilities-aware" to actually make use of
it, so e.g. GNU coreutils from Homebrew isn't gonna be helped by this. Oh,
_and_ it won't kick in if the program isn't _also_ code-signed, IIRC.)

But all processes _inherit_ their capabilities from their runtime ancestors,
so there's a simple fix, for the case of running CLI software interactively:
grant your terminal emulator the capabilities you need through Preferences. In
this case, the "Full Disk Access" capability. Then, since all your CLI
processes have your terminal emulator as a runtime ancestor-process, all your
CLI processes will inherit that capability, and thus not need to spend time
requesting it from the security subsystem.

Note that this doesn't apply to BSD-userland executable binaries which run as
LaunchDaemons, since those aren't being spawned by your terminal emulator.
Those either need to learn to use capabilities for real; or, at least, they
need to get exec(2)ed by a shim binary that knows how.

-----

tl;dr: I had this problem (slowness in numerous CLI apps, most obvious as
`brew upgrade` suddenly taking forever) after upgrading to 10.15 as well.
Granting "Full Disk Access" to iTerm fixed it for me.

~~~
saagarjha
> IIRC the big thing that changed with 10.15 for CLI applications is that BSD-
> userland processes (i.e. ones that don't go through all the macOS
> Frameworks, but just call libc syscall wrappers like fopen(2)) now also deal
> with sandboxing, since the BSD syscall ABI is now reimplemented in terms of
> macOS security capabilities.

Is this actually new in macOS 10.15? I seem to recall this being a thing ever
since sandboxing was a thing, even all the way back to when it was called
Seatbelt.

> That means that any CLI process that "walks" the filesystem is going to
> generate huge amounts of sandboxd traffic, which bottlenecks sandboxd and so
> slows down the caller process.

Is this not implemented in the kernel as an extension? I thought the checks
went through MAC framework hooks. Doesn't sandboxd just log access violations
when told to do so by the Sandbox kernel extension?

> Unlike macOS app-bundles, regular BSD-userland executable binaries don't
> have a capabilities manifest of their own, so they don't start with any
> process-local capabilities (with some interesting exceptions, that I think
> involve the binary being embedded in the directory-structure of a system
> framework, where the binary inherits its capabilities from the enclosing
> framework.)

I am fairly sure you can just embed a profile in a section of your app's
binary and call the sandboxing Mach call with that…

~~~
danudey
It's a new behavior that doing 'find ~' will trigger a MacOS (GUI) permissions
warning dialog when `find` tries to access your photos directory, contacts
file, etc.

~~~
saagarjha
That is new, but I believe the groundwork for that was mostly laid in 10.14
and is also mostly in the kernel.

------
brendangregg
Adding network calls to syscalls like exec() is utterly insane. This road can
lead to bricked laptops where you can't run anything to fix it (imagine an
unexpected network error that the code doesn't handle properly). And crackers
will just use ways to overwrite running instruction text to avoid the exec().

The comments on the article are annoying: it's good that there's a mini way to
reproduce, but please, use some further debugging like tcpdump (it still
exists on osx, right?). Last time I summarized osx debugging was
https://www.slideshare.net/brendangregg/analyzing-os-x-systems-performance-with-the-use-method/38

I'd also stress test it: generate scripts in a loop that include random
numbers and execute them.

~~~
xvector
There is no excuse for this except for sheer, utter incompetence. Everyone
involved in writing and shipping this should be ashamed of themselves.

~~~
drvdevd
This is what I scrolled all the way down this thread for - to see if anyone
thinks this is a _good_ design/security decision on Apple's part. I’m trying to
understand what the reasoning is for this particular decision and if it
actually makes the OS more secure in any meaningful way? Or does it actually
just degrade performance with very limited benefits? Are there _any_ real
benefits to this VS current security design in popular Desktop Linux distros
at this point?

~~~
HappyDreamer
Couldn't this have been a business decision? Not about security? (just what
they say?)

To make non-App-store apps annoyingly unusable, so the App store will sell
more apps, instead of people downloading in other ways?

Just like Apple cripples the Safari browser and PWA apps.

Long term, maybe Apple wants to be able to remote-forbid apps if Apple is
developing their own competing app?

Whilst most developers working at Apple understand this, and don't like it?
Maybe the developers even feel happy about people here at HN being
disappointed, and think that _"now the business people here at Apple notice
that this causes disappointment"_?

~~~
saagarjha
I don't think the people at Apple are actively trying to make non-App Store
apps unusable because they want to make more money from the App Store or
anything. It's just that they want code to pass through them, and as a
byproduct making code that has been vetted less or does things that could
potentially be abused is made more annoying to run. Such a change is divisive,
as you may have guessed.

~~~
michaelmrose
That vetting will come at the cost of 30% of money paid for your software and
any money earned within the software.

------
nromiun
> This is not just for files downloaded from the internet, nor is it only when
> you launch them via Finder, this is everything. So even if you write a one
> line shell script and run it in a terminal, you will get a delay!

> Apple’s most recent OS where it appears that low-level system API such as
> exec and getxattr now do synchronous network activity before returning to
> the caller.

Can anyone confirm this? Because honestly this is just terrifying. I don't
think even Windows authorises every process from a server. This doesn't sound
good for both privacy and speed.

~~~
mbreese
There are two new Security/Privacy Settings that I just noticed last night.

"Full Disk Access" to allow a program to access any place on your computer
without a warning. A few programs requested this, so it looks like it's been
around for a while.

The other one is "Developer Tools" and it looks pretty new. The only
application requesting it is "Terminal". This "allows app to run software
locally that do not meet the system's security policy". So, my reading of this
is that in Terminal, you could run scripts that are unsigned and not be
penalized speed-wise.

~~~
oefrha
I don't see it on macOS 10.15.4 (19E287). The full list of categories on my
Privacy tab:

    
    
      - Location Services
      - Contacts
      - Calendars
      - Reminders
      - Photos
      - Camera
      - Microphone
      - Speech Recognition
      - Accessibility
      - Input Monitoring
      - Full Disk Access
      - Files and Folders
      - Screen Recording
      - Automation
      - Advertising
      - Analytics & Improvements
    

Granted I don't typically use Terminal.app (iTerm 2 user), so I launched
terminal and did some privileged stuff. Had to grant Full Disk Access to, say,
`ls ~/Library/Mail`, but "Developer Tools" never popped up.

Are you running a beta build or something?

---

Update: Okay, I checked on my other machine and that one does have it
(Terminal is listed but disabled by default). What in the actual fuck?!?

~~~
Sangeppato
Maybe you need Xcode, try running "mkdir /Applications/Xcode.app"

~~~
saagarjha
I would expect checks for Xcode to go through xcselect rather than a simple
directory check. Installing the command line tools (sudo xcode-select
--install) might actually be a better idea to test this.

~~~
Sangeppato
I thought the same, but actually this method worked for me when I wanted the
Spotlight "Developer" option to show up (the CLT were already installed).
I have the Developer panel under "privacy" as well, even if I never installed
Xcode on my machine

------
gouggoug
I experienced this one day while tethering in the train. I was coding and
running `go build` multiple times.

I could not for the life of me understand why go build would take upwards of
30 seconds to run and sometimes 100ms. I finally realized it was related to my
internet connection being extremely spotty. I went online and searched if
anybody had the same experience with `go build` but couldn't find anything.

I finally know what happened. This is a pretty intolerable "feature".

~~~
lallysingh
Does it work at all when unconnected?

~~~
enriquto
There seems to be a delay of about 5 seconds, then it "gives up" trying to
notarize your program.

------
unown
As someone living in China, this is my result when I connected to my VPN (this
is my normal life, thus I can visit sites like HN):

> Hello

> /tmp/test.sh 0.00s user 0.00s system 0% cpu 5.746 total

> Hello

> /tmp/test.sh 0.00s user 0.00s system 79% cpu 0.006 total

And even if I didn't connect to my VPN:

> Hello

> /tmp/test2.sh 0.00s user 0.00s system 0% cpu 1.936 total

> Hello

> /tmp/test2.sh 0.00s user 0.00s system 78% cpu 0.005 total

That's just ridiculous and unbearable.

Apple should provide a way to disable this notarization thing, and the user
should still be able to enable SIP while disabling it.

additional information:

- macOS version: 10.15.4

- terminal: iTerm2 3.3.9

- didn't install any "security" software

~~~
ccmcarey
It doesn't work when there's no network connection, wonder if it would be
possible to filter out and automatically block notarization traffic, or if
it's all encrypted with cert pinning to prevent this type of MITM+filter.

~~~
Karliss
Dropping packets when there is an otherwise working connection could
potentially make the delay even worse depending on timeout or retry strategy
used by Apple code. I assume that in the fast case without network connection
it checks the network status flag and doesn't try to do any network connection
at all.

------
chipotle_coyote
Okay, I've tried this test on my MacBook Air 2020 several times, first by
saving the "echo Hello" shell script in an editor and then, because I wasn't
getting the results the author experienced, trying again exactly as he wrote
it. Essentially the same result:

    
    
        airyote% echo $'#!/bin/sh\necho Hello' > /tmp/test.sh
        airyote% chmod a+x /tmp/test.sh
        airyote% time /tmp/test.sh && time /tmp/test.sh
        Hello
        /tmp/test.sh  0.00s user 0.00s system 74% cpu 0.009 total
        Hello
        /tmp/test.sh  0.00s user 0.00s system 75% cpu 0.007 total
    

Is it _possible_ that Allan Odgaard, as good a programmer as he unquestionably
is, has something configured suboptimally on his end? Because it just strikes
me as super unlikely that Apple has modified all the Unix shells on macOS to
send shell scripts off to be notarized. (From what I've read, while shell
scripts can be _signed,_ they can't be notarized, and Gatekeeper is _not_
invoked when you run a shell script in Terminal -- although it _is_ invoked if
you launch a "quarantined" shell script from Finder on the first run, but it
treats the shell script as an "executable document." This is the way this has
worked for years, as I can find references to it in books from 2014.)

I have my complaints with macOS Catalina, and I know that Apple's "tighten all
the screws" approach to security is anathema to a lot of developers (and if
there was a big switch that I could click to disable it all, I probably
would), but I'm using Macs running Catalina every day and I gotta admit, they
just don't seem to be the dystopian, unlivable hellscape HN keeps telling me
they are. At least off the top of my head, I can't think of anything I was
doing on my Macs ten years ago that I can't do on my Macs today. ("Yes, but
doing it today requires an extra step on the first run that it didn't used to"
may be inconvenient, but that's not the same thing as an inability to perform
a function -- and an awful lot of complaints about modern Macs seem to be "the
security makes this less convenient." There's an argument to be had about
whether Catalina's security model strikes the right balance, of course.)

~~~
Sangeppato
I don't experience a delay in Terminal.app either, but I've tried running the
script with a fresh install of iTerm2 while capturing with Wireshark and it
does look like the script triggers a connection to an Apple server

~~~
false_kermit
I just ran the same script on iTerm2 and had no delay.

~~~
Sangeppato
I had no delay either until I reinstalled iTerm2, I have no idea why

------
saagarjha
There was a thread on the almost-forgotten Cocoa-dev list about this:
https://lists.apple.com/archives/cocoa-dev/2020/Apr/msg00008.html

Catalina has a huge number of things that synchronously block application
launch, and if any of them fail you get nothing but a hung app. A friend and I
have a running discussion of the many ways where an application would just
hang and we’d send samples and spindumps to each other trying to figure out
the right daemon or agent to kill to get the process to start responding
again. It’s madness.

------
twhb
I tested whether running a script you just wrote really contacts Apple to
“notarize” it. It does.

I first used the author’s timing method. First runs are consistently about 300
ms, subsequent runs consistently about 3 ms. Something is happening at first
run.

Some in the comments are saying it’s “local stuff”, so I tested timing again
with internet off. First runs go to about 30 ms, subsequent remain the same.
So there is “local stuff”, but it doesn’t explain the delay.

Just to be entirely sure, I installed Little Snitch and got clear
confirmation: running a script you just wrote results in syspolicyd connecting
to api.apple-cloudkit.com. syspolicyd is the Gatekeeper daemon.

I don’t know what exactly is being sent. Maybe somebody else can do a proper
packet analysis.

------
mindfulhack
I still love macOS, a lot. Since moving over after the disaster that was
Windows 8 (and by then I was already using MacBook hardware), I've become a
loving power user e.g. with AppleScript and setting up hotkeys or other ways
to do absolutely anything I want on the screen. It really is still as
powerfully customisable as Linux. Turn off SIP if need be.

My only problem in moving to Linux software is that I prefer Apple's hardware.
I'm on the 2019 16-inch MBP. Linux's compatibility with all the T2 and SSD
hardware isn't there yet, but apparently it almost is.

If Linux on the T2 MBP becomes solid and stable in the next 1-2 years, after
extensive testing I may move over permanently. I already use Linux on
secondary computers, and I love and value its privacy. Same with my phone. I
just love my privacy.

My needs are a high bar though. Productivity must be held back by nothing. I
use macOS notes _extensively_ and it syncs with my iPhone which is an
extremely useful tool for me to note things down both in audio and. It needs
to be reliable and - heh - 'just work'. I just discovered the cross-platform
'Standard Notes' app, with a bit more money paid out to Linux-compatible
services like that, maybe it can all work. Casual photoshop can be taken care
of via a VM.

Surprisingly, macOS Catalina is itself a disrupter to my productivity. It
seems buggy as hell - glitchy, and weirdly slow for many extremely basic
things - all since Catalina. I just don't get it. Is it caused by this
article's observation? Something's definitely going on.

Maybe Apple will fix this in the next release? Like how they fixed the
keyboard?

Either way, I still want to move to Linux on this fabulous (fixed) hardware
that is the 16-inch MBP. (T2 issues aside.)

~~~
fphhotchips
I have a 2019 Macbook Pro 16in and I _hate_ it. It runs exceptionally hot
(leading to massive performance problems), doesn't get enough power from the
adapter to start with no battery, doesn't play nicely with my display, needs
restarting every couple of days so Chrome doesn't crash and takes forever to
boot.

That's just the technical problems. I'm willing to give the UI a break, since
it's probably as much me adjusting as it being bad.

This is my first Apple anything, and if this is what "just works" looks like,
I don't want it. I could be more productive on an Android tablet at this
point.

~~~
mindfulhack
Actually, I do agree with you with some of those observations. Apple's been
trying to fix their terrible T2 issue and I suspect some of the problems
lately have been them trying to prevent the T2 reboot crash, while ruining
other parts of the experience in the process as a necessary compromise. It may
get worse (or better) as they move to all-Arm architecture.

I also am sick of the touch bar now - after 2 years living with it. I have to
press it twice to actually pause my media, because it's an LCD screen and it
has to auto turn off to prevent burn-in. That's a regression from the old hard
media button in the Fn row which was both instant and far easier to press. At
least we got 'Esc' back.

But man, their trackpad...nothing beats it. Still.

~~~
saagarjha
> it's an LCD screen

OLED.

~~~
mindfulhack
I hear OLED can be just as bad if not worse. So same diff.

~~~
saagarjha
Much worse. Just explaining why that would be a problem.

------
ronyfadel
I hope Apple currently has a team focused on macOS perf.

I worked on the team in charge of improving iOS (13) perf at Apple and IIRC
there was no dedicated macOS “task force” like the one on iOS.

Luckily some iOS changes permeated into macOS thanks to some shared codebases.

~~~
pier25
> _IIRC there was no dedicated macOS “task force” like the one on iOS_

It's not surprising. Macs are less than 10% of Apple's revenue.

https://www.macrumors.com/2020/04/30/apple-2q-2020-earnings/

~~~
qppo
It's surprising that they don't improve the developer experience for their own
developers using their own tools, including hardware.

~~~
saagarjha
Apple uses the same tools you do. They just might not be using it like you
are; you can find a lot of features that clearly have no reason to exist
outside of Apple nonetheless shipping with their software.

~~~
asdff
Is there a list somewhere of Apple's in house dev environments or workflows? I
wonder what cool tricks they use internally that could be pretty useful
generally.

~~~
saagarjha
Nothing special that can really be talked about without internal context. You can
get a hint at how they use their own tools though (which are available
externally) if you pay careful attention to their public appearances and
presentations.

------
shripadk
I would give anything to have my Mac be fast again. I have no idea what
changed but even 10.14 feels a whole lot slower than it was earlier. Haven't
upgraded to 10.15 seeing all the negative reviews it is getting when it comes
to perf. Apple needs to seriously give perf a priority for Mac. Do they really
expect developers to use a Mac to develop Apps when it is slow as molasses? I
shudder to think what will happen to the Apple ecosystem if developers migrate
to another OS for development. Apple will come crashing down. I don't wish for
that to happen but looks like there is absolutely no one at Apple focused on
making it better.

~~~
acdha
Remember, people don’t write blog posts saying nothing changes. The negative
reviews tend to be one of two things: spotlight reindexing shortly afterwards,
or attribution error where every new thing is blamed on the OS upgrade and
similar old behavior is mentally discounted. App development didn’t suddenly
get “slow as molasses” and for most users the install was a reboot and back to
work.

------
leephillips
This is completely insane. I am so glad I decided years ago to leave closed
operating systems behind.

This design seems to cement the trend at Apple to position their products as
consumer appliances, not platforms useful for development.

~~~
Nextgrid
> I am so glad I decided years ago to leave closed operating systems behind.

The problem is, there's nothing else out there. _Everything_ is going to shit
in one way or another. Windows is now a disaster, Linux was always a disaster
in terms of user experience and isn't improving.

Mac OS was the last bastion of somewhat good, thoughtful design, user
experience and attention to detail and now _they've_ gone to shit too.

~~~
kick
_Linux was always a disaster in terms of user experience and isn't
improving._

Curious: what have you tried? People who use "Linux" as a catch-all in terms
of UX usually have only tried a single distribution with a single desktop
environment.

~~~
dmitriid
> Curious: what have you tried? People who use "Linux" as a catch-all in terms
> of UX usually have only tried a single distribution with a single desktop
> environment.

Yup. You've just described a disaster. How many permutations of <hundreds of
distros> x <dozens of DMs> must a user try before finding a good UX?

~~~
kick
Mac is a BSD. OpenBSD exists. FreeBSD exists. NetBSD exists.

Because there are at least four BSDs, Mac therefore isn't good.

Do you see how ridiculous applying that logic to _any_ operating system is?

Linux isn't a disaster. It's a kernel. There are Linux distributions with
great user interfaces and great UX, developed by people who are great at it.
There are also distributions that aren't.

~~~
BruceEel
> There are Linux distributions with great user interfaces and great UX

Could you name some? No sarcasm, actually interested!

~~~
kick
It sort of depends on what really fascinates you, right? I'll avoid naming
some of the most popular ones, because it's likely that you've already tried
them. If you haven't, I'd really recommend giving them a try. Many people seem
to really love them.

 _In terms of defaults:_

I've heard _really_ good things about Solus, and its use of AppArmor seems
really cool. Never touched its package manager, so I won't recommend it, but
it might be worth checking out. Its desktop environment is really snappy and
has an interesting design philosophy.

Elementary is really cool as a boutique distribution; I don't personally feel
any urge to use it seriously (I dislike apt as a package manager), but I
always keep its live environment on a flash drive, because it works without
any setup on basically anything I throw it at, painlessly, and without error.
It's got a cool indie app store full of curated Elementary-centric free
software, and overall just feels great. Using it, you'll probably notice a few
areas that it clones Mac on, and a few that feel delightfully different.

Clear Linux (Intel's desktop distribution) is pretty popular right now because
of how simple it is & how Intel seems to be going to great lengths to optimize
it and make it a serious contender, but I don't like its desktop environment
(vanilla GNOME 3 as far as I'm aware) all that much.

ChromiumOS is probably the best-designed desktop operating system on the
planet right now _technically_, and I say that as a person who really hates
Google. UI-wise it's so-so, but UX-wise it's really something special.

But more interesting are desktop environments in general, since they can be
used with any variant of Linux you feel the urge to use. There's an exception
there, though, in that Elementary's DE and Deepin's DE tend to not work so
well or nicely on platforms that aren't Elementary or Deepin.

 _There are modern environments:_

Plasma has hands-down the best UX of any sort of desktop operating system
assuming you've got an Android smartphone; you say you're coming from Apple's
environment, so imagine the interop between your Mac and your iPhone, but
going both ways instead of just Mac -> iPhone. Texting, handling calls, taking
advantage of the computing resources of connected devices, using your phone as
an extra trackpad, notifications, unlocking your PC, painless file-sharing,
pretty much anything you'd like. There are a bunch of distributions that ship
with Plasma by default.

Solus's Budgie is kind of neat in that it takes the main benefit of GNOME 3
(ecosystem) with far fewer downsides.

 _There are also retro environments,_ if those are your thing. There's a
pretty much perfect NeXTSTEP clone (including the programming environment, not
just the UI), amiwm is still pretty interesting, there are clones of basically
every UNIX UI under the sun, so on.

I'm not the best person to answer your question, because for the most part I
don't go out of my way to use new desktop environments and distributions, and
nothing above is my first choice. (In terms of window management, I usually
stick with 9wm & E just because I have ridiculous ADHD and 9wm forces me to
focus while E allows me to tile painlessly if I ever need it. I use three
distributions overall, none of which are very popular at the moment, pretty
much solely because I'm really picky with package managers & design
philosophies.) That's a "me" issue rather than a Linux issue, though.

~~~
BruceEel
This is excellent and indeed largely novel information, thank you.

It sounds like finding the right combination of DE and package management
solution plays a big role here. I don't remember much of my experience with
Gentoo's package manager in the early 2000's other than finding it generally
did its job (if a bit slowly)... Experience with package managers on Mac
(brew, macports) hasn't been great so I'm eager to play around with modern
ones on Linux. Same goes for the DE actually: stock, out-of-the-box, macOS is
essentially unusable for me until I get my customization (scroll, trackpad,
KeyboardMaestro) done exactly right, I can't imagine this _not_ being better
on Linux, if anything for the ability to switch among the various DE's.

I'm starting to contemplate this (_fully untested_) strategy: trying out a
few distros and installing the one I like best on VMWare Fusion and then try
to use it as much as possible, falling back to macOS if I get stuck or I'm
short on time but gradually replacing Mac-specific stuff as I find suitable
replacements.. TextMate, the masterpiece of Allan Odgaard (author of the
article being discussed here) probably going to be the toughest one. If I'm
successful, I should eventually be able to let Linux 'out of the box' and run
it on real hardware..

PS: amiwm! This is going to be a must. I do miss the Amiga, a fair bit..

~~~
kick
My favorite package managers, personally:

xbps

apk (terrible interface; wonderful technically)

pacman (wonderful interface; so-so technically; dislike the distro that uses
it because of technical choices)

InstallPackage (GoboLinux is kind of cheating, because InstallPackage isn't a
"real" package manager, but that's kind of the point)

I love TextMate, too! Something you might find nice is how easy it is to run
Mac in a VM on Linux; there are scripts that manage the entire thing for you,
and it's pretty painless (and so fast; I was surprised). Useful if you have a
few packages you can't find replacements for.

You mention Apple Music elsewhere, which you might be interested to know has
an Android client and a web client, and you can probably get a native client
on Linux, though I'm not immediately aware of one.

~~~
BruceEel
> I love TextMate, too! Something you might find nice is how easy it is to run
> Mac in a VM on Linux; there are scripts that manage the entire thing for
> you, and it's pretty painless (and so fast; I was surprised).

That would be excellent! I like the idea of swapping host and guest with this
VM strategy, sort of evolutionary platform switching.

~~~
kick
Take a look at this! It's pretty simple; it just fetches macOS and then gives
you a shell script that launches qemu with a few flags:

[https://github.com/foxlet/macOS-Simple-KVM](https://github.com/foxlet/macOS-Simple-KVM)

Really, really fast, and fairly painless.

~~~
BruceEel
It's fetching the disk image right now. Gold... Thank you!

------
Terretta
From the comments, roughly, are you running third party "security" tools?

> _Is there any "security" software running on your Mac? I've seen this sort
> of thing caused by that, but not in general._

> _I ran the two line test and it had no delay at all. The Mac doesn't check
> for notarization on shell scripts or any non-bundle executable. I just did
> it again with a new test2.sh and Wireshark capture and there is nothing._

> _I do a lot of Keychain code and I've also never seen those delays. The
> reason I suspect they told you not to use that API is that it's in the
> "legacy" macOS keychain. They really want everyone to move to the modern
> keychain but lots of people, myself included, still need the older macOS
> specific features._

> _I'm not saying you are crazy, but all of these things though are the
> trademark reek of kernel level security software that is intercepting and
> scanning every exec and file read on the system. We had an issue with Cisco
> AMP once that took Xcode builds from under 10 seconds to over 5 minutes
> until we were able to get it fixed._

~~~
oefrha
The only kernel-level security software on my systems is Little Snitch, and
I’m pretty sure it doesn’t do anything unless there’s network activity, so it
doesn’t explain anything.

------
oasisbob
Reminds me of the terrible delay I faced after having Sophos installed on my
Mac.

Having to wait 5-10 seconds for a new terminal tab as Sophos churns (checking
autocomplete scripts, rbenv, etc) was infuriating. Oddly, there was fate
sharing with Internet interception, so there was a good chance the browser was
getting dragged down too, and vice versa.

Convincing corporate IT of how bad the problem was was maddening. Based on
what this author says, 10.15 on rural internet sounds like hell.

------
jwlake
The funny thing is it's not transitive. No slowdown if you invoke bash
specifically with a new shell.

% rm /tmp/test.sh ; echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh

% time bash /tmp/test.sh && time bash /tmp/test.sh

Hello

bash /tmp/test.sh 0.00s user 0.00s system 83% cpu 0.004 total

Hello

bash /tmp/test.sh 0.00s user 0.00s system 77% cpu 0.003 total

vs the one from the article:

% rm /tmp/test.sh ; echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh

% time /tmp/test.sh && time /tmp/test.sh

Hello

/tmp/test.sh 0.00s user 0.00s system 2% cpu 0.134 total

Hello

/tmp/test.sh 0.00s user 0.00s system 73% cpu 0.004 total

(edited for formatting)

~~~
saurik
When you run "bash hello" you are calling exec() on bash, passing "hello" as
an argument, which bash then reads; when you run "./hello" you are calling
exec() on hello: the kernel then treats "hello" as an executable, but notes
that "hello" starts with "#!" and then will run the specified interpreter for
you, passing "./hello" as an argument. The kernel doesn't think of "hello" as
a program when you run "bash hello".

------
halotrope
I am using Ubuntu 20.04 on a Thinkpad X1 Extreme Gen2 and you would be
surprised how "normal" it feels as a development machine. Sure there are some
little annoyances, the touchpad behaves a little worse than on windows, sound
is a little worse. But the most important things, Keyboard and Screen are
excellent. The system in general does not feel like the horror stories that
people keep telling about linux on desktop(notebook). Now that WSL2 is getting
Cuda even windows looks workable. Their new terminal app is amazing. After a
decade of Mac notebooks it was quite liberating and I would not switch back
even if the flaws in macOS would be fixed. It is for sure the nicest of the
big 3 operating systems but for development work Ubuntu is hard to beat for
me. YMMV but it won't hurt to look around you what else is there.

~~~
kristopolous
I've been seeing the trajectory of Windows (pre-2012 or so) -> Mac (2012 -
~2019 or so) -> Linux (~2018 - now) play out with quite a few people without
any issues.

And I don't mean developers. They're all pretty educated people but it's taken
me by surprise. They come to me in frustration over Mac, they don't want to
return to Windows and they really, really, really want linux. I've been using
linux since about 1997 so they come to me. I usually push back, thinking "do
you really want a unix workstation?!" but they insist.

My strategy has been some x2xx lenovo (like x230 or so) for about $300 from
ebay, 8/16gb of ram or so with an SSD, the extended battery pack, putting mint
on it and then just handing it over. Everyone, much to my continued surprise,
has loved it and are really happy with it.

It's happened 4 times now and I'm still shocked every time. They've told me
they use youtube to figure things out.

They're fine with libreoffice, gimp does what they need, supposedly spotify
works on it fine, they don't know what bash or the kernel is and it's all
fine. Incredible.

~~~
azinman2
I recently _really_ tried adopting Linux on a hobby development machine that I
built back in 2016 (hardly new hardware -- and desktop not laptop). Sleep
never worked, graphics sometimes borked, UI felt janky and inconsistent, icons
are super fugly and often too theme-y to the point of being undifferentiated
at a glance, HiDPI support is a giant mixed bag (in 2020), machine would
randomly freeze (mostly elementaryOS; Ubuntu didn't freeze as much), Hauppauge
drivers rarely worked consistently and often required reboots, I hated the
mouse acceleration curves and was horrified to learn they were effectively
hardcoded in X (I'm not talking just speed which is tweakable), gstreamer was
a nightmare to develop for, the Ubuntu & elementaryOS stores are a joke, and the
mix of apt/snap/nix was very frustrating and the opposite of user-friendly.

I switched back to my 2012 MBP and it's predictably gone well since, plus I
get iMessage integration with my iPhone.

YMMV

~~~
bproven
Yeah - the hw really has to be curated. I haven't tried using a machine cobbled
together from various parts (custom desktop), but off the shelf _quality_
laptops work fine for me last 2 years or so and have none of the issues you
mentioned. Emphasis on quality - not cheapo models. I think if you treat Linux
same as OSX and run it on known good hardware supported well by Linux you are
fine today IME

>HiDPI support is a giant mixed bag

I will say that this is still a thing, although with experimental gnome
fractional support it works pretty well now.

Honestly I have a 2019 macbook pro 15 and have more problems with it than I do
with my Thinkpad X1 Carbon 6th gen with Fedora 32.

------
kebman
OSX used to be the OS that started really quick, and ran really smoothly.
Certainly far better than Windows. Also search was lightning fast. It was a
selling point on its own. But recently it has slowed to a crawl. And I have to
ask, what business is it to Apple whether I store a script somewhere? I don't
even want them to have a checksum. And I don't want to go through the bother
of having to change settings for it either. Do they even ask if this is OK?
For me this is just yet another reason to steer well clear of Apple products
in the near future. Very sad, because I really used to love their stuff.

~~~
haunter
>OSX used to be the OS that started really quick

Coldboot Windows 10 from pushing the power button to reaching the login screen
is 7s for me (i7-7700, m2 SSD, 32GB RAM).

I never ever had quicker startups on OSX.

~~~
kebman
Once I tried out Mac OS X for the first time during the late 2000's it was
really striking how much better OS X was, compared to Windows, especially for
"creative professions," for video, design and the sort. But since then, I have
to hand it to Microsoft; they've really stepped up their game. They even seem
to be fixing _some_ of the non-UX compatibilities now. Granted, it's nowhere
near good enough, but with PowerShell it's workable, at least for the projects
I'm currently working on. For the more demanding stuff, I'll probably still
Vbox a Linux distro however, while that has remained completely unnecessary
for me on OS X. (I'm speaking about the whole personal experience and package
deal here, so that's why I'm not mentioning things like Docker.)

------
oefrha
Damn, I too have noticed that when developing in compiled languages (C, C++,
Go, Rust, what have you) the first execution after a recompile is always
noticeably delayed. I thought it was odd but didn’t bother digging into it.
This must be why! (Can’t recall having this problem with scripting languages,
but maybe subsequent modifications don’t trigger a notarization check? Edit:
Yeah TFA does mention this.)

------
inimino
It looks like my time with MacOS is rapidly coming to an end. Any Linux distro
recommendations these days?

~~~
speedgoose
Windows 10 with WSL if you have a laptop.

Debian or similar or ArchLinux if you have a desktop.

~~~
inimino
For reasons of personal prejudice, I'll never install any Windows version on
any hardware I own. Debian was always my first choice back in the desktop
linux days, and still is for servers, but I haven't looked at the landscape
recently. It seems to have become more consolidated, which is not surprising
but still mildly disappointing.

Edit: and WSL is not Linux

~~~
yjftsjthsd-h
> WSL is not Linux

It _is_ Linux as of WSL2, it's just _also_ Windows, so you lose many of the
advantages that would make a person recommend Linux in this thread.

~~~
inimino
TIL. But yes, for me, not having Windows installed is the primary advantage of
any non-Windows OS.

------
dcow
Can anybody actually confirm these claims? I'm no fan of the new notary
system, but in my experience the behavior described is not how things work.
Has there been an update or change in behavior recently?

I've been running a Debian thinkpad for the last meaningful stretch of time,
but from what I recall macOS quarantines any files created by the user via an
extended attribute `com.apple.quarantine`. Quarantined files are not allowed
to be executed by gatekeeper. It's not about a network check, they just can't
be executed. If the user removes the quarantine attribute, then gatekeeper
will shut up and the files will execute normally. Alternatively, if a file has
a signed hash stapled to it i.e. if it has been notarized, then gatekeeper
will also allow execution after verifying the signature. This doesn't require
a network check either.

Interestingly, the way to bypass the quarantine behavior is to unarchive a
folder. Archives themselves include the quarantine attribute, however, files
extracted from the archive using a terminal program (a "developer tools"
program) don't. And so macOS doesn't care. Also tools like `curl` don't apply
the quarantine bit to downloaded files so curling a binary or shell script
still works just fine.

~~~
saagarjha
Notarization is an additional check that ensures that Apple has not revoked
permission for the software to run.

------
dkmar
For anyone looking for more information on what happens on the first run of an
app in Catalina, see [0]. Here's a direct link to the diagram [1].

[0]: [https://eclecticlight.co/2020/01/27/what-could-possibly-go-w...](https://eclecticlight.co/2020/01/27/what-could-possibly-go-wrong-on-an-app-first-run/)

[1]:
[https://eclecticlightdotcom.files.wordpress.com/2020/01/appf...](https://eclecticlightdotcom.files.wordpress.com/2020/01/appfirstrunchecks10152.pdf)

------
KevinSjoberg
Thought I was going insane seeing delays myself on a daily basis since
Catalina. Turns out I'm not insane but a victim of Apple's continuous neglect
of Mac OS.

How can something as damning as this ever reach end consumers without getting
detected?

------
marcinzm
If Microsoft wasn't doing ever worse privacy things with Windows I'd seriously
look into switching away from Mac OS given the ever growing issues it's been
having with every release.

~~~
lol768
The set of possible operating systems to consider does not contain two items.

~~~
nsxwolf
I find Linux to be a usability nightmare. Weird cut and paste behavior,
difficult to resize windows, terrible trackpad support. macOS and Windows will
have to get a lot worse before I switch.

~~~
Accacin
I found at least in Gnome and KDE Plasma window management works pretty much
just how Windows works. Cut and paste is just cut and paste - Do you mean how
you can select text and use middle click on the mouse to paste without even
needing to do anything but select?

~~~
rrdharan
There are two X clipboards. They are implemented differently (as in
"ownership" model of the content) and the implementation bleeds out
everywhere.

You can't remove or change this behavior because some people love it.

EDIT: FWIW the above statements are oversimplifying the situation of course:
[https://en.wikipedia.org/wiki/X_Window_selection](https://en.wikipedia.org/wiki/X_Window_selection)

And more here: [https://unix.stackexchange.com/questions/13585/how-can-i-use...](https://unix.stackexchange.com/questions/13585/how-can-i-use-just-one-unified-clipboard-even-for-intellijs-copy-path)

Most fans of Linux will claim the fact that you can choose any number of
clipboard managers to customize things to your liking is a critical aspect
that draws them to the platform.

Others among us (whether reformed or uninitiated) will commonly cite this same
stuff as the reasons we avoid Linux on the desktop.

------
kar1181
I completely understand why things are going the way they are as our computing
environment has become ever more hostile. But I am very nostalgic for the time
where I would power up a Vic-20 and within seconds be able to get to work.

Teaching my daughter to program on a modern computer, we spend more time
bootstrapping and in process, than we do in actual development.

~~~
tragomaskhalos
That computers are just slower to interact with now is such a truism that we
hardly remark upon it any more. It seems utterly insane that in the early 90's
I could just run Windows 3.1 on a bit of kit that in all likelihood wouldn't
even power a toaster today, and the experience was, well, frictionless. I
don't recall _ever_ thinking "wtf is this thing _doing_?", whereas today, by
contrast, if I have the audacity to be afk for long enough for my Windows 10
box to go sleep I know I am in for an infuriating waste of minutes' worth of
disk thrashing before the bloody thing even deigns to reacknowledge my
existence.

~~~
WrtCdEvrydy
I call this 'Outsourcing the cost of development to the user'...

Getting knowledgeable people costs money so we build more abstractions that
lower the cost of development and pass the costs of development from the
company to the user in the form of requiring more hardware to do the same
thing.

How come I need 16Gb of RAM these days when 8Gb did it yesterday? How come my
phone needs 4Gb of RAM while my 2012 tablet had 1Gb? Sure the hardware is
cheaper but we're still not using the hardware to its fullest.

~~~
valuearb
What’s the point of cheaper disk and ram, and faster systems if not for
supporting higher level abstractions?

~~~
npongratz
To watch more, higher-def cat videos faster. No need to get lost in the weeds
of higher level abstractions to do that.

------
konart
I've been using linux distros (~5 years of Ubuntu and ~3 years of Arch) before
switching to macOS somewhere around 2013-2014. And now years later I'm
thinking about moving back. But every time I think about this I start with
digging about current Linux situation and every time I realise that it is
still a horrible system for anything outside of work, especially if you can't
really do without a decent UI\UX.

Apple's ecosystem is also an issue. iOS + macOS is still much better than
anything on the market (no alternatives really).

~~~
PKop
Switched from macOS this year having used it for about 8 years to first PoP_OS
and now Manjaro. Both were great (GNOME environments) and very productive for
both development and general use. I really like the streamlined, "get out of
your way" UI.

I would say go for it, I'm glad to not be dealing with any of this nonsense,
while paying a premium for it.

~~~
konart
I've seen both of them, but the "get out of your way" UI is a limited feature.
Apps still do not respect the rest of it.

You install this new distro (like Elementary if it's still alive) and fall in
love with the new Finder clone. But then you install twitter client, torrent
client and a dozen of other everyday apps. And they all look terrible. And
feel even worse. People still don't care.

As much as I hate certain things about macOS - I'd still choose it over Manjaro
for example (haven't really tried PoP)

And not to mention things like continuity and handoff. I can live without
being able to copy paste token from my phone to my computer but this is so
convenient T_T

~~~
jfkebwjsbx
> twitter client, torrent client and a dozen of other everyday apps

I don't install any of that in work machines, and I'd hope most devs don't
either, specially if the company owns the device.

If you really need those, why cannot you use the browser?

> continuity and handoff

Why do you need that for development?

Even if your workflow requires it for some strange reason, why don't you use
an alternative? There are plenty of ways to pass data between devices.

~~~
konart
I think you are missing a point here.

tl;dr: I don't have and don't want to have two PCs for two use cases.

I have my personal macbook that I use for work (development) and everything
else. I use it when I have to be at the office or when I want to work outside
of my apartment. Needless to say I want my personal computer to have
applications that I use. For both - work and ... not work.

>> continuity and handoff

>Why do you need that for development?

I don't. I don't use a computer only for development (see above). But even
during development sometimes it can come in handy. For example when you are
working on a service that has sms auth. Can I just put in 6 digits by hand?
Sure. But having them being copied from your phone for you is very convenient.

~~~
jfkebwjsbx
That is definitely _not_ wise.

Many companies lock down devices for good reason. For starters, to prevent
employees doing that and risking the entire company.

~~~
konart
Many companies also take a screenshot of your screen every 10 seconds to "keep
you in shape". I'm not taking part in this shit show thankfully. I've had my
time in corporations that do this or similar stuff. Never again.

And the only channel I'm connected to the company is the email and selfhosted
gitlab. Now tell me how can a twitter client on my working machine harm this.
Not in a fictional one in a life time scenario out of Mr Robot.

~~~
jfkebwjsbx
Don't mix privacy and security. Privacy-invading policies have nothing to do
with the discussion.

As for examples, you have many, including ones discussed in HN _regularly_.

------
zimpenfish
Their "see!" shell script example is a bit rubbish because I get 0.012s,
0.005s on this Mac laptop whilst getting 0.022s, 0.023s on Linux box 1 and
0.006s, 0.006s on Linux box 2.

Changing the filename to test2.sh on the Mac (which should trigger the delay,
right?) gets 0.006s, 0.006s.

I don't think the shell scripts are doing what they claim (and wouldn't the
second run be faster anyway because of caching?)

~~~
egorfine
If they are caching based on inode, this will not invalidate the cache. Do cp
test.sh test2.sh and try again.

~~~
saagarjha
I feel like cp might do an APFS CoW and this might still cause problems…

~~~
ken
No, even "cp -c" creates a new inode.
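
The variables raised in this sub-thread and in jwlake's and saurik's comments further up (script as the exec() target versus script handed to an interpreter, renamed versus copied file, inode identity) can be held apart with a small harness. This is an added example, not code from the article or from any commenter; the function names and the `execprobe` temp-directory prefix are made up here, and it only reports timings without assuming what they will be on a given system.

```shell
#!/bin/sh
# Added example: first-run vs second-run timing probe for freshly created scripts.
# Every function name below is a hypothetical helper, not part of any tool.

# Milliseconds since the epoch. GNU date supports %N; BSD/macOS date does not,
# so fall back to perl's Time::HiRes when the output is not purely numeric.
now_ms() {
    ns=$(date +%s%N 2>/dev/null)
    case "$ns" in
        ''|*[!0-9]*) perl -MTime::HiRes=time -e 'printf "%d\n", time() * 1000' ;;
        *) echo $((ns / 1000000)) ;;
    esac
}

# Run a command with its output discarded; print elapsed wall-clock ms and
# return the command's exit status. Each now_ms call spawns a process, so
# expect a few ms of noise on top of the real figure.
time_ms() {
    t0=$(now_ms)
    "$@" >/dev/null 2>&1 && rc=0 || rc=$?
    t1=$(now_ms)
    echo $((t1 - t0))
    return "$rc"
}

# Inode number of a file, via the portable `ls -i`.
inode_of() { ls -i "$1" | awk '{ print $1 }'; }

# Create an executable script in DIR whose name AND body have never existed
# before, so neither a path-keyed nor a content-keyed cache can know it yet.
new_script() {
    f=$(mktemp "$1/probe.XXXXXX") || return 1
    printf '#!/bin/sh\necho "Hello %s"\n' "${f##*.}" > "$f"
    chmod 755 "$f"
    printf '%s\n' "$f"
}

# Print the interpreter named on the "#!" line: the program the kernel starts
# when the script itself is the exec() target.
shebang_of() {
    IFS= read -r first < "$1" || [ -n "$first" ]
    case "$first" in
        '#!'*) set -- ${first#'#!'}; printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# probe LABEL PATH CMD...: time CMD twice in a row and report both runs.
probe() {
    label=$1; path=$2; shift 2
    first_ms=$(time_ms "$@") || first_ms="fail"
    second_ms=$(time_ms "$@") || second_ms="fail"
    printf '%-24s inode=%-10s first=%s second=%s (ms)\n' \
        "$label" "$(inode_of "$path")" "$first_ms" "$second_ms"
}

main() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/execprobe.XXXXXX") || return 1
    direct=$(new_script "$work")
    indirect=$(new_script "$work")
    interp=$(shebang_of "$direct")

    # exec() target is the script; the kernel reads "#!" and starts $interp.
    probe "direct exec" "$direct" "$direct"
    # exec() target is the interpreter; the script is only a file it reads.
    probe "via $interp" "$indirect" "$interp" "$indirect"

    # Same bytes, same inode, new path.
    mv "$direct" "$work/renamed.sh"
    probe "renamed (mv)" "$work/renamed.sh" "$work/renamed.sh"
    # Same bytes, new inode, new path.
    cp "$work/renamed.sh" "$work/copied.sh"
    probe "copied (cp)" "$work/copied.sh" "$work/copied.sh"

    rm -rf "$work"
}

main
```

Comparing the `first` column across the four rows shows which of the variables a given machine's slow first run actually follows.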

------
Nextgrid
I've been forced to update to this pile of shit because latest iOS requires
latest Xcode which in turn requires Catalina. It's a nightmare.

First off the new apps (music, podcasts, etc) are terrible. They killed off
iTunes but replaced it with much worse. These apps don't behave like standard
macOS apps, the UI is full of inconsistencies and is just so empty. This
website has nice examples of the failures of modern Mac OS:
[https://annoying.technology](https://annoying.technology)

For some reason after updating the "new updates" badge was stuck on the system
preferences icon (and even on the preference pane itself) despite no updates
being available. I ended up having to delete a plist and reboot to fix it,
apparently a common issue.

The Mail app will now randomly play the "new mail" sound. I can't confirm it
for sure but I'm assuming it's treating _read_, existing mails when they are
moved to the trash/archive or newly created drafts. They screwed up the _mail_
app, a problem that has been solved for decades. WTF? The worst is that I see
no major changes in there, so why touch the mail client in the first place if
you're not even going to give me additional features in exchange?

Xcode was stuck upgrading in the App Store. It would start the process and
never make any progress. Cancelling it had no effect. Rebooting cancelled it
but the second attempt, while making progress, ended up failing with a generic
error message with no actual information. Logs are useless because they're
being spammed by all the background processes even during normal operation
making it impossible to find anything. Finally the third attempt succeeded.

1Password now takes 5 more seconds to unlock my password database. Somehow
this disgrace of an OS slowed down the password hashing process by an order of
magnitude.

Switching screen resolutions or connecting to an external screen takes a good
10 seconds of flickering and frozen UI before everything starts working again.
This is now actually _worse_ than both Windows and Linux. I dread moving the
laptop or touching the USB-C cable (also because USB-C is so brittle) when
it's connected to an external monitor out of fear that it'll
disconnect/reconnect and I end up in a 30-second cycle of flickering.

I upgraded a couple of _days_ ago, so those are not early bugs. Apple had a
year to fix all of this. The Xcode thing might be an isolated issue but
there's no excuse for the general performance penalty or the stuck update
badge which has many hits on search engines suggesting it's a widespread
issue.

~~~
ehutch79
Have you actually done anything to try and fix these issues? Because this is
not typical

I use 1password and it doesn't take 5 seconds to open. Did I accidentally
install linux or something? because since it's the OS causing your delay it
would be causing me to have the same delay.

xcode installs just fine for my entire team. Just did the update myself,
worked just fine.

I plug into a dock and undock constantly during the day, and while it could be
quicker, 10 seconds and flickering is NOT my experience.

and what the f**k are you doing to your connections that you consider usb-c
brittle?!?

~~~
inimino
There's a lot more non-determinism in a modern MacOS install than you imagine.
"WFM" doesn't invalidate the anecdote to which you reply. TFA is about putting
network requests in system calls ffs.

------
chadlavi
> You can test this by running the following two lines in a terminal:

>

> echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh

> time /tmp/test.sh && time /tmp/test.sh

Am I missing something here?

I just did this, and the timing between the first and second run was barely
noticeable -- in fact, the first run was slightly quicker:

> echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh

> time /tmp/test.sh && time /tmp/test.sh

> Hello

> /tmp/test.sh 0.00s user 0.00s system 55% cpu 0.006 total

> Hello

> /tmp/test.sh 0.00s user 0.00s system 41% cpu 0.010 total

This is on macOS 10.15.4.

------
hitekker
> Another way to reduce the delays is by disabling System Integrity
> Protection. I say reduce, because I still do get some delays even with SIP
> disabled, but the system does overall feel much faster, and I would strongly
> recommend anyone who thinks their system is sluggish to do the same.

The tone of this article reminds me of a passage from the seminal Google+
Platforms Rant:

> Like anything else big and important in life, Accessibility has an evil twin
> who, jilted by the unbalanced affection displayed by their parents in their
> youth, has grown into an equally powerful Arch-Nemesis (yes, there's more
> than one nemesis to accessibility) named Security. And boy howdy are the two
> ever at odds.

> But I'll argue that Accessibility is actually more important than Security
> because dialing Accessibility to zero means you have no product at all,
> whereas dialing Security to zero can still get you a reasonably successful
> product such as the Playstation Network.

[https://gist.github.com/chitchcock/1281611](https://gist.github.com/chitchcock/1281611)

------
vegardx
I had put off upgrading for a long time because nothing good can come from
running the latest stable release. They've never been stable. But Apple sort
of forced me to update recently since I wanted to back up my phone, which I
wanted to do before switching to a new one. I imagined that it would be better
after a year. Boy was I wrong, and I regret doing it much. It has been a
constant pain ever since, bluetooth is completely broken.

\- My external trackpad isn't able to connect, at all. Audio devices require
that I kill coreaudiod before connecting, otherwise they just disconnect after
a few seconds.

\- I can wake the laptop with a bluetooth keyboard, but when it's awake the
keyboard stops working. Flipping the switch on the backside of the keyboard
lets it reconnect again.

\- There are transitions that you cannot disable that make your laptop feel
super slow. In Mojave you could disable them, in Catalina you can't unless you
want to run with SIP disabled.

\- There's also a super fun bug with mobile hotspot failing to activate, and
there's no way for you to just manually connect to your own hotspot, it has to
go through this bluetooth activation, even though your mobile hotspot is
visible and connectable on all other devices. You end up in a situation where
you connect to your friend's hotspot and they connect to yours, since neither
of you are able to connect to your own.

I've given up. The quality control in Apple is down the drain, and has been
for quite some time. I'm fixing to downgrade to Mojave this weekend, hopefully
that will make it more stable. But I'm not holding my breath. To add injury to
insult I'm on my third broken keyboard now. Next time it breaks I might just
use the consumer laws and make them refund the laptop so they'll have to take
a big loss for creating such a flawed device.

~~~
1123581321
Those all sound like unusual problems. What external hardware and phone are
you using?

~~~
vegardx
I've drunk the Kool-Aid. Never drink the Kool-Aid: iPhone 11 Pro, Magic
Trackpad and Keyboard, AirPod Pro and Bose QC35. If you search for these
issues on the community forums or web in general you'll see that it's quite
common, and it all started with Catalina.

Some brave people that were running the public beta reported these issues to
Apple, but we're now four point releases in and still no fix. Apple seem to
not even want to acknowledge the issue, they just send users to their FAQ
which sums up to "have you rebooted?"

The issues seem to start if you have bluetooth devices connected and your
laptop becomes memory constrained. And after that it's in a broken or bricked
state it seems. You can do tricks like killing coreaudiod to get audio devices
to connect, but trackpad is still broken.

------
rtomayko
I made the jump to a System76 Adder WS laptop and pop!os for development after
buying the lemon first gen MBP with the terrible keyboard. It was my seventh
and possibly last MBP (including powerbooks before it).

I was considering one of the new 13” MBPs but that seems unlikely if injecting
network latency into syscalls is the direction things are going.

If you’re not building Mac/iOS apps, find a Linux laptop you can tolerate for
development and an iPad Pro for everything else.

------
justinclift
Thinking about it, this probably also gives Apple a ~fairly accurate set of
usage stats for software.

All they'd need to do - and it's very simple - is count the number of requests
of each given hash lookup.

Since they know the hash for each of their own executables, that gives a
direct count of "most used" through to "least used" programs.

Not sure if they'd have the hash for third party executables though, to know
what the given hash request corresponds to.

If they receive the hash for 3rd party executables when developers sign
things, then Apple seems like it's able to generate usage stats for their
entire OS and 3rd party app ecosystem.

------
grandinj
This seems like a natural outflow of a company design process that (a)
prioritizes security highly (b) prioritizes regular users over developers (c)
does not allocate sufficient resources to the product to thoroughly cover all
the bases (d) is developed by people in North America, for whom the USA ===
the whole world, and are used to near 100% seamless internet connectivity with
latency < 20ms.

I love macOS, but their software generally has issues with flakey internet
connectivity and long latencies - down here in South Africa, ~400ms RTT is not
uncommon.

------
mkchoi212
I understand the purpose of notarization but I feel like they could've come up
with a much better solution to this. A network call __every time__ someone runs
an executable is not acceptable. But for the cases where the user is offline,
Apple must keep a list of notarized apps on the machine...

------
soraminazuki
Up until the release of Catalina, I've always upgraded to the latest version
of macOS within a month or two. But some of the changes this time are really
stopping me from upgrading.

As of Catalina, there's no sane way to install the Nix package manager without
losing functionality because macOS now disallows creating new files in the
root directory[1]. Nix stores its packages in the /nix directory and it's not
possible to migrate without causing major disruptions for existing NixOS and
other Linux users. This is too bad, since apart from Nix being a nice package
manager, it also provides a sane binary package for Emacs. The Homebrew
core/cask versions only provide a limited feature set[2][3].

[1]:
[https://github.com/NixOS/nix/issues/2925](https://github.com/NixOS/nix/issues/2925)

[2]: [https://github.com/Homebrew/homebrew-core/issues/31510](https://github.com/Homebrew/homebrew-core/issues/31510)

[3]: [https://github.com/caldwell/build-emacs/search?q=support+is%...](https://github.com/caldwell/build-emacs/search?q=support+is%3Aopen&unscoped_q=support+is%3Aopen&type=Issues)

~~~
yalogin
Brew never had this problem because they chose a sane path without corrupting
the system directory. It’s a bad design on part of NixOS and one can even say
the changes in the macOS were designed to encourage good/sane design.

~~~
pmahoney
Nix living at a predefined path is integral to how it works. An executable
does not dynamically link to a generic "ncurses" but (via rpath) links to a
specific compiled version of ncurses (such as
/nix/store/81rb87agmp9cbsvg2xm2n4kp9c6309lv-ncurses-6.2). This is the root of
all the benefits of Nix such as being able to install things side-by-side that
use different versions of things or upgrade and rollback without problems.

That predefined path being the same (/nix) across all users of nixpkgs is
required to be able to share binary packages (you could perhaps build
everything from source, but that's a lot of time, more time even than
something like gentoo because package updates require all dependencies to be
rebuilt as well).

You can call it an insane choice or bad design, but there aren't a whole lot
of options here. Could Nix move to a different path? Maybe, but is there a
path that all operating systems could abide? If the new path stops working in
some future OS, will it still be insane and bad design? Again, maybe, but I
happen to love Nix and I use it on macos because it makes my life easier (and
I'm on macos for work reasons). I'm willing to bend and do a lot of legwork to
be able use Nix, and I'm upset with the Catalina situation.

Can follow some discussion here
[https://github.com/NixOS/nix/issues/2925](https://github.com/NixOS/nix/issues/2925)

~~~
bad_user
Unix OS variants have pretty standard paths like /opt or /usr.

Going with /nix was basically the best way to run into trouble.

------
thedanbob
Nearly every article I see about macOS or Windows these days further confirms
to me that switching entirely to Linux was the right call. Maybe 2020 will be
the year of the Linux Desktop by default.

~~~
luckydata
anyday now...

------
ambernightcrush
This is also the case with APFS on rotational disk drives. Why does APFS
perform so much worse on HDD vs SSD? Will Apple fix it?
[https://bombich.com/blog/2019/09/12/analysis-apfs-enumeratio...](https://bombich.com/blog/2019/09/12/analysis-apfs-enumeration-performance-on-rotational-hard-drives)

~~~
cmckn
APFS was not designed for spinning disks. No, they won't fix it; because they
don't even sell a computer that ships with only a spinning disk (asterisk on
the iMac's hybrid drive). HFS+ is still available, just use it if you need to
format a spinning disk. I think this is a very different type of issue, with
much more reasonable trade-offs.

------
dkmar
Perhaps related: "How come someone notarized my app?"[0]

It mentions that anyone with an apple developer ID can notarize a qualifying
app and submit this notary to the Apple Notary Service. However, the proof of
notarization—the notarization ticket—might not be stapled to the application.

In the case of no stapled ticket, Catalina contacts the notary service to see
whether a ticket exists. If so, the app is good to go.

[0]: [https://eclecticlight.co/2020/05/22/how-come-someone-notariz...](https://eclecticlight.co/2020/05/22/how-come-someone-notarized-my-app/)

EDIT. More informative link here[1]. It specifically outlines what happens on
first run of an app. (and there's a great diagram if you scroll down)

[1]: [https://eclecticlight.co/2020/01/27/what-could-possibly-go-w...](https://eclecticlight.co/2020/01/27/what-could-possibly-go-wrong-on-an-app-first-run/)

------
tozeur
I feel like the continual development of MacOS is making it worse and worse.
Similar to Windows, where every extra feature causes more and more
complications.

But alas the 1000s of engineers gotta be put to work somehow.

~~~
saagarjha
There are significantly fewer than 1000 engineers working on macOS.

------
aflag
Did apple make any comments on this? I haven't been able to find any public
responses from them. I'm really interested in reading their side of things.
This is quite jarring, it's hard to believe it is a thing. However, as I read
through tests people did, it seems just as bad as it sounds.

I was actually getting a mac mini now that I'm working from home (I thought
I'd get better integration with some of the company's wfh infrastructure while
still having a unixy environment, so a win/win situation), but I cancelled the
purchase after reading this. I get that you can jump some hoops and set some
apple specific flags to things so that it works better, but the reason I
wanted a mac was to make things easier and not having to look into obscure
APIs and features to get simple things working. I was really looking forward
to that, but I don't feel that sort of investment will be justified with
issues like this in their OS :/

~~~
pram
This is frankly hyperbole. A single checkbox in a GUI menu that is routinely
accessed for managing other system-wide sandbox privileges isn't exactly
obscure. It also isn't some difficult, inconvenient task. It needs to be done
once.

~~~
aflag
From what I've read it's not available by default and you need to run some
commands (which seem to be hard to google). And that solves only part of the
problem, the article had other examples that may be harder to solve. It seems
like, if your internet connection is not great, then you're going to have a
bad experience.

------
sneak
Increasingly I find macOS only to be tolerable with iCloud (and Siri,
location, suggestions, bug reporting, etc.) entirely disabled, and Little
Snitch’s built in/automatic whitelisting for Apple services disabled, and most
of the background processes entirely denied networking access. It phones home
constantly even with all of the services disabled/opted out.

It’s indeed a huge mess, from a privacy standpoint too, not just a performance
one. It’s sad also to lose things like AirPlay or iMessage as collateral
damage in the process. :/

I just can’t tolerate a machine that hits the network hundreds of times a day
when doing normal computing tasks that do not involve the network. They even
tolerate this sort of spyware in App Store apps, too.

Is it too much to ask for a polished workstation OS that lets me boot and edit
a local text file of notes and save and quit without notifying 4 different
parties that I did so?

~~~
m463
and there are a lot of background processes.

running just firefox and terminal, ps -ef|wc -l is 198

and many of them have _no_ reason to be on my system.

------
cmckn
I run a pihole at home, which has intermittent issues. When macOS can't
resolve a hostname, almost every user-facing UI grinds to a halt. It's truly
bizarre. Applications won't launch, menus don't respond, etc. Feels like a
decade ago when your spinning disk was going bad. Not cute :(

------
skykooler
If it checks with Apple servers every time you execute a new binary, what
happens if you don't have an Internet connection? Are you just unable to run
new code?

~~~
nromiun
> One way to solve the delays is to disable your internet connection.

I think it just skips the checks if internet isn't available. But doesn't that
kind of defeat the point of notarization?

~~~
lallysingh
Hopefully you're also less likely to get new unsafe binaries when
disconnected. But it's all still awful.

------
ken
> With internet enabled, it was reproducible by relaunching the application
> and triggering the code that called SecKeychainFindGenericPassword.

I have issues with a lot of APIs, but SecKeychain has got to be one of the
worst. I don't think it's gotten any love in many, many years. Unlike
literally every other Apple API that a Macintosh application might reasonably
use, you call its functions (even from Swift) by passing strings as
(length:UInt32, data:UnsafePointer<Int8>?) pairs, and getting results out by
passing (length:UnsafeMutablePointer<UInt32>?,
data:UnsafeMutablePointer<UnsafeMutableRawPointer?>?) pairs, and checking
OSStatus return values. Every aspect of it is painful.

In Apple's "Documentation Archive" there's three "Sample Code" downloads
related to Keychain. The newest one is for TouchID, and the oldest is for
PowerPC. This is an area of the OS that doesn't get much attention.

> This issue has been reported to Apple and assigned FB7679198. Apple has
> responded that applications should not use this function, though the
> documentation for SecKeychainFindGenericPassword does not state that it is
> deprecated

I see that it's now grouped in a section of the docs called "Legacy Password
Storage", but not actually "deprecated". Strange. That means you won't get any
indication of its non-current status from Xcode, or even reading the release
notes.

I like that there's a newer (and presumably less awful) interface. I don't
look forward to having to rewrite/retest that corner of my application. Seeing
all the CFString/CFDictionary casting and OSStatus checking with the new
functions, it still doesn't look all that great.

------
xvector
What a ridiculous feature. The people involved in making this decision ought
to be fired.

------
parhamn
I'm showing 20-200ms longer on first run of the exec. Modified the test script
a bit to show that it doesn't happen again if you modify the executable's
contents.

    
    
        echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && \
        chmod a+x /tmp/test.sh && \
        time /tmp/test.sh && \
        time /tmp/test.sh && \
        echo 'echo Hello2' >> /tmp/test.sh && \
        time /tmp/test.sh

~~~
eugenekolo
Another slight modification to make this show the effect every time:

    
    
        f=$(mktemp) && \
        echo $'#!/bin/sh\necho Hello' > $f && \
        chmod a+x $f && \
        time $f && \
        time $f && \
        echo 'echo Hello2' >> $f && \
        time $f
    
    

On my system:

    
    
        Hello
    
        real 0m0.131s
        user 0m0.001s
        sys 0m0.002s
        Hello
    
        real 0m0.004s
        user 0m0.001s
        sys 0m0.002s
        Hello
        Hello2
    
        real 0m0.004s
        user 0m0.001s
        sys 0m0.002s
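
An added example, not part of the thread: the same fresh-file test repeated over several samples, so first-run and second-run times can be compared with less noise. The function names, the 50 ms threshold and the sample count are assumptions; it also assumes the check is triggered by content the system has not seen, so each sample gets a fresh path and unique content.

```shell
#!/bin/sh
# Added example (not from the thread): repeat the first-run vs. second-run
# timing over several never-before-seen executables.

# Millisecond clock. GNU date supports %N; BSD date (macOS) does not, so fall
# back to perl's Time::HiRes when the output is not purely numeric.
now_ms() {
    ns=$(date +%s%N 2>/dev/null)
    case "$ns" in
        ''|*[!0-9]*) perl -MTime::HiRes=time -e 'printf "%d\n", time() * 1000' ;;
        *) echo $(( $ns / 1000000 )) ;;
    esac
}

# Time one run of the executable "$1", in milliseconds.
run_ms() {
    start=$(now_ms)
    "$1" >/dev/null 2>&1 || echo "run failed: $1" >&2
    end=$(now_ms)
    echo $(( end - start ))
}

# Create a script with a fresh path and unique content (it echoes its own
# random file name), run it twice, and print "first_ms second_ms".
measure_fresh() {
    f=$(mktemp "${TMPDIR:-/tmp}/firstrun.XXXXXX") || return 1
    printf '#!/bin/sh\necho %s\n' "$f" > "$f"
    chmod u+x "$f"
    first=$(run_ms "$f")
    second=$(run_ms "$f")
    rm -f "$f"
    echo "$first $second"
}

# Summarise "first second" pairs from stdin: how many samples had a first run
# at least $1 ms slower than the second, and the largest difference seen.
summarize() {
    awk -v thr="$1" '
        NF == 2 {
            n++
            d = $1 - $2
            if (d >= thr) slow++
            if (n == 1 || d > max) max = d
        }
        END {
            printf "samples=%d slow_first_runs=%d max_delta_ms=%d\n", n, slow, max
        }'
}

# Collect $1 samples (default 5), print the raw pairs, then the summary using
# a threshold of $2 ms (default 50, an assumed cut-off).
sample_first_run() {
    count=${1:-5}
    thr=${2:-50}
    pairs=""
    i=0
    while [ "$i" -lt "$count" ]; do
        pairs="$pairs$(measure_fresh)
"
        i=$(( i + 1 ))
    done
    printf '%s' "$pairs"
    printf '%s' "$pairs" | summarize "$thr"
}

# Run the measurement only when asked: sh firstrun.sh run [samples] [threshold_ms]
if [ "${1:-}" = "run" ]; then
    sample_first_run "${2:-5}" "${3:-50}"
fi
```

Running it once with the network up and once with it disconnected gives two summaries that can be compared directly.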

------
unilynx
I got hit by this yesterday, borgbackup (installed using home-brew) had a 5
second delay on every invocation.

Setting Terminal as a Developer Tool in Security&Privacy fixed it

------
blackrock
One frustrating experience on the Mac is keyboard shortcuts.

Yes, they have polished the GUI, which makes it easy to navigate by mouse.
But, when you need to work in speed mode, then you reach for the keyboard
shortcuts.

The problem, is that there are plenty, too much sometimes, and they are often
inconsistent between applications.

And yes, the Mac has a keyboard shortcut assignment tool, but it often doesn’t
work correctly.

I must give credit to Microsoft here. They at least seemed to have perfected
most of the common keyboard shortcuts.

Some good features about Windows shortcuts.

1\. Alt-Spacebar to open the windows control menu, to move, minimize,
maximize, or close the window.

2\. Alt combinations are used to control the active Window application itself.

3\. Alt-F4 to close the window. But, I would have preferred Alt-Escape
instead, to close the window.

4\. Control key for shortcuts inside the application. Like, Ctrl-C for copy. O
for open. P for print. Etc.

5\. Then the Windows key, to control Operating System level shortcuts. Like
Win-M to minimize all windows. Win-L to lock the computer. Win-R to launch a
command.

Some features I would like are to use Win-Spacebar to open a command search,
similar to Win-R, but with the ability to list all possible commands. Similar
to activating the command palette on VSCode.

And Ctrl-Spacebar, to activate keyboard commands for the active window. Kinda
like Emacs, where I can run macros on it, like highlighting the words that I
want, and execute something on it, like changing to uppercase, or converting
to comma separated, or whatever else is needed.

~~~
astronautjones
this has always been the case. the underlined shortcuts in menus are a godsend
in non-osx OSes. I am still astonished at the hostility of macos when it comes
to Yes/No dialogs - you usually can't hit Y or N! This changed at some point
after snow leopard. If I could run HDCP on my old macbook, I'd still be using
snow leopard. aesthetically, they have made no innovations of use since then.

------
jakearmitage
This seems to be, once again, a case of user experience being degraded due to
lack of attention, testing and measurement of impact by security engineers.

~~~
inimino
Once you have security engineers, security is no longer the responsibility of
all engineers equally, and you've already lost at security.

------
rb808
The weird thing is the price of windows laptops have skyrocketed with the
shortages. New MBPs are cheaper than X1 Carbons and XPSs with 10gen chips.

~~~
asdff
New MBP with a 10th gen chip is a $600 upgrade over the base model with an 8th
gen chip.

------
herova
Windows + VSCode + WSL2 + Terminal + PowerToys = Just one love, never looked
back.

~~~
xyst
The only problem I have with that is "Windows"

I'm currently trying to figure out how to emulate windows from a *nix
distribution using qemu. I plan to use this as a "home lab" (k8s cluster or
just plain fucking around), but still retain the ability to play an occasional
AAA game.

~~~
herova
You don't need to emulate windows if you have windows as parent host ;).
Windows with WSL is the best linux desktop which i had for past 20 years

------
swiley
How do people put up with the complete brokenness in commercial OSes? Is this
really better than having to edit the occasional config file?

~~~
saagarjha
Personally, I know which process to kill when things go south. It's not early
to acquire this information, though.

------
HugoDaniel
I have been running OpenBSD for all my dev work in a VM for quite some time
now.

This just makes me wanna start using it for more things besides dev work :(

------
inimino
Last year I was preaching that if you can't develop in a submarine or a space
station (or on the metro), from a fresh git clone to your next git push, then
your development environment is broken and you should burn it to the ground
and start over.

It'll be interesting to see how much power we developers will let Apple take
from us before we jump the garden wall.

~~~
saagarjha
Interestingly, I hear that iPads cannot be used on the ISS because apps will
stop launching if you disconnect from Apple's servers for too long.

~~~
john_alan
Src?

------
PopeRigby
Just did a test using the command the author listed. Benchmarked on ArchLinux
and got 0.00s. I then did the same test on MacBook Pro and got 0.332s. I feel
like that's pretty bad. 0.332s might sound inconsequential, but that's just
for a single echo command. I would imagine it gets exponentially worse as your
executable grows in complexity.

------
mnm1
I'm getting 10-15 minute beach ball of death freezes on a month old MBP 16".
That recur until I hard reboot. I can't open the 'force quit applications'
window during this nor the apple menu. Can't reboot or shutdown from the cli
or otherwise. Some apps lose network connections, some don't. The entire
system becomes unusable. It requires a hard reboot. I think it's related to
Intellij IDEA and similar IDEs somehow, but profiling those shows the slowdown
is not in their apps but in the OS. It won't start with anything plugged into
the USB ports, not even just power. Been trying various things but if it
doesn't go away, I will return this when the Apple store here reopens. The
only good thing about this coronavirus is that I've had more than 14 days to
test this and find out what a clusterfuck this OS is even on a $4400 brand new
mbpro. Do they even test anything anymore?

------
jrochkind1
Do you think developers make up a significant portion of Mac buyers? I think
it's possible, but I'm not sure.

I am pretty sure the laptop market has been shrinking generally (as more
people have a phone but no laptop). And most developers I know have macs. They
probably don't want to make the OS significantly worse for developers...

~~~
vsskanth
After this, you can be sure the developer interest will go down even further

------
gautamcgoel
This is why having a vibrant open-source ecosystem is so important. Firstly, the
needs of users are the main priority (as opposed to profit or liability
minimization or advertising...), and secondly, users have so many options to
pick from. For example, if you don't like systemd, you are free to pick an OS
without it.

------
vortico
I used to use Mac pretty heavily for design and audio work, but around 10.14
because of Apple switching the way they do things, I've now entirely switched
to Windows for that, and Linux for everything else. I just don't want to deal
with the nonsense described in this post, among several other things.

------
mleonhard
I don't want to send over the Internet a record of every program I run. Is
there a way to opt-out completely?

~~~
dahfizz
Buy a machine not from Apple.

------
headmelted
“Another way to reduce the delays is by disabling System Integrity
Protection. I say reduce, because I still do get some delays even with SIP
disabled, but the system does overall feel much faster, and I would strongly
recommend anyone who thinks their system is sluggish to do the same.”

Nope.

------
jasoneckert
"Another way to reduce the delays is by disabling System Integrity
Protection."

Definitely agree on this one here - I've noticed a big speed improvement when
disabling SIP debugging with "csrutil enable --without debug" while in
recovery mode.

I should note that the main reason I disable SIP isn't for speed, but to
install the yabai window manager to make Aqua far more useful as a developer.
I wrote a recent blog post on this, actually
([https://triosdevelopers.com/jason.eckert/blog/Entries/2020/5...](https://triosdevelopers.com/jason.eckert/blog/Entries/2020/5/18_Setting_up_macOS_for_development.html)).

~~~
saagarjha
I believe disabling System Integrity Protection actually carries over to
everything you boot off the computer.

------
heinrichhartman
> [...] it appears that low-level system API such as exec and getxattr now do
> synchronous network activity before returning to the caller.

WTAF. If this is really true, this is a reason for me to leave the platform
for good. This is just unacceptable in so many ways.

------
enriquto
> a degraded user experience, as the first time a user runs a new executable,
> Apple delays execution while waiting for a reply from their server.

Wow, this is extremely infuriating! I just ran the "hello world" test script
with the network connection disabled and it took 5 seconds to run!

    
    
         $ echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh
         $ time /tmp/test.sh && time /tmp/test.sh
         Hello
         /tmp/test.sh  0.00s user 0.00s system 0% cpu 4.991 total
         Hello
         /tmp/test.sh  0.00s user 0.00s system 77% cpu 0.005 total

------
crazygringo
I'm so confused about the comments here.

There are a bunch of people who can't reproduce the slowness at all, but
nearly all downvoted or you have to wade through 100's of comments to get to
them.

The majority of comments are just dumping on Macs, nothing whatsoever to do
with the content of the article, and seem to be blindly assuming it's true.

And I can't seem to find any substantive discussion of whether this is
actually _real_ or not, or just some weird bug on the author's machine.

I don't see any evidence that Catalina is "slow by design", just a single
anecdote from the author. I was definitely hoping for some more substantive
critique/discussion...

~~~
defnotashton2
Op linked validated bug reports.. One of which Apple responded with "by
design" of which op derived the title.

The down votes are because it seems pretty clear that the people who don't
experience it have long lived instances of their os and likely have grandfathered
or disabled security settings. There are a lot of people saying it's pretty
easy to replicate with a new os.

And it is, I just did it. Did you?

~~~
crazygringo
No they didn't, there's no link. They said it's "FB7674490" but Googling that
reveals nothing, so I can't read it.

I don't know what the bug report said, or what specifically was by design.
Surely "the entire machine freeze for 1-2 seconds every 10th minute, not to
mention everything just being sluggish" is not by design.

And I _was_ unable to replicate it (I was one of the comments that got
downvoted), although I don't have the luxury of trying a fresh OS. I haven't
disabled any security settings, and I don't know what would have been
grandfathered -- that's not mentioned anywhere in the article as a factor.

So that's what's bothering me -- the assumption that contradictory evidence
isn't valid while the original post somehow is, and no discussion around that,
or what tradeoffs there might be.

Now, finally, there are actually some substantive comments from people testing
it. There wasn't before though, and it's _still_ unclear as to whether this
really is bad design, a wise tradeoff, or if the author's machine has
something else going on. Because their experience of a frustratingly slow Mac
is just not the norm at all.

------
vbsteven
With Apple degrading the developer experience with each release and Microsoft
working hard on things like WSL(2) and the new "package manager" I think
within a year or 2 lots of developers will go back to Windows-based machines.

~~~
xvector
As a security engineer myself, what Apple is doing here is completely fucking
insane. I honestly cannot believe that anyone thought it was a good idea.

------
sorryitstrue
An issue I've been dealing with forever on my mbp 2013 is the machine just
pausing input for 2-4 secs (video and audio don't hitch, just keyboard/mouse
input).

I recently took the trouble to completely wipe the disk and reinstall macos
mojave and it's still happening so it's not due to cruft installed over time
in OSX. I dunno. I'll deal with it until it gives up the ghost and probably
move to a windows machine with the work they're putting into WSL2

------
rch
High quality laptops shipping with Linux have been available for some time
now. I know of a couple of companies that are providing an option for
employees to switch.

------
harpratap
This coupled with the horrible docker 100% cpu usage bug
([https://github.com/docker/for-mac/issues/3499](https://github.com/docker/for-mac/issues/3499))
might be the top reasons why I hate WFH right now. My Linux desktop in office
was so much faster at everything (granted it's desktop vs laptop but still,
it's a laggy mess developing on OSX now)

------
csomar
It gets even worse. I was doing some web dev in the last couple months and I
noticed that my "localhost" was ridiculously slow. At first, I thought it was
NPM/Gulp but then I noticed that it behaved irrationally, sometimes it is slow
and sometimes it works.

The problem was: Parental Control. Apparently, every request was checked and
thus slowed the whole thing down. Needless to say, a couple days at least were
wasted in this.

------
jaykru
Has anybody in the tech media picked up on this? Doesn't seem like it from a
cursory browse of my favorite sites (HN do your magic) This seems like
something that Apple really ought to be taken to task for. I'm sure the
privacy concerns if not the performance will rile up the broader non-HN public
if only the information reaches them. Perhaps then we can get Apple to move to
a less stupid system.

------
trollied
The only time I’ve seen similar delays is when my mac decides it needs to do
something on an external disk that needs to spin up. I have a 12Tb external
that can take 10 seconds to spin up, so get a 10 second stall waiting for I/O
once in a while.

I do wonder if the author has something similar going on, either with a
directly attached disk or a network share.

------
trashburger
Did the site get hit by the Slashdot effect? Can't access it.

Archive:
[https://web.archive.org/web/20200522164507/https://sigpipe.m...](https://web.archive.org/web/20200522164507/https://sigpipe.macromates.com/2020/macos-catalina-slow-by-design/)

------
blinkingled
Apple has an opportunity here - to fix all these issues in the first release
of ARM macOS and disable some more functions that "don't really work well" or
are "insecure" \- all of a sudden ARM Mac will be so much better there will be
many blog posts and videos about it smugly proclaiming how Intel could not
keep up!

------
sub7
Just switch to Windows and WSL. For most cases, it works just great/not
noticeably slower.

There's a lot of bullshit on Windows too but nothing near OSX levels of
wannabe big brother shit.

Can't think of a better long term short right now in the market than Apple
(and sister cult Tesla but the electric story is at least in the early days so
they may do ok)

~~~
kasabali
Windows has SmartScreen and MAPS (which was previously called "SpyNet") turned
on by default, on top of telemetry level that goes to eleven and cannot be
turned off in consumer editions.

They're not implemented in a braindead way that's being discussed here but
they're at the same level big brotherness-wise, if not worse.

------
crazygringo
Sorry but it's just not happening for me, on macOS 10.15.3, on my late 2016
MBP. (And I've certainly never done anything like disable SIP.)

I run the commands and get:

    
    
      Hello
      /tmp/test.sh  0.00s user 0.00s system 8% cpu 0.045 total
      Hello
      /tmp/test.sh  0.00s user 0.00s system 75% cpu 0.005 total
    

If I'm reading this correctly, the first run takes less than a twentieth of a
second, and the second a two-hundredth? I've never experienced anything like
"have the entire machine freeze for 1-2 seconds every 10th minute". And I have
the slowest internet package I can buy.

The only delay that's ever noticeable is when running a program I've installed
for the first time, which yes usually seems to take a few seconds, before
often telling me the application couldn't be verified or something, do I want
to run it anyways. Which makes sense if you're running a checksum on a 400 MB
application binary. But after that first time, starting an app is always
instant.

Can anyone else elucidate what the author is talking about? They're presenting
it as a universal, but maybe there's something else going on with their
machine? Clearly something's wrong on their end, but possibly it's just some
kind of bug. I'd avoid jumping to conclusions that executables taking a second
to launch is "by design".

EDIT: switching from zsh to sh gives more granular results:

      Hello
      
      real 0m0.009s
      user 0m0.002s
      sys 0m0.003s
      Hello
      
      real 0m0.005s
      user 0m0.001s
      sys 0m0.003s
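
The first-run versus second-run comparison in the timings above can be repeated with a fresh file name and fresh content on every sample, as suggested at the top of the thread. This is an added example, not part of the original post; the function names and the 0.1 s threshold are assumptions chosen for illustration.

```python
import os
import secrets
import stat
import subprocess
import tempfile
import time


def make_fresh_script(directory):
    """Write a script whose file name and content have never existed before."""
    token = secrets.token_hex(8)
    path = os.path.join(directory, f"test{token}.sh")
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho Hello {token}\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def time_launch(path):
    """Return wall-clock seconds for one execution of the script."""
    start = time.perf_counter()
    subprocess.run([path], check=True, stdout=subprocess.DEVNULL)
    return time.perf_counter() - start


def measure(samples=5, directory=None):
    """Time the first launch of each fresh script and an immediate rerun."""
    results = []
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        for _ in range(samples):
            script = make_fresh_script(tmp)
            results.append((time_launch(script), time_launch(script)))
    return results


def summarize(results, threshold=0.1):
    """Count samples whose first launch exceeded the rerun by > threshold s."""
    slow = [(f, s) for f, s in results if f - s > threshold]
    return {"samples": len(results), "slow_first_launches": len(slow),
            "max_first": max(f for f, _ in results),
            "max_second": max(s for _, s in results)}


if __name__ == "__main__":
    data = measure()
    for first, second in data:
        print(f"first {first * 1000:8.1f} ms   second {second * 1000:8.1f} ms")
    print(summarize(data))
```

Running it once with networking on and once with it off, from the same terminal, separates a network-bound first-launch check from ordinary disk and cache effects.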

------
sigjuice
I intend to stay on Mojave for as long as possible, but I am curious to try
out Catalina. I believe it is easy enough to install Catalina on an external
SSD. My concern is whether this would be safe enough and if my computer would
remain unmodified (e.g. could there be changes to firmware settings or
firmware updates?)

------
john_alan
I can see the delay when I remove my terminal from the DevTools permission in
Security preferences.

So it's real.

However, scripts are NOT notarised, so what is it doing?

EDIT:

So after digging, the scripts are being "checked" for malware, as part of
XProtect.

This is interesting, it seems to be hashing scripts and testing to see if it's
known malware.

Anyway, easy to disable, but weird stuff.

------
anderspitman
"Modern" OSX, iOS, and Android are so secure and safe they even protect you
from using your computer.

------
kup0
10.15.1 and then 10.15.4 both introduced random kernel panics on my iMac. Only
way to solve was to reinstall MacOS on top of itself (via Recovery, kept
files/apps intact).

Still no idea what or why the panics would happen, or why the reinstall solved
it.

Catalina has been a very bumpy road for me so far.

------
mshockwave
I don't think they do the notarization for shell scripts and programs you build
from source. I've been doing large scale software development on my Catalina
for quite some time and I observed zero performance degradation compared to
previous OS X versions.

------
e40
I really hope the mess that is Catalina is fixed in the next round, or I might
be on Mojave until I can switch to another OS. I've been on macOS for a long
time, and I really like it. I'm productive on it. But Catalina... no, I won't
touch that.

------
s800
Anyone have packet captures of this behavior? I'm still on 10.14, or I would
check it myself.

------
mattbillenstein
Man, I think I was having this issue earlier in the year and thought it was
some funkiness with the firewall or application -- custom golang apps.

Who at Apple thought it was a good idea to hop on the internet when invoking
an application without any warning? This is loony.

------
commandlinefan
I can't upgrade IntelliJ any more, because it's trying to write to privileged
file locations that I (the owner of the computer) no longer have access to.
Believe me, I've tried to work around this, macOS has it locked down
completely.

~~~
tebruno99
I use and upgrade IntelliJ fine. Install JetBrains Toolbox and everything is
installed in your home dir. What kind of locations are you having troubles
with?

~~~
noworriesnate
I agree: use JetBrains Toolbox.

A few months ago I installed Rider (an IntelliJ-based IDE) on my Mac without
Toolbox, and upgrading it was a pain. I don't remember the details, but using
JetBrains Toolbox makes upgrading as simple as clicking a button and waiting
until the download / install is complete.

------
apatheticonion
Just wanted to drop this here but WSL & WSL2 make a compelling case to move
to Windows.

------
discourses
I have these kinds of issues on Mojave. I blamed the firewall. With ethernet
disconnected, everything runs smoothly. Connected: random freezes of 1-2 secs.

Why does it need the internet all the time?

------
dre-hh
Upgraded only in Spring. Waited long enough. Never have been I saw wrong. Now
when I want to reboot my computer I just try to pair my Bluetooth headphones -
instant hard reboot

~~~
saagarjha
Does this literally panic your machine?

------
markdog12
Can we get a MacOS @BruceDawson0xB up in here?

[https://twitter.com/BruceDawson0xB](https://twitter.com/BruceDawson0xB)

------
msie
Lack of upgradability of MacBook Pros, numerous bugs in Catalina (ImageCapture
I'm looking at you), T2 chip and secure boot issues. It all adds up...

------
gitgud
Why would they send off binary hashes synchronously before execution of the
program?

Are they checking if the app is dangerous? Are they logging all my activity?

------
soapdog
If Microsoft was doing this there'd be a riot but since it is Apple but will
rationalize this bad behaviour and say it is for the best.

------
fulldecent2
NSA had a "hardening macOS" guide on GitHub that I can't find.

I wonder if that defeats the phone home that this article is highlighting.

------
bad_user
I like the fine grained permissions on Catalina, but along with dropping
support for 32-bit binaries, this is getting ridiculous.

------
AlexanderDhoore
I noticed recently that the first `git` command I run takes longer. This is
insane. What's the status of Debian on MacBook?

~~~
ben-schaaf
Last I heard you can't even access the SSD on newer MacBooks. If you want a
good experience with running Linux on a laptop, don't use a Mac.

------
sj4nz
Did anyone try setting the terminal to "Developer Tools" permissions and
find that things go worse?

------
stephc_int13
Wow, this is incredible and clearly a huge step in the wrong direction.

I clearly won't switch to their system anytime soon...

------
mickotron
My 2011 era MacBook Pro has run Linux most of its life. It runs super fast
compared to its performance under MacOS even a year into its existence.

I've heard people ask me "why bother with Linux when MacOS is Unix?". Well
technically it is from its heritage, but it gets less unixy by the day.

------
LeoNatan25
Disabling SIP and amfi kills all the process startup delay and limitations.

------
bfrog
I feel like this is one of those times, a wut moment.

------
seemslegit
The slowness seems like the smallest concern here

------
dwighttk
How many new applications are you people running?

------
zapf
One more reason to stay away from corporate OSes

------
RyanShook
So should we disable SIP on our Macs?

------
rmrfrmrf
By this logic, HTTPS is "slow by design" and a nefarious plot by Big
Certificate to siphon money away from tech companies.

------
zelly
Linux is waiting for you.

------
waynesonfire
Now I understand the importance of niche OS.

------
MintelIE
When will computer and OS companies start telling us exactly what data they’re
taking and who they give it to? I was an Apple user from 2002 until last year.
I just can’t be spied on and telemetized any more. It’s not beneficial to me
and I can see all kinds of downsides. Especially since big tech has it in for
anybody politically to the right of Bernie.

------
andarleen
I switched to a sleek AMD based setup and Ubuntu, 64 gigs of RAM, tons of NVMe
storage and for a decent price. Sad to see macOS go out of my daily toolkit, but
fortunately I no longer have to deal with this kind of crap. I still use Mac
occasionally but day by day it becomes less relevant.

------
shmerl
Switch to Linux and forget about it.

------
beders
You should know by now:

Apple is the Father, Apple is the Mother.

After Apple has re-invented or re-written the MSFT playbook of the 90s,
nothing surprises me anymore.

Yet I cling to these machines, that take away the freedom to do with my
hardware as I please. It's odd.

~~~
inimino
The UX is good. Freedom has always been a little more subtle.

------
bluedino
In many unrelated ways, Mac OS X has just always been slow.

The first computers I ran OS X on were a Pismo Powerbook and one of the first
iMacs. Both with upgraded hard drives and maxed out RAM. They were almost
unusable, and we'd put classic OS back on them, a new release of OS X would
come out, and repeat.

I later got a chance to use a shiny new G5. I couldn't believe how slow it
felt. Same goes for the PowerBook G4. The first Intel MacBook Pro didn't feel
any faster.

Somewhere around the i5, Mac OS started to feel 'okay'. But I'd always still
feel blown away at how fast a similar machine felt running Windows or Linux.

But I've stuck with it ever since 2010. I remember talking about my 16",
saying "It's really fast...for a Mac."

------
api
All of these complaints are about security features.

Yes these features could be better implemented, but I'm happy they're there.
It's very important to be able to opt out of them, but I like that they're the
default.

Notarization needs a cleanup pass and the rest of it seems like it needs an
optimization pass.

P.S. The rationale for notarization is to not distribute and thus advertise
the filters and detection mechanisms Apple uses to detect malware. If these
things were distributed then malware authors could analyze and evade them.
Security through obscurity does make a certain amount of sense here as the
Church-Turing thesis means there are an infinite number of ways to implement
any given thing including malware and there is no single filter or analytical
step that can detect all possible malware permutations.

~~~
inimino
Being able to run arbitrary software on the hardware Apple has graciously lent
me is an annoying level of power that I'm not fully comfortable with either.
I'm liable to shoot my foot off if Apple the all-seeing doesn't save me from
myself.

