
Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1 - kylesethgray
https://support.apple.com/en-us/HT208317
======
bichiliad
I seriously can't imagine how much pressure engineers at Apple were under to ship
this patch. Considering they tend to ship infrequently, I doubt they have the
sort of QA turn-around that'd support emergency releases.

Remember that:

  - They learned about this yesterday
  - They had as much heads up as the general public did
  - They are a large company.

I don't disagree that the apparent QA quality from Apple software isn't what
it used to be, but we all have to take these sorts of things with a grain of
salt. I've certainly been in situations like this before.

~~~
Spooky23
I feel bad for the engineers, but seriously screw Apple on this. They have an
overcomplicated setup with little internal Kerberos implementations on every
Mac to make peer to peer networking easier.

If it’s like everything else, it’s probably ancient and crufty. The dude who
wrote it probably cashed out years ago. Some engineer rushed through and made
the original worst-case-scenario error, and the guys cleaning up the mess made
this error, which is understandable given the severity of the problem.

For a company like Apple that prints money, it’s irresponsible and reflective
of a broken engineering process. Personally I’m angry about this because on
iOS, we’re 100% dependent on their engineering process to protect my
customer’s data. Hopefully that trust is well placed.

If they don’t want to maintain Macs, don’t make them.

~~~
szc
I designed and implemented quite a lot of the LocalKDC mechanism - um, roughly
about 11-12 years ago now I think. At the time it was based on the MIT version
of Kerberos. When Apple switched to using Heimdal, the LocalKDC implementation
was updated and it has been maintained since then - I am no longer the
maintainer of this software. I haven't cashed out.

As to why the LocalKDC exists? How can you do secure peer-to-peer
authentication without relying on some sort of global (and broken) or private
PKI infrastructure? SRP wasn't an option at the time.

I am sorry you are upset. Apple is really, really serious about protecting
customer data. I encourage the reading of the Apple iOS Security Guide - it
describes hardware and software techniques used to protect your data. There is
also the 2016 Blackhat presentation by Ivan Krstic that gives more insight
into the Secure Enclave.

~~~
LoSboccacc
> Apple iOS Security Guide

That goes perfectly with the trending feeling that iOS gets all the love while
OSX sits on the back burner.

~~~
szc
I personally see that the Mac is getting lots and lots of love! Not my place
to say more than that.

I pointed to this resource due to the concern expressed about iOS.

------
mberning
From a quality standpoint Apple is a shadow of its former self. For me a large
number of the more recent features in macOS and iOS don’t work reliably.
Things like handoff, text message forwarding, enabling tethering from the Mac,
etc. are 50/50. These kinds of things used to be Apple’s bread and butter.
Taking ideas like these and making them “just work”. And now the security
regressions are creeping in. I would love to see them get back to very simple
product lines and a more minimalist approach to software features.

~~~
masterleep
Handoff is definitely a weird one. I don't think I've ever gotten it to do
anything useful. Its functionality is seemingly limited to popping up a random
icon to the left of the dock from time to time to distract me.

------
excalibur
Quick show of hands, who here is surprised that this patch broke something?

~~~
acoye
I am not. Yet given the public disclosure and the criticality of the issue,
they took the most pragmatic approach.

------
k_sze
The article says “_if_ file sharing doesn’t work”, but is it ok to just run
this command line fix anyway?

I’m not sure if file sharing is broken for me. I don’t use it _right now_. But
I’m afraid I might run into this bug in the future when I eventually use file
sharing, and then I will have forgotten about this fix, and end up spending
hours scratching my head and head-desking.

~~~
evansj
According to configureLocalKDC(1):

"The script is non-destructive and can be run multiple times."

------
cmlndz
I think this shows the poor state of Apple’s QA. Theoretically there should be a
list of predefined tests with a binary output, to pass the test or not. Before
deploying anything, tests must be run and passed. It seems the procedure is
very human-dependent.

------
LCDninja
Seriously!

I can’t even install 10.13.1 on my Mac Pro 2013 - computer acts like it’s
bricked until rebooted a number of times (and when it finally boots we’re back
at 10.13).

This also means I can’t install the latest security update that fixes the root
problem (and yes, I’ve changed the root password to mitigate).

OSX is becoming more like Windows every day.

~~~
jason_slack
Me too!! I was almost ready to wipe and reload.

------
pwinnski
This is why it should take more than 24 hours to put out a patch for an
operating system.

~~~
gpm
When the choice is between "allow public, easy, possibly remote, root access"
or "maybe deal with a bit of inconvenience fixing the fix" I'll take the
second one.

------
yuhong
I remember the emergency Java patch after Flashback. I think it also had an
issue.

------
nkkollaw
What a mess.

------
nixpulvis
I guess now we get to see where all the holes in Apple's fucking automated
tests are... meanwhile I'm happily running Arch ;)

