Apple isn’t patching all the security holes in older versions of macOS (arstechnica.com)
274 points by fahd777 on Nov 14, 2021 | 125 comments



They also never bothered to implement the 2-factor code popup on old systems but are forcing users to use 2FA.

So you now get to explain to grandma that she needs to enter her iCloud password, get a password error, click on approve on her iPhone, then enter her password again with the 6 digit code shown on the iPhone appended to the end of her password.


I made the mistake of reinstalling macOS on my late 2015 rMBP using internet recovery. I found myself locked in a loop where I couldn't upgrade to the latest macOS because it required 2FA.

I called Apple Support and they didn't tell me this information and simply said they can't bypass or disable 2FA. It was only by researching that I discovered this workaround.

This was one of the worst user experiences I have experienced on an Apple product.


I feel like they patched in an error message explaining this on older versions of OS X, because I definitely was prompted to do it this way. Maybe just in iTunes?


That's a neat hack if you only have one input box. But all the extra code on the backend needed to differentiate between a normal password and a password+pin sounds like something which could accidentally weaken security.


It's really not that complicated given it's a fixed 6 digit appendage
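Added example (not part of the thread, and not Apple's implementation): a minimal sketch of how a server could handle a single legacy field that carries either the password alone or the password with a fixed six-digit code appended, as the comments above describe. The `Account` class, `legacy_login`, the status strings, and the code lifetime and retry limit are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_LEN = 6          # fixed-length numeric suffix, as described in the thread
CODE_TTL = 300        # assumed code lifetime in seconds
MAX_CODE_TRIES = 5    # assumed guess limit per issued code


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account record with a salted password hash."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.pending = None  # [code, expires_at, tries_left] once issued

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(_hash(candidate, self.salt), self.pw_hash)

    def issue_code(self, now: float) -> None:
        # A real service would push this to a trusted device and
        # rate-limit how often a new code can be requested.
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.pending = [code, now + CODE_TTL, MAX_CODE_TRIES]

    def check_code(self, candidate: str, now: float) -> bool:
        if self.pending is None:
            return False
        code, expires, tries = self.pending
        if now > expires or tries <= 0:
            self.pending = None
            return False
        self.pending[2] = tries - 1  # every guess costs a try
        return hmac.compare_digest(candidate.encode(), code.encode())


def legacy_login(account: Account, field: str, now: float = None) -> str:
    """Handle a client that can only send one password field."""
    now = time.time() if now is None else now

    # Case 1: the whole field is the password. This is checked first so a
    # password that itself ends in six digits is never mis-split. It only
    # proves the first factor, so the client still sees a failure.
    if account.check_password(field):
        account.issue_code(now)
        return "CODE_REQUIRED"

    # Case 2: password + six ASCII digits. Both halves must verify; the
    # caller gets the same answer whichever half was wrong.
    prefix, suffix = field[:-CODE_LEN], field[-CODE_LEN:]
    if prefix and len(suffix) == CODE_LEN and suffix.isascii() and suffix.isdigit():
        pw_ok = account.check_password(prefix)
        code_ok = account.check_code(suffix, now)
        if pw_ok and code_ok:
            account.pending = None  # codes are single use
            return "OK"
    return "DENIED"


if __name__ == "__main__":
    acct = Account("grandma202111")          # constructed sample password
    print(legacy_login(acct, "grandma202111", now=0))
    print(legacy_login(acct, "grandma202111" + acct.pending[0], now=1))
```

The point of the ordering is that the password alone never yields `OK`, so the single-field workaround does not turn into a way around the second factor.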


A secure app shouldn’t be sending passwords in the clear though.


Maybe they’re leveraging RADIUS for some of that?


Or PAM, or BSD_Auth, or AD, or ... there's a lot of options.

Supposedly they can also see which capabilities the client has, allowing the fix server side. Why they did that we can only speculate, same with why it's not well known.

I can imagine an engineer with a kid who got a hand-me-down from mom/pop, and they silently fixing it this way because it's within their expertise.

I'd like to hear the authentic story behind it. Hopefully one day!


Oddly, this is explicitly spelled out in old versions of iOS. I learned of it recently because my aging iPhone 8 died and I tried to revive my iPhone 5 while waiting for a replacement. (It did start up but was basically useless otherwise.)


WHAT! How did I not know the append-the-code trick


I spent some time searching the web in my frustration thinking that 2fa was impossible on this MacBook. I think it was a stackoverflow comment somewhere that said to try this...


It's a common hack, e.g. Salesforce does the same for the security token, IIRC same with GitHub.


I've also seen the "append the 2fa code at the end of your password" trick work for other older products that only have one input box. An example is the discontinued Amazon Kindle Windows UWP app.


From memory, the error message it gives says this is what you do. Though I've long since accepted that no one ever reads what the message says.


They are not even shipping root certificates in El Capitan (OS from 5 years ago) and there is no way to update them safely without another computer. This is arguably the most important aspect of the trust ecosystem and there is no way to browse safely without those.


Why don’t you consider downloading isrgrootx1.der from its official source[1] and adding it to Keychain Access to be safe?

It’s what I did on my machine running OS X 10.9. No second computer required.

1: https://letsencrypt.org/certificates/


Yes that's how you solve it. But you need the updated certificate to view this website without warning, thus the need for another computer.


> But you need the updated certificate to view this website without warning

I didn’t. IIRC they did some wacky thing on their own site such that it still worked in Chromium.


Doesn't Chromium use its own CA store, or is that different on the OS X version?


Chromium uses its own HTTPS implementation but does not currently use its own CA store. If it did, adding the aforementioned certificate would not have fixed all of the “Your Connection Is Not Private” errors I was encountering previously. :)


They would presumably use both.


Sorry, I'm not sure I understand your comment. You can presume whatever you want, but I'm telling you how it works. :)

IIRC there are plans to switch Chromium to its own certificate store on all platforms, but they seem to be a ways off.


When you add a root certificate to a browser, typically it is configured to accept BOTH the added cert and the built-in/system certs. There would certainly be no reason not to in this case.


Maybe with curl/wget?


Both of which will also need a certificate store


Use the -k switch on curl to skip certificate verification.

Use a phone, or a phone call to a trusted friend, to verify the signature of the certificate.

Obviously not instructions you can give to an ordinary user, but that line was crossed at curl.


This caught out a family member. Until you said that I thought it was user error. Gone are the days of recommending apple because 'it just works'.


To be fair El Capitan has been replaced by Sierra which is compatible with machines that are more than 10 years old.


AFAIK the youngest machine stuck on El Capitan (released 6 years ago, not 5) is a MacBook Air released 11 years and one month ago. Anything newer is at least on High Sierra (released 4 years ago).


Does Apple not charge for OS upgrades anymore ?


The last paid version was OS X Mountain Lion (10.8, released 2012).


All I know is that they followed the default and ended up being unable to even open the app store to update their OS. Whatever OS support is available for whatever hardware, Apple effectively orphaned that machine.


I recently updated an old MacbookPro6,2 from Yosemite to High Sierra and that was a complete disaster. Took me a huge amount of time.

I think there were two problems: the upgrade could not handle the way the disk was partitioned (or something else). Everything I tried kept failing until I removed the disk, and completely wiped it. Discussions I found online were not helpful.

The other part is the magic you need to download High Sierra on a newer Macbook. It is not as if you can just go to the Apple store and download it.

That said, I have been using Macbooks for work for the last 10 years or so. They always get upgraded a couple of times during their lifetimes. Usually not a big problem. So I was quite surprised how bad it went.


High Sierra introduced APFS, so I'm not surprised you might have had formatting issues. Still, I wonder how common multiple partitions really are - among nerds, sure - in the broader userbase.


I needed to upgrade my Mom's MacBook (a 2017, bad keyboard and all) to Catalina to make sure she could still get updates for Office 2016.

This has since been replaced by an M1 Air and Office 2021, but the migration was easier this way. Old versions of macOS are listed at this URL, which is how I got a link for the latest 10.15 installer.

https://support.apple.com/en-us/HT211683


Which part of upgrading macos to a supported version is not working?


The bit where Apple's OS tries to connect to Apple's update servers, and can't authenticate because Apple switched to an incompatible root CA.


Ah yeah, I've recently received for free an iMac running Macos 10.9. It's simply impossible to upgrade; the only proposed upgrade release is 10.11, the installation starts then fails in a loop. Fortunately I don't actually need to save anything from this machine, and I have another Mac to download a newer OS installer, but that's quite painful.


If it's a 2007/2008 model iMac then it will be able to run 10.11 (El Capitan). If it's a Late 2009 iMac or newer then it will be able to run at least 10.13 (High Sierra).

If the default/upgrade installation is failing then I'd try creating a bootable installer on USB [1]. If it still fails then try erasing the target drive first to do a clean install (you can do this by running Disk Utility from within the installer).

[1] Instructions here: https://support.apple.com/HT201372


It's a 2014 model, it can definitely run Macos 11. But as it has been unused for the past few years, it hasn't been upgraded and it's quite funny how utterly unusable it became: very few websites work at all (certificates problem), it's impossible to install any current application because even Firefox LTS requires 10.13 or so, and it's impossible to upgrade without using another Mac to download the update tool. That's not very user-friendly if you ask me :)


I did this exact thing for a client last week. No need for another computer I just downloaded the installer from the app store and run it as normal. Maybe they have tweaked things.


I'd love to know the "true" histogram of MacOS versions. I'm currently typing this on a machine running Mojave as it is the last one to support 32-bit code. I bet I am not the only one – 10.14 happens to match up with the last "perpetually licensed" adobe suite, for example, as well as older versions of Office.

I'm sure Apple know exactly how many people they inconvenience at any given point, and make a calculated decision about support.


According to the Steam Hardware & Software Survey [0], where the 32-bit thing hit really hard, the numbers could look a little like this:

  MacOS 11.6.0:  11.22%
  MacOS 11.5.2:   2.87%
  MacOS 10.16.0: 44.92%
  MacOS 10.15.7: 11.66%
  MacOS 10.14.6:  6.80%
  MacOS 10.13.6:  6.41%
  Other:         16.12%

According to this other usage plot [1] it doesn't look like the number of people staying on Mojave was in any way significant.

Please note that macOS 10.16 == macOS 11 and that most of these tools don't seem to recognize Big Sur and later from Catalina.

[0] https://store.steampowered.com/hwsurvey?platform=mac

[1] https://www.statista.com/statistics/944559/worldwide-macos-v...


So, roughly 70% are running Catalina or later.

This is pretty good. Macbooks do usually get software updates for many years - as do iPhones and iPads of late.

People who bought early Apple Watches (some of which were very expensive!) didn't get updates past watchOS 4 however, which was sad to see.


This was exactly my case, especially with Adobe. Then my MBP died just a few days before a deadline. So I got a new one with the M1 chip. And I had to go with the Adobe subscription. Not only was it bloatware, it was also buggy. Then Affinity had a sale and I bought three Affinity apps for the price of three months with Adobe. Affinity Designer is better for my needs than the combination of Photoshop/Illustrator. However, Adobe InDesign is still much better than Affinity Publisher. I could live with that but there is not good compatibility between InDesign and Publisher (unlike Affinity Designer where you can easily import/export .psd). But I will have to find a workaround, not because the subscription sucks (I do not use InDesign daily but still almost every month). It sucks because Creative Cloud is bloatware.


The subscription still sucks.


Welcome to the world of big-tech commercial software. You either pay a subscription fee in money or your private information for ad targeting. Sometimes even both.


Not all big-tech commercial software is like this, but maybe I'm not a regular user.


There is a third option:

keygen + little snitch blocking


>I'm sure Apple know exactly how many people they inconvenience at any given point, and make a calculated decision about support.

Each Apple laptop gets upgrades to newest for roughly 6-7 years.


I'm still running Mojave. Never found the time to upgrade. Ridiculous, I know. Anyone else in the same boat?


I find fewer and fewer new features motivating an upgrade. These days it's integration or fluff like tracking the time you spend on each app. I'm on Catalina and have no incentive to upgrade, but have many incentives not to (e.g. breaking compatibility)


One aspect I find infuriating is UX changes. I like the way things were, change for change's sake is annoying.


I don’t mind visual spruce ups to keep things fresh, but over the last few years at Apple there has been a trend in “hiding things in drawers”. Buttons are removed from UIs and moved to hover actions or put inside overflow menus (which is basically a misnomer at this point as there are not enough buttons to fill a toolbar, let alone overflow one).

It’s awful, because you end up with software that is pretty in a screenshot but is objectively less simple to use, because discoverability drops like a lead balloon.

It seemed to start when Forstall was ousted and Jony Ive’s team took over software design as well as hardware. Their recent laptops have shown you can give up a little form in favour of a lot of function, so hopefully the software teams are (re-)learning the same lessons.


It would be good to just have a choice. The designers can go nuts every year, just give me a drop down and I'll pick the skin I like.


Same. Mojave on one, Catalina on the other. Of course, because these are unsupported Macs, upgrading involves OpenCore and researching what potential quirks will arise with new OS versions. I’m perfectly happy with Mojave, so why upgrade if it means I probably have to get new hardware too?

The main thing that’ll drive me to that is Xcode, which Apple ties to macOS versions, so officially you can’t develop for an OS (macOS, iOS, etc) that is more than a year older than yours. The tricks used to get around that aren’t as reliable as OpenCore.


Even worse: Sierra. Ouch. 10 years ago I used to go for every upgrade immediately (even .0’s). IMO new versions since maybe 10.8 added mostly data collecting bloat. macOS moved far away from the OS I once loved (peaked at Snow Leopard IMO). Funnily, macOS became “free” after Snow Leopard, so you’ve probably paid with your data ever since.


Not data. You pay in service subscriptions and upsold hardware (especially since some features work less well or not at all unless your OSes are upgraded across the board).


I wish I could run Mojave or Catalina on my brand new 16". It came with Monterey, which is ugly. Whoever thought light grey text on dark grey background was a good or reasonable UI choice should be fired.

It's the Windows XP Home of operating systems.


The biggest thing preventing me from upgrading to Big Sur+ is how ugly the UI is. Gone are the elegant, sleek windows of old, replaced by bubbly flat sheets and weird, incongruous menu systems. It feels like Apple was taking the piss out of the GNOME desktop and then forgot to press the "we're just joking" button before they shipped it.


It's possible that the key product people that were responsible for making macOS useful for those other than the iPhone/YouTube generation have mostly moved on from product leadership inside of Apple, whether due to changing priorities, retirement, being sidelined inside of what I am internally mentally referring to as Apple 3.0, or just getting fed up with the tacky panhandler-esque push toward services revenue at all costs, etc.

The GNOME comment is spot on. Unfortunately while the screen and cpu/gpu/apu is amazing in the new M1P/M rMBP16, it is also one of the ugliest laptops Apple has ever shipped. (The best thing they did to the overall design of the iPhone recently, hardware specs aside, was to go back to making the rounded bubble 10/11 be like the 6 in the 12/13, which, despite being an improvement, is a reversion to the past. I also can't tell the difference in the design of the 12 and 13.)

This seriously does not bode well for people who deeply appreciate simple beauty in their daily-use tools.

I was spoiled over the last decade or so of my laptop being of extremely high performance/quality AND ALSO completely unnecessarily fucking gorgeous. Now it's an ugly grey brick. I hope those days aren't over forever.


My a1502 still has Mojave, and I'm not planning on returning to MacOS until they reinstate 32-bit support. It feels like I'm screaming into the void when I tell other people about this, they almost always just shrug their shoulders and say something along the lines of "the Twitter app still works though".


32-bit support is not coming back, and nor should it. Having a mix of apps means having both 32-bit and 64-bit copies of system libraries loaded in memory all the time, which is inefficient.

For security reasons, you probably should partition your Mac, run Catalina or Big Sur* on your main partition with your personal stuff, PGP keys, and other important things, and have a separate partition with Mojave for your legacy apps. If those are mostly games, then you may be better off with a Windows partition instead of Mojave, because that would support even more games.

* A1502 does not get Monterey, I think.


(I'm not the person to whom you were replying)

One of my "important things" is a 32-bit app required for a freelance project. This freelance project also requires some 64-bit apps, so I don't see how two partitions would help here. Am I missing something? (Sincere question -- I'm looking for a new solution because I know Mojave won't be supported forever.)


If that 32-bit app has a Windows version, you could run it on current macOS using CrossOver. Performance might take a hit depending on what you're doing, but the MacBook Pro M1 runs Windows games fairly well in CrossOver. Wine might also work.

If the app is only available for 32-bit macOS, I suppose your remaining options are running Mojave in a local VM, or in the cloud (AWS offers Mojave instances for example) for your freelance work.

Out of curiosity, is this an internal enterprise app, or a consumer app? Most consumer apps have alternatives for 64-bit macOS.

> I know Mojave won't be supported forever.

It's unlikely to receive further security updates at this point.

If you're not on the latest macOS, you're not getting all the security updates. You will still get many security updates if you're one version prior (Big Sur right now), and if you're two versions prior you might get a few updates (Catalina). But you're unlikely to get updates to Mojave after this year.


Unfortunately, the app is only available for 32-bit macOS. It's a consumer app, and I have yet to find an equivalent 64-bit alternative.

Thank you for the suggestions :)


Oh, I don't really care about MacOS that much. I've already moved on to Linux, which has much better support for games and legacy software (along with the development I do every day for, y'know, work). I just keep the old lappy on Mojave because it reminds me of better times. I never really do anything beyond basic text editing on it anymore.


Apple is more likely to discontinue support for x86_64 altogether in favor of arm64e than they are to bring back 32-bit support. Rosetta v1 didn’t last long when transitioning from PowerPC.


With all due respect. How much time do you think it will take to download and install an update every few years?


I know... not much. And it's the same kind of argument one would use when postponing say, garden work, cleaning the oven, etc. I have taken a vacation day next week to get this done - not just the macOS upgrade of course, but a long list of pending household tasks.


Especially since the update downloads in the background and doesn't require your input after starting it. You can start the update, go do something else, come back an hour later and it's done.


Ahaha yes, and then you're left "only" with a few hours figuring out what broke in your setup because stuff like /usr/local was "liberally" modified by the update. Plus, of course, oops all your 32bit games are ded.

(Yeah sure, not your average Mac user, but still - don't discount the pain that any arbitrary update can and will inflict).


In my experience, updates have been completely painless to the point that at first you hardly notice you updated at all.


>Apple should spell out its update policies for older versions of macOS, as Microsoft does, rather than relying on its current hand-wavy release timing.

I maintain endoflife.date/iphone and endoflife.date/macos, and this has been a continuous problem - Apple doesn't provide a document that notes supported OS releases anywhere. The closest we got was in the iOS 15 release notes which confirmed Apple would provide iOS 14 with security updates (something that they clearly failed at).

Apple also released an emergency security fix for iOS 12 when it was unsupported, which was nice - but Apple needs to clearly document when users can expect such fixes.

The only page Apple does provide is a list of supported devices, which only covers the latest OS, and is unreliable as a result.

https://support.apple.com/en-in/guide/iphone/iphe3fa5df43/io...


I'll say it: macOS is in decline.

It used to be we would pay a premium for slightly less good hardware, just to run the macOS.

Now, we buy hardware that is world-leading, and sponsor people to try to get Linux running on it so we can flee the mess that is macOS.


Naive question: why is it that the newest version of macos doesn't run on older machines? (The solution is, of course, to install Linux on them.)


I think their main reason is that Apple is a hardware company. They think of new features, build hardware for them, and then tweak their software (OS and applications) to aggressively use that new hardware.

Supporting older hardware is extra work that doesn’t bring in extra money. Also, oftentimes, it isn’t possible to backport features in a performant way (a lot of the ML stuff would only crawl on 10 year old hardware, features such as Handoff and PowerNap require hardware features). End result would be a 20 year old machine that runs the OS, but doesn’t work with modern software.

That wouldn’t make customers happy, and would dilute the brand of their OS releases.


I have a MacBook Pro late 2013 with a retina display, i7 CPU, 16GB RAM and 512GB SSD that doesn’t get Monterey. I am not very happy about it, it’s a waste.


It will depend on which MacOS dropped them.

Mojave for example dropped all Macs with GPUs incompatible with their Metal API.

https://arstechnica.com/features/2018/09/macos-10-14-mojave-...

The arstechnica MacOS reviews are good for working out (sometimes resorting to speculation) what makes a Mac unsupported.


Apple always drops software support for hardware when they stop providing hardware repairs. They generally consider hardware “vintage” 7 years after its introduction, but sometimes make that longer. They drop support in new macos releases only but they keep shipping updates to the two older releases as well. This means in practice hardware gets about a decade of software support, and the last two years of that without new features. Since the reasons for dropping support usually aren’t hard technical limits the community makes patchers to put new macos releases on older hardware.

To my knowledge Linux has never worked well on intel macs with a T2 chip. Asahi linux is working on bringing good support to m1 macs, so it looks like for good linux support you either need a pre-T2 mac or a post-M1 mac.


If Apple transitions to Apple silicon and is able to ditch a bunch of legacy code, will they be able to manage it better in the future?


Lack of drivers, or the newer OS may require a specific instruction set or feature not present on older hardware.


But why don't they just keep the drivers etc. from the previous version? This doesn't seem to be a problem for Linux.


Linux would also require drivers to be recompiled for a new kernel. This is not an option for most proprietary drivers for products long abandoned by the manufacturer.

For the more common and popular hardware there is a good chance that open source drivers can be maintained by the community but if your laptop relies on a somewhat obscure chipset or microcontroller then your mileage will vary...a lot. Look up "Intel GMA500 Linux driver" if you need an example of the pain.

Sometimes the decision could be entirely commercial. Most notably, OSX dropped support for all nVidia GPUs from Mojave onwards despite nVidia going on record saying they are happy to continue providing drivers but Apple won't sign them.


> Most notably, OSX dropped support for all nVidia GPUs from Mojave onwards

Not those shipped with Macs. The GeForce kexts to support the NVIDIA GPU gens that Apple shipped, Fermi and Kepler, are still present even on Monterey.


Apparently they will not be in the stable release of Monterey though it is still possible to patch the drivers in.

https://github.com/chris1111/Geforce-Kepler-patcher

Fermi was never supported beyond High Sierra IIRC.


Hm, your own link shows that NVDAGF100Hal.kext is present though, so something for Fermi is _probably_ possible.

TIL that support for NV cards on Monterey is gone, it definitely was there in the betas.


macOS sees quite a lot of change under the hood from release to release that can make bringing unmodified drivers forward impractical. For example, in recent releases there’s been a push to move drivers away from the kernel and into userspace, which is naturally going to break old drivers. 32-bit support was also dropped not too long ago, which broke old 32-bit drivers.


I know one of the reasons for this (as an outsider). Over the years, the security patch codebase included other bugs that had been fixed in later code. Apple ios particularly when they are getting ready to launch a new iphone fork their code and try to keep security patches in sync, but by doing so "unfix" a lot of bugs. This has been an observed pattern for 6 or 7 major upgrades now. The bottom line, software used by tens of millions of people is hard.


They are offering free upgrades to newer versions of operating system instead. The only case where you're not getting it is when your laptop has been EOLed by Apple, which is effectively the same thing.


To note, 32bit compat has been discontinued with Catalina, so people who kept an old version around for that purpose are SOL.

Moving to a virtualized instance is an option, but then I wonder how PITA it is to keep the virtual one secure.


What are these 32-bit apps people seem to keep running?

If they are games, Boot Camp is an option on Intel macs, and CrossOver [1] is an option on Apple Silicon.

https://applesilicongames.com/games


I personally gave up on an old Lightroom version that was pre-CS cloud, and could see more professional people clinging to specific version of apps for whatever reason (private plugins, specific Apple scripts, standardized manual procedures etc.).

There must also be enterprise software that still wasn’t recompiled, or the vendor went under or threw in the towel.

Those are a minority, but sadly we see that on every breaking change.


WXtoImg is what I miss the most. There’s a long tail of unsupported old software with unique capabilities.


I see it's no longer being updated. Does the Windows version[1] work on macOS using Wine/CrossOver?

1. https://wxtoimgrestored.xyz/downloads/


Yes, it's no longer being updated, which is why we're stuck on the 32-bit version for MacOS.

I've not gotten it to work in Wine/CrossOver, but perhaps someone more skilled than I am could get it to work. I've just used it in virtualized Linux for now.


> The simple solution for this problem is that Apple should actually provide all of the security updates for all of the operating systems that it is actively updating

That's circular reasoning. The older operating systems are only getting security updates, as the article notes, so their definition of "actively updating" is "getting security updates". When Apple isn't issuing security updates, it is not "actively updating".

Maybe what the author wants to say is something along the lines that Apple should provide timely security updates for all operating systems released over the past 10-15 years.


I am still on Mojave, and do not want to upgrade to Monterey due to bugs like memory leaks reported by people. I only have 4 GB RAM on my MacBook Air. Will Monterey work with a 2015 MacBook Air with only 4 GB RAM without issue?


Incredibly short sighted when they shipped so many laptops with 128GB drives even till quite recently where upgrading is almost impossible once you've been using the machine because even basic apps and a few files push you beyond the limit required to update.

Most of these laptops run at 2-4GB free space because MacOS already takes up a ton of space and throw on a few Electron apps and it's full.


It's not even much better with 256GB. I thought I'd be fine as I used to run Linux with 128GB and had loads of room. MacOS has been very tight with 256GB


I’m running a 256Gb mini. I have 100Gb free. That includes 25 years of carefully curated photos and videos. Depends what you do with it and how wasteful you are with storage.


I pity the people who bought one of those thinking they could install Xcode and still have room for a couple movies afterwards.


Please anyone, someone, does anyone think that these are all the same company? Same culture? Same quality of software?

Apple releasing 10.4

Apple releasing 10.6

Apple releasing 10.11

Apple releasing 10.15


The amount of phone-home in the macOS these days is also absolutely astounding. My new mbp16 has at least 4 different processes talking to Apple Maps servers even with location services disabled, and if you press F8 it sends the machine's unchangeable hardware serial number to Apple (linking it to your IP) without consent. (FWIW it also says on screen that it is doing this when you press F8.)


Is that Maps functionality, or OS functionality? Can it be remapped in Keyboard Shortcuts?

And most importantly, what the actual fuck?..


I have pals that work at Apple, but they're not saying: I wonder what branching model they are running for macOS/iOS.


Microsoft has spoiled us these many decades by providing patches for out-of-support operating systems.


If I recall, MS was forced to do so because of the atrocious security of Windows.


It’s their responsibility as they programmed allowing these flaws to begin with. Companies that write software and EOL it have a moral obligation to support it until the end of times, or provide an upgrade path to keep it supported.


They want to force us to update to their much worse Bug Spyware


Yawn. More Apple bashing that is not backed up by any facts.

Name me one widely deployed OS that promises its users patches ad-infinitum.

Microsoft certainly doesn't patch all older versions of Windows.

Neither do all the widely deployed Linux flavours, they all have clearly defined EOL policies.

Nor do the BSDs, e.g. OpenBSD has a "current plus previous" policy.

You have to draw a line in the sand somewhere in terms of patching historical versions. Promising your users you will patch all historical versions forever is not feasible, because it means you are promising you will patch all dependencies forever, and that will require a lot of massive teams of developers doing nothing all day but patching legacy software.


>Microsoft certainly doesn't patch all older versions of Windows.

This is not about EOL OS releases, this is about Catalina (macOS 10.15, released in 2019).

Apple advertises Catalina as still supported, last update was 15.15.7 on October 25 of this year (https://en.wikipedia.org/wiki/MacOS_version_history#Releases).

>Neither do all the widely deployed Linux flavours, they all have clearly defined EOL policies.

The big difference here you forgot to point out is that you can almost always update to the next Debian (or whatever GNU/Linux distribution you use) Stable release with the hardware you ran on the last one.

You could also get new hardware from whatever vendor you want to since Debian (and any other GNU/Linux distribution) isn't vendor locked to a company that insists on selling you soldered RAM/SSDs and thermal throttling machines.

The Debian team also consistently honors their support cycles, unlike Apple.

>Nor do the BSDs, e.g. OpenBSD has a "current plus previous" policy.

Same thing as the GNU/Linux situation I mentioned above, the operating system is not vendor locked and you can almost always update to the next release with old (in the case of *BSD maybe even ancient) hardware, this is not true for macOS.

>You have to draw a line in the sand somewhere in terms of patching historical versions.

Agreed, you have to draw the line somewhere.

The issue here is that Apple drew the line and then didn't even bother to honor it.


Exactly on point regarding Debian. I've been running Debian stable since 2012 or 2013, and I've only upgraded my hardware when a motherboard died or when I wanted a new laptop for reasons other than the OS.


This is not about EOL - the article is about Apple not patching security issues in two-year-old supported OS versions (Catalina from 2019).

Microsoft certainly does patch all two-year-old versions of Windows.


First, Big Sur was the first macOS to support ARM. Given recent developments at Apple, it's no surprise their primary development focus is on OS Releases that have ARM support.

Second, as already pointed out by another poster in this thread, Apple provide free upgrades to newer OS versions for supported hardware (and the hardware support goes back a decent number of years[1]).

For the vast majority of people on Catalina, all they need to do is to upgrade to Big Sur, it is almost certain they are using compatible hardware[1].

[1] https://support.apple.com/en-us/HT211238


The key point for this IMHO is, as mentioned in the article "But it's also time for better communication on this subject. Apple should spell out its update policies for older versions of macOS, as Microsoft does, rather than relying on its current hand-wavy release timing".

If Apple properly supported Catalina, that would be great; if Apple explicitly said that Catalina is out of support / EOL and people need to upgrade to Big Sur, that could be reasonable; but if they keep the two-year-old release in some limbo that's kind of supported but poorly, that's simply poor support.

Apple needs to make a clear choice and publish a specific date for each of their releases up until which they commit to backporting security updates, so that people can know what is the expectation for e.g. Catalina, whether it is considered supported or not right now.


I really don’t get this. Apple does provide free updates for all. If you skip major versions, you’re shooting yourself in the foot and blaming Apple for allowing it.

Apple is giving you the update: Install it and now it’s up to date. They don’t have to support multiple versions of the same thing indefinitely.

The situations (devices) where the update isn’t possible (i.e. they’re outdated too early) can probably be counted on one hand.


I agree that they don’t have to support multiple versions of the same thing indefinitely, however they do have to say what they are supporting and for how long they're going to support what.

The fact that Big Sur was released does not automatically mean anything about the support for Catalina, because there are all kinds of reasons not to make a major version upgrade even if the hardware is still compatible with the new version; the major upgrades do break certain aspects of software and implement changes to functionality and UI, not just fixes for security bugs.

The core issue is that simple questions like "Is Catalina being supported as of 14th November 2021 or not" and "Which is the date when Big Sur support ends and you are expected to migrate to Monterey or later for security updates" deserve a clear answer from Apple, and it seems that they are refusing to answer that with any official, published policy.


Only when using a release that is EOL is it shooting yourself in the foot in regards to security. It doesn't matter if the new release is free or not (Linux and BSD are), not everyone wants to track the latest release for whatever reason they like and there's no problem with that if it still receives timely security updates, which is a standard practice on every other OS. If Apple doesn't want to do this, it should be clearly stated. Otherwise as this behavior is outside of the norm, Apple should be rightly criticised for it.


For iOS 14, Apple provided users a prompt to optionally upgrade to 15 while guaranteeing security updates to iOS 14. This is the relevant text on the Apple website:

>iOS may now offer a choice between two software update versions in the Settings app. You can update to the latest version of iOS 15 as soon as it’s released for the latest features and most complete set of security updates. Or continue on iOS 14 and still get important security updates.

>https://www.apple.com/ios/ios-15/features/

Apple is not even meeting its own guarantees.


The problem is they don't allow the latest MacOS on not very old hardware. If they allowed the latest OS there would be less call to keep the older versions patched.

> Name me one widely deployed OS that promises its users patches ad-infinitum.

> Microsoft certainly doesn't patch all older versions of Windows.

> Neither do all the widely deployed Linux flavours.

But the latest and greatest Windows and Linux releases are installable on older devices.

I extended the life of a 2011 iMac which stopped receiving updates from Apple by installing the latest Fedora.

Most Linux distributions draw the line at 32 bit hardware.

Windows 11 was controversial in that it dropped support for older computers. But this shows what the expectations are.


> But the latest and greatest Windows and Linux releases are installable on older devices.

This was certainly true until recently when Microsoft went all Windows 11, which only works on a small, whitelisted subset of X86-compatible CPUs and also mandated TPM 2.0.

Now only Linux offers semi-guaranteed support for older hardware.


To note: Windows 10 is still supported and will be up to 2025. And when that date arrives, Microsoft has a history of patching out of support Operating Systems. Mostly because they have large enterprise contracts which last longer than the EOL of their OS.

Also Microsoft provides an official guide on how to install Windows 11 on older hardware. My neighbor has Windows 11 on his 10 year old laptop running an i7 2500 and it's butter smooth.


> But the latest and greatest Windows and Linux releases are installable on older devices.

So is OS X Big Sur[1] and Monterey[2]

For the majority of people all they need to do is pull their finger out and upgrade the OS from Catalina to Big Sur or Monterey.

    [1]https://support.apple.com/en-us/HT211238
    [2]https://support.apple.com/en-us/HT212551


Those show about 8 years. My 2011 iMac was dropped by Mojave (7 years).

Modern computers should last a lot longer than that, especially if you can pass them on to users with less demanding requirements.

And fortunately Macs do last longer than that, but you have to install Linux or Windows to keep them up to date.



