Rogue Amoeba
Tue, 01 May 2007

In short, this is why you should always use bundle IDs instead of names to search for an application in code.

What's happening in this screenshot is that Software Update is telling me it has a new version of Backup (Apple's Backup software for use with .Mac), because it's found an application called Backup in my Applications folder.

If you like, you can recreate this for yourself.

0) If you have Backup installed, move it out of the Applications folder. Make an archive of it in the Finder for safe-keeping, then delete the application itself.

1) Open Automator and create a new action[1].

2) Select Save As... from the File menu.

3) Call it Backup, set the File Format to "Application", and save it to your Applications folder.

4) Run Software Update and enjoy.

If you allow Software Update to install the new version of Backup, it will overwrite your custom Backup application. The end result? Data loss.

My friend Chris D. found this bug recently while creating a Backup action with Automator. Being new to the Mac, he was unfamiliar with Apple's Backup application (it's not installed by default in OS X 10.4) and so he simply called his backup action "Backup". He then saved it to the Applications folder so iCal could run it.

A few days later, Software Update ran and offered to update his battery firmware and Backup. Trusting Software Update (as I'm sure Apple desires), he went ahead with this update. It wasn't until his backup failed to occur that he took some time and figured out what had happened.

Fortunately, he smartly kept a backup of his own custom Backup application, which he'll need to rename now.

Apple engineers in the crowd can find this in Radar, bug #5174089.

Footnotes:
1. This can be as simple as you like; it really doesn't matter. Just drag a single item from the Action list, such as Find Address Book Items (the first item in the list), to the well on the right.

Posted by Paul

Comments


Rosyna
Tue May 1 15:51:27 2007

Looks like the problem comes from this file: http://swcdn.apple.com/content/downloads/55/23/061-2046/JK9rDwdF3vqNRDnGztWvZDnszttHPCQhVZ/061-2046.English.dist

Specifically,

volumeNeedsUpdate()

It's getting the bundle from an absolute path (paths are evil) and then it's getting the version from the path. Since the Automator doodad is version 1.0.3 and 1.0.3 is less than 3.1, it says there needs to be an update. Paths are evil.

The script should be checking the bundle id, before the version (or never checking the path at all).

What's funny about this, is it's making sure version is not NULL. But the _PadVersionString() is making sure that version is NEVER NULL.

Oh, since the CFBundle logic will think anything is a bundle, you can actually just place a folder named Backup.app in the Applications folder and get Backup.app for free.

What's neat is that this can be fixed server side and Apple can say, "Problem, what problem? Works for me"
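
The path-only check described in the comment above, next to a check that confirms the bundle ID before looking at the version, as an added example that is not part of the original comments or Apple's distribution script. The bundle identifiers, the in-memory `disk` table standing in for Info.plist lookups, the padding behaviour and the function names are assumptions made for illustration.

```javascript
// Added illustration. Identifiers below are assumed placeholders, not Apple's real values.
const PATH = "/Applications/Backup.app";
const EXPECTED_ID = "com.example.Backup";   // placeholder for the real product's bundle ID
const NEW_VERSION = "3.1";                  // version offered by the update (from the comment)

// Constructed stand-in for "read the Info.plist of whatever is at this path".
const disk = {
  realBackup:   { [PATH]: { CFBundleIdentifier: EXPECTED_ID, CFBundleShortVersionString: "3.0" } },
  automatorApp: { [PATH]: { CFBundleIdentifier: "com.example.automator.Backup",
                            CFBundleShortVersionString: "1.0.3" } },
  bareFolder:   { [PATH]: {} },             // a folder merely named Backup.app
  notInstalled: {},
};

// Numeric, component-wise comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Path-only logic as described: anything at the path counts, version is padded so never null.
function needsUpdateByPath(volume) {
  const bundle = volume[PATH];
  if (!bundle) return false;
  const version = bundle.CFBundleShortVersionString || "0";  // assumed padding behaviour
  return compareVersions(version, NEW_VERSION) < 0;
}

// Identity first: wrong or missing bundle ID, or a malformed version, means "not ours".
function needsUpdateById(volume) {
  const bundle = volume[PATH];
  if (!bundle || bundle.CFBundleIdentifier !== EXPECTED_ID) return false;
  const version = bundle.CFBundleShortVersionString;
  if (typeof version !== "string" || !/^\d+(\.\d+)*$/.test(version)) return false;
  return compareVersions(version, NEW_VERSION) < 0;
}

// Run both checks over every constructed volume.
function audit() {
  return Object.fromEntries(Object.entries(disk).map(([name, volume]) =>
    [name, { byPath: needsUpdateByPath(volume), byId: needsUpdateById(volume) }]));
}

console.log(audit());
```

Only the genuine bundle is offered the update by the ID-first check; the path-only check also matches the Automator application and the bare folder.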

Daniel Parks
Tue May 1 16:23:20 2007

Wow… just like Rosyna says, I created a folder called Backup.app in /Applications, ran software update, and now I have the real Backup. (Not that I actually want Backup.) It even starts up. I've never paid for .Mac.

Interesting that the comment in the file Rosyna linked to mentions Backup specifically — somehow I would have expected this kind of check to be in more general code.

David
Tue May 1 16:33:01 2007

You don't actually get the full version of Backup. If you run Software Update, it does install Backup. However, if you don't have a .Mac account signed in in System Preferences, it will only run in trial mode, limiting it to 100MB. Seems Apple are still reasonably smart.

Rosyna
Tue May 1 16:36:14 2007

Well, it is the full version, just the software itself does an additional check.

What's really funny... I just downloaded a 130meg update to Aperture using this same method (well, it requires you have an Info.plist file inside the folder...)

And this is generic code, the link I pasted is specifically for backup.app. It's a generated XML file. The server side includes includes for other stuff/common code based on what's in the other XML files I looked at.

Daniel Parks
Wed May 2 03:02:11 2007

Hm — I think there is a misunderstanding. The XML file seems to describe the update for Backup, and includes JavaScript to run to see if the update is applicable.

The JavaScript in the file has code that appears to have been written (perhaps “written” via copy & paste) specifically for Backup. I don't think the code was generated — the comment in volumeNeedsUpdate() includes the name of the application.

I would have expected something that every update does to be handled by more abstracted code.

Kind of academic, I suppose.

Looking at this again, I realize that I was being foolish. Apple isn’t stupid; software update is just a convenient tool to download and apply software updates — not full software packages. D’oh.

Nick
Wed May 2 07:09:57 2007

Software Update has always been very dumb in this regard.  In the early days of Mac OS X, it would leave bundle turds in /Applications if you moved any of the applications it expected to update.

Around 10.2, they developed a mechanism to update moved packages, but only if the update packager used it.  The Mac OS X team used it fairly reliably, but iLife and other Apple software failed frequently.  With iLife, the usual symptom was that a required update wouldn't be provided.

Mac OS X updates still fail from time to time; a security update to 10.4 left a Font Book turd in my /Applications folder because Font Book wasn't there.

