Solipsism Gradient

A correction regarding Apple’s mini-DisplayPort connector. The DisplayPort organization’s page is none too clear, and the actual standards aren’t available for free, but it now appears that Apple has been instrumental in working with them to define the new mini connector; unlike past “minis” adopted by Apple, this seems to be a bona-fide standard. So there’s real hope of it being more widely adopted by other manufacturers.

I don’t see any major advantage in the full-size DisplayPort connector, except perhaps for the optional locking mechanism on the plug. Don’t expect it to appear in any Apple products; in any event, mini-to-full cables will probably be sold by third parties.

There’s an interesting picture on the interoperability page: it shows what appears to be a previous-generation MacBook, with USB, FW400, FW800, S-VHS and the full-size DisplayPort connector. Looks like a Photoshop job to me…

The XML version of the surprisingly popular U.S. International keyboard layout is finally out. I was writing a drag & drop installer for it, but had to put that on the backburner for now; there’s lots of more important things for me to do.

Many thanks to Rafael Fischmann of MacMagazine for making a step-by-step screencast (in Portuguese) about it! Installing a keyboard layout seems to be a stumbling block for less-technical users, so every little bit helps.

It’s now almost a week since I’ve ordered a MacBook Air, and it arrived two days later. As usual, the packaging is superb and everything worked out of the box. I spent a couple of days upgrading and installing software, getting a faster WiFi network up at home, and generally testing things. I was unable to get a USB-Ethernet adapter though; neither Apple’s nor third-party models can be found in local stores so far.

The Air is everything I expected; excellent design, very light, runs somewhat hot under heavy CPU loads, takes longer than it should when recharging – I measured 4 hours to recharge from empty to full with the machine sleeping.

What I didn’t quite expect, with all the whining about it being slow, was the speed. Building Quay on it is at least twice as fast as on my not-quite-2-years-old iMac G5 (2GHz, single CPU). I suppose that hard drive-dependent operations will prove slower, but then it’s a puny 1.8″ drive.

All in all, I’m planning to use the Air as my main development machine away from home, and it should be fully set up in time for our upcoming Europe trip in May.

Two interesting developments came up while I’m studying for my next post about code signing.

Firstly, every developer who has signed up for the $99/year program has gotten a letter which says, in part:

We have received your enrollment request. At this time, the iPhone Developer Program is available to a limited number of developers and we plan to expand during the beta period. We will contact you again regarding your enrollment status at the appropriate time.

The message for non-US developers also mentions that the program will be implemented in the US first. At this point, some developers went off in a huff, interpreting it as a rejection, and numerous complaints and conspiracy theories have been aired. So far (as I know) nobody who applied to the $99 program has been formally accepted – the ones who said they were are apparently newbies interpreting their ability to download the SDK as “acceptance”. On the other hand, a handful of companies have stated they’ve been accepted into the $299 enterprise program.

Well, my understanding of English may be faulty (it’s only my fourth language, after all) but let’s look at the 3 sentences I quoted above:

We have received your enrollment request.

Nice of them to reply.

At this time, the iPhone Developer Program is available to a limited number of developers and we plan to expand during the beta period.

This is just repeating what Steve Jobs said during the iPhone event… nobody would expect Apple to accept all applicants immediately and at the same time. There certainly are several thousands at the very least.

We will contact you again regarding your enrollment status at the appropriate time.

Meaning, as soon as we dig out from under, we’ll check your application. I see no problem there either.

Apparently, some people are indeed interpreting this as a poorly worded rejection, or at best as an ambiguous directive that you have to go to the end of the line or try again. Now, I’m the type of person who has difficulty in understanding the logic of “I’m afraid I’ll have to tell you that your credit card has been declined” – the first time I heard that in person I couldn’t follow at all (heh! he’s afraid of what? will he have to say what in some unspecified future? Why doesn’t he then say whatever he will have to say, then?) But I can’t see anything like that buried in that last line either.

Second item is that the SDK’s restriction on background process has been much-commented on, among others by John Gruber and Mike Ash. Along the way, there have been complaints about this and other restrictions imposed on third-party applications. Some have even pointed out (I can’t confirm or deny) that the APIs published in the SDK are just a small subset of the APIs ferreted out by people examining the previous iPhone firmware. Some commenters even seem to believe that Apple not publishing certain APIs is illegal in some way… witness the comments about unpublished APIs called by WebKit/Safari some weeks ago.

Well, Apple can certainly opt to tell people not to use certain APIs. In fact, on the Mac in the past, some large software publishers went ahead and used some of those “hidden” APIs anyway, with the result that Mac OS X still has to support lots of legacy calls that are broken, but can’t even be properly fixed without breaking those applications!

So, on the iPhone, they’re certainly making sure to avoid the legacy/unsupported/hidden API problem at all costs. Apparently the SDK license says that applications may not use any unpublished API, period. Note that this does NOT mean that Apple will have to examine your precious source code line-by-line; no, they’ll just run a tool that looks at your executable, sees what symbols in which frameworks are referenced, and produce a listing of whatever non-documented stuff you’re calling.

So, there are no documented APIs that let you run an application in the background, or start a background process. I’m sure we all agree that having any GUI application continue in the background after another GUI application starts will be too resource-hogging – after all, if you allow one, you have to allow any. From what I’ve read, no Apple application does that either; a few seem to have a background process or daemon running to take care of communications, but that’s of course much more lightweight.

I agree with Mike that obviously the iPhone OS does support multitasking in a generic way. I also agree that the relatively limited RAM (I heard that 64M are available to a third-party application) and CPU speed are no obstacles. To mention an even older example than he gives, I managed to write an embedded system running on a 4MHz Z80A CPU, with 32K of RAM, that handled a GUI, a foreground thread, and two background threads tracing several realtime signals on a screen.

But make no mistake, embedded systems are hard to keep responsive, even if you have no arbitrary code running at all. Apple apparently elected not to have full virtual memory swapping in the iPhone OS; here again, it’s not a limitation of the hardware (Flash memory can support swapping) or of the OS (it’s Unix-based after all) or of the CPU (it does have page tables etc.).

No, I think Apple simply is trying to keep “teh snappy” always happening, keep battery duration as high as possible, and avoid Flash RAM filling up by swapping. Also, swapping pages takes time and burns battery power. A wait of 2 or 3 seconds may be shrugged off if you sit at a desktop computer but may be unacceptable if you’re trying to answer a call on the iPhone.

Consider the MacBook Air with SSD. It has 64GB of flash and 2GB of RAM, with full swapping virtual memory of course. I’ve seen people leaving 20 or 30 applications running on a Mac and not noticing that their swap files grew to 12 or 20GB… but even that may already become a problem on the Air. I suppose Apple didn’t want to face telling people that they should leave 2 or 3GB free on their 8GB iPhone… and risk crashing or hanging when it suddenly fills up.

Still, I feel that if you do have a compelling application that absolutely depends on having a background process running, you’ll probably be able to ask Apple for an exemption… if you can prove that your process won’t hog the system. Also, Leopard (for one) has facilities to start processes on-demand – using launchd, you can have the system watch a certain port or socket and start up your process when data arrives there. No doubt we’ll see more such facilities being deployed.

Mike Ash recently posted about code signing. We’d talked about the subject a few days before and that is a great summary of Mike’s thoughts about it.

Code signing on Mac OS X is still evolving, but with the release of the iPhone SDK, the subject is suddenly being thrust into the limelight. To quote the Wikipedia article:

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.

In the past, code signing has been used on several platforms with differing intents and implementations; Microsoft, for instance, has a driver signing program that lets only Microsoft-certified device drivers run without warnings on Vista. In contrast, here’s a statement from an Apple engineer on the apple-cdsa mailing list:

Windows “code signing” is not only completely different in design and implementation, it also has a completely different *intent*. The Windows version tries to determine whether *Microsoft* thinks your program (or driver etc.) should be used. Mac OS X Code Signing is a general medium to let the manufacturer and user negotiate as to whether/how they want to trust each other, with the system providing the infrastructure to make this possible.

From what I’ve learned about the subject so far, the Mac OS X implementation seems indeed to be aimed in this direction – there’s very little documentation available. Even less is, of course, available for the iPhone OS implementation, and details are under NDA. But let me try to explain what I learned so far.

Mac OS X code signing is an implementation of the X.509 standard public key infrastructure. It depends on a cryptographical algorithm which gives reasonable assurance that signatures cannot be forged with currently wide-available technology. Of course that’s a rapidly moving target, and the twiddly mathematical details are beyond the scope of this post (and, in parts, of my poor brain too).

So, you can have signed executables (single binary files) and signed bundles (which can applications, frameworks, plug-ins and so forth). A signed bundle is easily distinguished by the presence of an extra “CodeResources” file inside the bundle’s Contents folder. This file is a XML file containing, among other data, a dictionary that contains a hash code for every file inside a bundle. It also has a list of “optional” files or folders; this allows you to remove things like unwanted localizations from an application without invalidating the signature. Of course, if you later re-add a localization its hash codes must match the one inside the file. Additionally, a signature is added to the bundle’s executable.

If you check Mac OS X’s system folder and applications, you’ll find that, beginning with Leopard, every framework, application and command-line tool is signed. This signature, by various convoluted means, is checkable (currently only by Apple’s codesign command-line tool). It also points back at Apple’s “root certificate“. This certificate is is a component in X.509’s chain of trust tree, which basically tells you which authorities certify that a particular signature is valid; in effect, when you reach the root of such a tree you have to decide whether the root certificate can be trusted. (X.509 also can be used for distributed, or peer-to-peer, trust networks.) Let’s see how you can check this in practice. Open Terminal and try this:

$ codesign -vvvv /Applications/Safari.app
/Applications/Safari.app: valid on disk
/Applications/Safari.app: satisfies its Designated Requirement

(as usual, type the line after the $ prompt and you should see the resulting lines.)

So this means that the Safari application is signed and its signature is intact. Otherwise, you’d get either a “code object is not signed” message, or if the signature has been tampered with, a “code or signature modified” message. Now let’s try a small variation on the command:

$ codesign -dvvvv /Applications/Safari.app
Executable=/Applications/Safari.app/Contents/MacOS/Safari
Identifier=com.apple.Safari
Format=bundle with Mach-O universal (i386 ppc7400)
CodeDirectory v=20001 size=7621 flags=0x0(none) hashes=375+3 location=embedded
Signature size=4064
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=23
Sealed Resources rules=9 files=283
Internal requirements count=1 size=68

This gives more information. Specifically, we see that there are 3 “certification authorities” included into the signature, and that there is one “internal requirement”. To see this requirement, try:

$ codesign -dr- /Applications/Safari.app
Executable=/Applications/Safari.app/Contents/MacOS/Safari
host => anchor apple and identifier "com.apple.translate"
# designated => identifier "com.apple.Safari" and anchor apple

This is admittedly hard to wrap your neurons around. From what I understood, the “requirements” are actually a little language that establishes what conditions the signed bundle should satisfy. But satisfy to able to… what? Now there’s where everything is (on purpose) still a little vague. “anchor apple” apparently means that the basic requirement is that Apple’s root certificates be present and trusted. Open the Keychain Access utility, click on “certificates”, and you’ll see somewhere in the list a certificate called “Apple Root Certificate Authority”. You can double-click on it to see details.

But what is all this useful for? Your proverbial “Aunt Tillie” will certainly not be interested in typing commands into Terminal, following certificate chains, and reading up on trust audit procedures. Apple’s keychain software tries to make all that as transparent as possible. Simply logging into Mac OS X can open parts of the keychain, and when Aunt Tillie goes to her banking site, the bank’s certificate should be checked against the keychain’s certificates and with the issuing certification authority, and everything should “just work”. For that to be reliable, Safari’s code signature should also be checked – otherwise it could be hacked by some malicious entity to say that the bank’s site checks out OK even when it’s some phishing site masquerading as that bank!

Signatures and certificates are also checked by the parental control preference panel, by Mail when it receives signed e-mail, and so forth. You may be familiar with the dialog asking if a recently-updated application may access the keychain to store or retrieve passwords; for signed applications, this dialog will be issued only once. If a newly-installed update has the same signature as the previous version, which had already been authorized to access the keychain, it’s assumed to also be trusted to do so.

A similar scenario applies to critical code such as the codesign executable itself. Ideally, such code should refuse to run if it’s modified; Apple has some facilities already in place to do so, and even to detect if an executable ihas been modified while it’s already running by some malicious code injection. However, that sort of thing isn’t widely used yet; mostly because it would break certain facilities, like Input Managers, that people currently rely on.

One aspect I haven’t touched upon yet is the so-called “self-signed certificate”. This is a certificate which is its own root certificate, like the top certificates of the various ‘big” authorities. The difference is that these authorities are large companies that undergo serious auditions and verifications. As an example, Quay is currently self-signed; I’m still evaluating how to publish my certificate in a way that easily allows my users to check if new versions have indeed been signed by myself. Let’s run one of the same verifications on Quay:

$ codesign -dvvvv -r- /Applications/Quay.app
Executable=/Applications/Quay.app/Contents/MacOS/Quay
Identifier=net.brockerhoff.Quay
Format=bundle with Mach-O universal (i386 ppc)
CodeDirectory v=20001 size=245 flags=0x300(kill,hard) hashes=6+3 location=embedded
Signature size=1671
Authority=Rainer Brockerhoff
Signed Time=Mar 8, 2008 08/03 22:28:09
Info.plist entries=14
Sealed Resources rules=4 files=18
host => anchor apple and identifier "com.apple.translate"
# designated => identifier "net.brockerhoff.Quay" and anchor leaf = H"4cbb97c74336f7ee6aa566122a5e7688e1c725dc"

See the difference? It shows only my name as authority, and a SHA1 hashcode at the end. I could publish this hashcode on my site and it would be not too difficult for a technically knowledgeable user to verify that his copy of Quay matches that.

What does this really mean? Actually, not too much. It means that two versions of Quay that give identical names and hashcodes, which additionally match the ones published on this site, giving reasonable assurance that the author of both versions and of the site are the same; but nothing at all beyond that. However, there are ways around that – SHA1 hashcodes can be duplicated with some effort, though perhaps not yet for certificates, and this site doesn’t have a secure (https) variant. A malicious person could easily strip away my code signatures, resign everything with a new self-signed certificate using my name, make a phishing site that looks like mine, and so forth, and to a normal user everything would appear to be OK. Would someone do that for a €7 utility program? Very probably not worth the trouble, but you can’t be sure.

Then again, I could invest in a secure site, an official certificate signed by a trusted authority – perhaps even by Apple itself – and all that would just make the code signature itself more reliable; it wouldn’t necessarily correspond to what extent the code itself can be trusted to always “do the right thing”.

As Mike points out, there’s a huge gap between “signed” and “trusted”. Ultimately you have to trust somebody, or you would be too scared to buy a box at a computer store and open it, much less connect that computer to the Internet or let your children touch it. If I buy a certificate from Apple, and use that to sign my code, you have to trust someone in the certificate chain even if my code seems to “just work”… it wouldn’t necessarily mean that Apple has audited and quadruple-checked my source code. Indeed, it doesn’t even touch the question of whether Apple as a company can be trusted!

All that is still largely theoretical; Mac OS X still runs unsigned code with no problem, even though with some small restrictions regarding use of the keychain, the firewall, and internet access as I mentioned above. But Apple engineers say that in the future code signing will become mandatory. In the next post, I’ll try to discuss the implications of that – especially regarding the upcoming iPhone OS 2.0, where it will be mandatory from the outset.

uliwitness wrote:

Oh, BTW, also found your review of the FireWire power specs interesting. I was hoping someone with better electrical skills than me would eventually post the fundamental maths involved to prove/disprove the “No FireWire cuz it needs too much juice” theory that’s been bandied about.

The post was already too long, so I didn’t mention the possibility of using the Sony 4-pin FireWire connector, which doesn’t supply any power; it’s also much smaller, getting around some of the space argument too.

Still, it’d be a hassle needing an external power supply for those small portable FW drives; most of them don’t come with one. Also I’m not sure whether Apple would have to pay Sony for that.

As I also said previously, each extra USB connector would also need more space and power, though less (2.5W) than FireWire.

The snowball effect I was writing about is also very evident in the design of the MacBook Air. I’ve posted before about some aspects of this (I was wrong about it having fewer internal screws, though).

Just saw this: Japanese engineers trash MacBook Air. Here’s the original article in somewhat clumsy English. Some choice quotes:

“Can we say that the MacBook Air has a perfect, sophisticated external appearance, but its insides are full of waste?”

…

What astonished all those engineers was the fact that the computer had a very costly structure. For example, it used an extremely large number of screws to attach components. About 30 screws were used to attach the keyboard alone.

…

“When it comes to Japanese PC manufacturers, their manufacturing plants will complain or add their own technical efforts to lower cost, if a proposed structural design was insufficient,” one of the engineers said. “The MacBook Air gives me an impression that its manufacturing plant packaged the computer exactly as ordered by Apple.”

…

Based on the results of our teardown project, we guess Apple is not paying much attention to both workmanship of the hardware design and comprehensive cost reduction…The MacBook Air’s mysterious internal design might be a violent antithesis against Japanese manufacturing, which allows no compromise even in detailed parts of the hardware.

This is a very interesting insight into manufacturing. Can you imagine Steve Jobs’ reaction to somebody at the Air factory deciding to take out 25 of the 30 screws that hold the keyboard? Heads would roll!

No doubt all those screws (and the other things they considered “waste”) contribute to the Air’s extremely solid feel that’s remarked upon by everybody who has handled one. Contrast this to all the “this thing must be soo fragile” comments, just after the launch, by people who had not handled one. Obviously people are used to small electronic devices following the (apparent) Japanese practice of shaving off internal “waste” to save a little space and money and ignore the consequence of a flimsy feel… something that would be especially accentuated in such a thin device as the Air.

So, this article betrays a fundamental misunderstanding of Apple’s design strengths and intentions. Their definition of “workmanship and… cost reduction” is very different. From what I can tell, the Air was designed from the outset to be extremely thin and rugged, while maintaining adequate battery life and performance. These considerations snowball to the extent that the battery uses up 2/3 of the space, and seems to be (along with the keyboard) itself a structural element.

Everything else flows logically from that. To put in a FireWire connector means reserving resources for a 7W additional power drain – that’s 1A extra current at the 7.2V battery. It also means an extra power supply to jack this up to the 9 to 12V required at the connector, extra PCB traces, and so forth. The battery has a capacity of 37 watt-hours, meaning that at the rated duration of 5 hours, the average power draw is slightly over 7W; this would double when a FireWire drive is connected, meaning battery life would be only half, 2.5 hours. Also, the extra connector would mean widening the flip-down door and shaving off maybe 2cm off the battery on that side… more capacity reduction. The 45W external power supply would also have to be beefed up, and the internal charging circuitry as well… this means more heat dissipation. It would probably have been necessary to make the battery itself thicker, maybe 5mm or more.

Now look at a typical Ethernet connector; it’s thicker than the Air’s door, so some millimeters would have had to be added to the Air’s thickness, too; as well as taking the extra chunk out of the battery as well.

Same applies to an internal DVD drive. If it doesn’t work as a burner too, they’d have complained – but imagine the power requirements, or read the Lenovo x300 review; Lenovo engineers are very capable too, but they decided on different trade-offs. I have handled some other brands of small laptops from Toshiba and I must say I was unimpressed by the feel and finish.

Finally, imagine the Air with a removable battery. This means extra connectors, a case opening, of course with either a full-width extra wall (meaning at least 4mm extra thickness) or some heavy-duty latches (considering the battery is 2/3 of the size and a similar proportion of the weight of the Air). Consider the loss of rigidity that would imply, and the extra size and weight that would have to be “wasted” to counteract that.

So that’s my point. Any change in the Air’s design immediately snowballs into a larger, heavier, hotter and (probably) less solid-feeling machine. Jobs obviously thought it was worthwhile to concentrate on those aspects, and it’s rather shortsighted to conclude that “Apple is not paying much attention to … workmanship”.

Some more thoughts about the Air.

I finally saw the pertinent parts of the keynote and paid attention to the shots of the Air’s interior and of the main board. Wow, that thing is cramped; 2/3 of it is battery. There’ve been serious announcements of progress in battery technology and for the next years we can expect even slimmer machines and/or longer capacity; still, it seems that Apple now considers 5 hours (if real) as a good compromise between bulk/weight and battery life.

The Air no doubt makes use of Apple’s recent patent (sorry, no time to find a URL for it) for glueing together a precision-cast aluminum chassis – meaning very few internal mounting screws and posts, much tighter tolerances, and serious amounts of weight and dimensions shaved off, as well as better heat distribution. It also means that the case feels like a single unit; it’s significant that people who’ve handled the Air report that it feels very solid, not at all fragile like it looks. Especially the moveable port door is said to feel solidly reliable.

People calling for a removable battery no doubt are unaware that such a thing would mean a huge case opening, meaning extra ribbing elsewhere to counteract the rigidity loss, mounting screws and a good lock, what amounts to a double wall inside the unit when the battery is mounted, a pair of connectors and so forth. Meaning perhaps 200g extra in weight, 4mm in depth and $50 (at least) added to the bill of materials… all to accomodate maybe 10% of users who need an extra battery for flying tourist class?

I remember from my hardware design days how there are cascading design choices like this. Someone comes in and says “can’t we do such-and-such” and they fall off their chair when you explain the consequences. Another example is the much-bemoaned lack of peripheral ports. But consider FireWire. Yes, Apple pioneered FireWire and it’s a great technology… but check the power requirements:

…[it] can supply up to 45 watts of power per port at up to 30 volts…

That would be the entire 45W of the external power supply right there! Admittedly Apple’s other laptops already lower that to about half by supplying less voltage. For instance, the FireWire developer note says for MacBooks:

The MacBook’s six-pin FireWire connector provides unregulated 9 V to 12 V power with a maximum load of 0.75 A. Developers should design to use 7 W sustained power, or less.

Contrast this to the new MacPro, which can supply 18W per port (28W total on all four ports), and you see how laptop power design considerations are important. Supplying 0.75A to get the standard 7W on a FireWire connector would have meant larger board traces, probably a thicker board, an extra power supply chip for the higher voltage, extra dissipation, cooling… not worth it. Lowering that requirement to 5W or less would mean many external drives not working properly.

The same reasoning applies to USB. A standard USB port must supply 0.5A continuously at 5V – 2.5W. The new MacPro and the latest revisions of the laptops (including the Air) support a special high-power mode where one port can supply 1.1A (5.5W). This was meant originally to allow the keyboard to work as a powered hub, supplying the regular 0.5A on each of its ports. The Air probably needs it for its external DVD drive, although the USB Developer Note says this only works for the keyboard – and supposedly the Air’s external drive doesn’t work on other Macs. Time will tell, but here too an extra USB port would have meant beefing up the machine, though not as much as a FireWire port would have.

Somewhat more puzzling is the limitation of the 80GB 1.8″ drive, as there are larger drives sold in iPods. Either Apple is already supply-constrained for those, or the slight differences in thickness and power consumption are significant; in any event, I expect the Air’s next revision to offer larger drives. Same for RAM; coming back to the pictures of the main board, notice there’s no space for extra RAM chips, meaning that 4GB will only be possible when the next chip series doubles capacity. (And a RAM socket? With a door? Forget it.)

Finally, all this is a great opportunity for acessory makers; expect a 4-port USB hub (powered, of course) with built-in gigabit Ethernet and media slots, for instance. Even for Apple itself, it might be interesting if Time Capsule allowed a plug-in DVD drive for remote access; it would just mean a firmware update, but I suppose the Air’s drive would be too much for the Capsule’s power supply.