
I just downloaded Zoom for Mac, saw that it was a .pkg file. Great, I can see what files it installs before I install it.

I open the .pkg, click Continue so it can run its script, then a second later Installer quits and the app launches. What?!

Turns out, Zoom installs the entire app in the 'preinstall' script of the installer package! Inside there's a copy of '7z', and the app is extracted with that. The preinstall script is littered with typos and poor grammar.

I'm not one of those people who thinks that Apple is going to force all Mac software to come through the App Store, but when I see stuff this stupid...I start to wonder.




This is exactly what creeped me out when I first installed Zoom years ago.

Very few people cared when I commented this https://news.ycombinator.com/item?id=20398084

Suffice it to say, I no longer trust Zoom to be running in my regular user account. I have a separate user on my Mac to isolate it. If you have the means, you might even consider a spare computer or a VM to run Zoom.


I use my iPad for Zoom. One of the few times I'm glad the App Store and sandbox exist.

Even their iOS/iPadOS app is annoying, because the first time you open it and sign in, it pops 3 (!) permission dialogs (Calendar, Notifications, and TouchID/FaceID). Way too aggressive IMO.

Now, if only they'd make a Mac App Store version of Zoom. I'd be so happy...


Man, it's disappointing to hear this has stayed the same for so long. In the future, Apple should sandbox 'preflight' to disallow writing files, and then enforce it as a condition of notarization.


More details from @c1truz_ on Twitter: https://twitter.com/c1truz_/status/1244737672930824193


I feel like Zoom has a history of doing shady things under the veil of "ease of use" (referring to the uninstall complaints a few months ago).

I do think on macOS the average user doesn't understand DMG files and runs apps from inside the DMG instead of copying them to /Applications and deleting the disk image. My guess is that most people install Zoom after a meeting has started, and this was the quickest, fewest-dialog method of getting it up and running.


Stop apologizing for them. It's literally two more clicks, and anyone who has gone through the flow expects those clicks. Also, if Installer never realizes it installed something, it won't even offer to delete the installer .pkg.


I'm pointing this out not as an excuse for Zoom, but as an example of long-standing friction in macOS. I think it's worth pointing out they've had the same motivations in the past. Like Dropbox, I hope the OS improves so this isn't necessary, and knowing this is a pattern (and not a one-off) with the company, I will avoid them when possible.


There are already good solutions to this issue. In particular, simply placing the app package in a zip file, then checking to see if it's installed correctly when opened.


My annoyance with macOS/Apple is that this isn't standard and default. Therefore it's not consistent and can be confusing (especially if you're trying to join a call in progress). Because of this, Zoom chose to reduce the number of dialogs thrown up.


> run apps from inside the DMG instead of copying them to /Applications and deleting the disk image

First, there's nothing wrong with that.

Also, some apps display a message asking to be moved to /Applications when launched from a DMG.


> First, there's nothing wrong with that.

Sure, you can technically run a .app from most places. It becomes problematic in that you can't write to that directory or self-update the app if it's still in the DMG. If you reboot, you have to know to remount before launching. Not having it in /Applications also becomes a mess if you're in a multi-user environment.

> Also, some apps display a message asking to be moved to /Applications when launched from a DMG.

This is the kind of friction and extra dialog boxes I'm sure they were avoiding.

Personally, I hate pkg files. I wish macOS had a better flow for unsavvy users to deal with DMG and app files.


There is also a feature called App Translocation that further restricts the abilities of applications launched from disk images.


Unsigned disk images.


I read this like 10 minutes after installing Zoom on my Mac. Yikes. Anyone have a list of files and processes I can tweeze out (beyond the obvious files, which I've already purged)?



Next time, open the .pkg with Pacifier.


I think you mean Pacifist (https://www.charlessoft.com/) which you can use to extract the app directly


Since this .pkg completely subverts how packages are supposed to work, none of the files show up in Pacifist. Everything is in 'Scripts', which is a .cpio.gz.


While I also dislike this type of thing, remember that Zoom's business is built on getting people into calls as quickly as possible. Seconds matter.

So I can totally understand why they would want to use 7zip to shave kilobytes off the download size.


7zip isn’t the complaint, it’s that the installer installs the app before the user OKs it.

Honestly zoom is something that I would never let near a personal computer. What really surprised me is that there’s a “zoomgov.” (a friend at a defense contractor showed me) Either our government is enjoying the benefits of being able to force companies to be audited because of defense budgets or things have become way more relaxed than they should be. Judging by our “stockpiles” and inability to get critical equipment I’m guessing the second one.


> 7zip isn’t the complaint, it’s that the installer installs the app before the user OKs it.

...I was about to write a reply saying "well in that case I don't understand what the GP is complaining about", but then I opened up the installer again.

I didn't fully take in what the parent was saying. Zoom is completely short-circuiting the normal macOS package install flow. You click continue once to acknowledge that "this package will run a program to determine if the software can be installed", and then Zoom is suddenly installed and the installer exits.

I can understand why they did it, but it's not good.

Although, Apple deserves some blame here. Firstly because their non-app-store software install flow has been screwed up since the release of Lion, and secondly because why can't you use Installer's "Show Files" option before the preinstall step?


I'm not a macOS user, but I'm having a really hard time getting my head around this:

1. You download an installer.

2. You activate that installer.

3. Your system tells you that the installer can run some code.

4. You agree to the installer running some code.

5. The installer installs some software, via the code that you said the installer could run.

Seems perfectly acceptable to me. If you literally cannot open up the archive file to inspect its contents without running some code inside it, that's not Zoom's problem. It's just a really stupid decision on the part of Apple.


> Your system tells you that the installer can run some code.

The message reads "this package will run a program _to determine if the software can be installed_". Old iWork updates used this to see if you had a previous version of iWork on your computer. nVidia's Web Drivers used it to check if your Mac had an nVidia card. No other macOS pkg that I'm aware of makes actual changes to your system during this step. That's not what the user agreed to.

Behind the consent message is a grayed-out "next" button that you never get to click.

I suppose this system was ripe for abuse, but that doesn't excuse the people who abuse it.


This is a legacy path in the installer they are abusing.

Pre-install scripts are only supposed to do things like check if you have prerequisites installed, eg if your app requires some version of Python or whatever.

Instead they are abusing that to just install everything immediately.

There is literally no reason for it beyond saving one or two clicks.


Apparently, there's an upgrade for HIPAA compliance, too. I have no idea what that entails or how to tell from the client side if that's in place. I was working with a medical provider and had to switch to remote sessions. Our first VC was cancelled last minute because they were upgrading the account for HIPAA.


This is a great point. People understand installers/.pkg files far better than `.app`s wrapped in a DMG. Those often get launched inside the DMG, which has a ton of other issues, rather than being dragged to the Applications folder.

Also, packages allow for easier deployment than DMGs.


This isn't the point, it's the fact that the installer is being abused to install an app without even giving the user the option to proceed or not. Nothing should be installed as part of the preflight.

Par for the course with Zoom, so it seems.


I don't think it installs it; I think it just calls the resource from the package.

NVM, I decided to inspect the package with `pkgutil`.

Here's the offending code:

```bash
###################################
# Install routine from Zoom's pkg preinstall script, as posted in the thread.
# Called with the destination directory as $1. LOG_PATH, APP_PATH and
# GLOBAL_APP_PATH are set elsewhere in the script (not shown here).
function install_app_to_path(){
    #path=$1
    # Stage into a hidden, timestamped directory next to the destination
    InstallPath="$1/.zoomus_"$(date)""
    mkdir -p "$InstallPath"
    mkdir -p "$InstallPath/Frameworks"
    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 1
    fi

    # Move an existing installation out of the way, then delete it
    if [[ -d "$1/zoom.us.app" ]] ; then
        rm -f "$1/zoom.us.app/Contents/Info.plist"
        mv "$1/zoom.us.app/Contents" "$InstallPath/trash"
    fi

    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 4
    fi

    rm -rf "$1/zoom.us.app"
    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 4
    fi

    # Record every other copy of Zoom that Spotlight knows about
    mdfind 'kMDItemCFBundleIdentifier == "us.zoom.xos"'> .zoom.us.applist.txt

    # Unpack the bundled 7z archives with the 7zr binary shipped inside the
    # package; the framework archives are extracted in the background
    echo "["$(date)"]un7z zm.7z =================================" >>"$LOG_PATH"
    if [[ -f res.7z ]] ; then
        ./7zr x -mmt ./res.7z -o"$InstallPath/Frameworks"&
    fi

    # (the archive really is spelled "resReitna" in the package)
    if [[ -f resReitna.7z ]] ; then
        ./7zr x -mmt ./resReitna.7z -o"$InstallPath/Frameworks"&
    fi

    if [[ -f bundles.7z ]] ; then
        ./7zr x -mmt ./bundles.7z -o"$InstallPath/Frameworks"&
    fi

    # The main app archive is extracted in the foreground, then wait for
    # the background extractions to finish
    un7zresult=$(./7zr x -mmt ./zm.7z -o"$InstallPath" 2>>"$LOG_PATH")
    ret=$?
    echo "["$(date)"]check un7z return:$ret, $un7zresult">>"$LOG_PATH"
    wait
    echo "["$(date)"]un7z all finished">>"$LOG_PATH"
    if [[ $ret != 0 ]] ; then
        rm -rf "$InstallPath"
        return 3
    fi

    # Assemble the bundle and move it into the destination directory
    mv "$InstallPath/Frameworks/"* "$InstallPath/zoom.us.app/Contents/Frameworks">>"$LOG_PATH"
    mv "$InstallPath/zoom.us.app" "$1" >>"$LOG_PATH"
    if [[ $? != 0 ]] ; then
        rm -rf "$InstallPath"
        return 1
    fi

    # A system-wide install is made group-writable for admin users
    if [[ "$APP_PATH" == "$GLOBAL_APP_PATH" ]] ; then
        chmod -R 775 "$APP_PATH"
        chown -R :admin "$APP_PATH"
    fi

    echo "["$(date)"]mv $InstallPath/zoom.us.app into $1">>"$LOG_PATH"

    rm -rf "$InstallPath"&
    return 0
}
```
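The inspection the two comments above describe (expanding the package with `pkgutil`, finding everything inside the `Scripts` member, which is a gzip-compressed cpio archive) can be scripted so the preinstall text is read without Installer ever running it. The script below is an added example, not Zoom's code and not from this thread. `pkgutil --expand` and `cpio` are macOS tools; `audit_script` is plain POSIX shell and runs anywhere. The list of commands it flags is my own heuristic for "a pre-flight check has no business doing this", and the sample scripts in the usage are constructed, not taken from any real package.

```bash
#!/bin/sh
# Added example: inspect a macOS flat .pkg's install scripts without letting
# Installer run them. Not Zoom's code. Assumes the Scripts member is a
# gzip-compressed cpio archive, as described in the thread.

# Step 1: expand the flat package (an xar archive) into a directory.
# Nothing in the package executes; Installer is never involved. (macOS only)
expand_pkg() {
    pkgutil --expand "$1" "$2"
}

# Step 2: unpack every Scripts archive in the expanded tree. A distribution
# package nests component packages, so search recursively. Returns 1 if the
# package carries no scripts at all.
extract_scripts() {
    expanded="$1"; out="$2"
    mkdir -p "$out"
    find "$expanded" -name Scripts -type f > "$out/.list"
    [ -s "$out/.list" ] || return 1
    while IFS= read -r s; do
        # name the output directory after the component package it came from
        dest="$out/$(basename "$(dirname "$s")")"
        mkdir -p "$dest"
        gzip -dc "$s" | (cd "$dest" && cpio -idm 2>/dev/null)
    done < "$out/.list"
}

# Step 3: flag lines in a pre-flight script that do more than check
# prerequisites: archive extraction, writing into the filesystem, changing
# ownership or permissions, fetching or launching things. Comment lines are
# ignored. This is a heuristic (my own list, not Apple's), so read the hits.
# Returns 1 and prints the lines if anything is flagged, 0 otherwise.
SUSPICIOUS='(^|[[:space:];&|(])(\./)?(7z|7zr|unzip|tar|ditto|cp|mv|rm|mkdir|chmod|chown|open|launchctl|xattr|installer|curl)([[:space:]]|$)'

audit_script() {
    hits=$(grep -nE "$SUSPICIOUS" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    echo "$1: lines that modify the system or launch programs:"
    printf '%s\n' "$hits"
    return 1
}

# Put it together: expand, unpack, audit each install script. Nonzero exit
# means some script would change the system before the user clicks Install.
audit_pkg() {
    work=$(mktemp -d)
    expand_pkg "$1" "$work/expanded" || return 2
    if ! extract_scripts "$work/expanded" "$work/scripts"; then
        echo "$1: no Scripts archive, nothing runs before install"
        rm -rf "$work"
        return 0
    fi
    status=0
    for f in "$work"/scripts/*/preinstall "$work"/scripts/*/preflight \
             "$work"/scripts/*/postinstall "$work"/scripts/*/postflight; do
        [ -f "$f" ] || continue
        audit_script "$f" || status=1
    done
    rm -rf "$work"
    return $status
}

# Usage: sh audit_pkg.sh Zoom.pkg
if [ $# -gt 0 ]; then
    audit_pkg "$1"
fi
```

A preinstall that only probes the system (tests a path, reads a version string, exits 0 or 1) produces no hits; the routine quoted above would light up on its `mkdir`, `rm`, `mv`, `chmod`, `chown` and `./7zr` lines. Pacifist would not have shown any of this, since the payload is inside the script archive rather than the Payload member.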


This is just horrendous.


Ugly? Most definitely. Offensive? Not really.


Among other things, it offends me that this runs in a preinstall script.


> Seconds matter.

Whenever I have been told that I have a meeting coming up with some kind of conferencing software that I don't have installed, I immediately install it. I don't wait until 3 minutes before the call to try and install. All kinds of things could happen, such as incompatibilities or missing passcodes.



