Apple can’t (yet) stop you syncing a folder somewhere on the disk. Other services offer this feature - sync.com for example, which I switched to after Dropbox announced this change.
Dropbox wants to offer some features that are only available through Apple’s API. They want to be on the App Store. But they need to weigh that against what still is their primary feature, and literally how the product was described when sold. “A folder synchronized across all your devices.”
I am not a product manager, but I simply would not throw out my main feature and the thing that differentiates me in the market, in order to provide some features Apple wants, where the only difference between me and OneDrive is the icon.
I agree, but I think it’s important to point out: I believe the main feature they need is to sync the full file tree without having to download the actual files until needed. I don’t know how others do it, but I assume that you’d have to manually maintain mappings between a subtree in the cloud to one on disk, or alternatively run out of disk space if you want to have everything synced.
Non-techies will find it incredibly annoying to map individual subtrees leading to missing files, upfront sync costs when you need those, and running out of disk space. Dropbox cannot afford to simply throw their hands up and blame the users for not being technical enough.
That said, this hack (pretending your files are on disk) is arguably a fragile one, and perhaps shouldn’t exist in the first place (assuming it’s not a networked file system, which I believe it’s not). Or at the very least, they could have attempted to publish a standard. But if dropbox is just another proprietary piece of software running hacks, I can’t really blame Apple.
Why not? It's a very handy feature for a lot of users who don't have the disk space available to store their complete Dropbox folder. And it's much easier to understand and work with than manually managing selective sync.
Or at the very least, they could have attempted to publish a standard. But if dropbox is just another proprietary piece of software running hacks, I can’t really blame Apple.
Right. The issue is that you need to intercept file I/O to make transparent sync work. Dropbox did this before using a kernel extension, so that it can hook into the kernel kauth framework [1]. However, having third-party code running in kernel space is a huge liability, besides opening a huge possibility for state-sanctioned backdoors, it opens another venue for security vulnerabilities that give kernel-level access. So Apple decided that the kauth API should go (probably for other reasons), but more importantly that thirt-party kexts should go.
In general, I am very happy that Apple is on a mission to ban kexts, I don't want closed source third-party code to run in the kernel. However, it seems that Apple provides replacement userspace APIs, but is not really receptive to issues that developers have with them.
> In general, I am very happy that Apple is on a mission to ban kexts, I don't want closed source third-party code to run in the kernel
Will you still be able to run open-source or first party (for example, written by yourself) kernel extensions? Or will future macos versions require jailbreaks to get a real root permissions? Genuine question, I'm not too familiar with Apple products and I'm trying to understand why is this a good change. It looks like a limitation imposed on users.
FWIW, running code in the kernel is not "real root permissions", it's kernel-mode privledges, which are much different and arguably much more dangerous.
For my money, running custom kernel-mode code is not a concern. Apple is infatuated with remote device attestation for some reason though, so preventing OS modification is paramount for them right now. It's a limitation, but one that's hard to get mad about when Macbooks have a mostly-open bootloader.
To answer this question explicitly, it's currently possible to jump through some hoops to run kernel extensions, but Apple has been slowly tightening the requirements over the past few years. here's what Apple currently has to say about them.
> Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating system. Users should prefer solutions that don’t require extending the kernel and use system extensions instead.
"System extensions", in this context, refers to extensions that the OS loads into userspace. Apple is developing userspace extension APIs to perform actions that were traditionally handled by popular kexts. The File Provider API is one of these system extensions. Dropbox used to rely on a kernel extension to intercept file access. File Providers allow them to do the same thing, but, as evidenced by this article, there are limitations as to where the files can live, and there are some bugs.
So if the File Provider API is so bad, and it's sill possible to load kexts, why doesn't Dropbox continue to use a kext?
- In 2015, Apple updated the OS to require that kexts be signed by a certificate in the Apple Developer program. This allows Apple to decide who can sign kernel extensions, and allows them to revoke the signing certificate for individual extensions.
- In 2017, Apple updated the OS to require a multi-step user confirmation before installing a kext. This initially caused some headaches for system administrators automating the deployment of multiple machines, but eventually solutions to this were implemented.
- In 2020, Apple started shipping ARM-based Macs, and by default, they don't allow the loading of any third-party extensions. Instead, users have to go through a process to enable them, and this process can be disabled on managed machines. Here's how Apple describes that process.
> Kext management by the user requires a restart to recoveryOS to downgrade security settings. The user must press and hold the power button to restart into recoveryOS and authenticate as an administrator. Only when recoveryOS is entered using the power button press will the Secure Enclave accept the change of policy. The user must then select the checkbox Reduced Security and the option “Allow user management of kernel extensions from identified developers” and restart the Mac.
All of these requirements can also be bypassed (if the machine is unmanaged or the sysadmin allows it) by turning off System Integrity Protection, which is a similar process as described above. However, disabling SIP disables a lot of security protections in the OS, and turning it off shows a lot of scary dialogues to dissuade users from doing it.
And for most users, SIP is a good tradeoff. It protects against a lot of things that malware can do. It prevents code injection, so dtrace doesn't work with SIP on, but if you're not using dtrace, there's little reason to turn it off.
Either way, the process is complicated enough that not enough users will do it in order to provide a mass market for Dropbox. Apple is also pushing Dropbox to use the File Provider API with the implicit threat of revoking Dropbox's signing certificate for their kext. Apple will not issue signing certificates for products that can be implemented using the userspace system extensions instead, and it's likely that they will continue to restrict the loading of kexts further in the future. Even if users can disable the signing requirement by disabling SIP now, there's no guarantee Apple will allow that to work in the future.
What I find surprising is that Dropbox is apparently willing to just fit in the narrow space Apple has carved out for them.
Especially now, when companies are cutting their spend, this is an extraordinary misstep. If I am already paying for iCloud, Google Apps, or Office 365, I can get exactly what Dropbox offers for free, and better integrated with the other productivity apps.
So why exactly would anyone use Dropbox now? There is nothing to differentiate them.
It’s hard to see this as anything other than the beginning of the end for Dropbox.
So why exactly would anyone use Dropbox now? There is nothing to differentiate them.
Their sync is just must faster and they actually do block-level sync, which the other major providers still haven't implemented yet after over ten years. I understand why people go to the competition, but I think it's a mistake. The FAANG offerings just provide enough (especially disk space) to lure people into their ecosystems, but they don't really care much about file sync, and therefore they are all quite miserable.
It is a bit like Microsoft Teams. Companies choose Teams because they have an Office365 subscription for Microsoft Office anyway and it is cheaper than Slack. On the surface, Slack does not seem to have much of a competitive advantage anymore. So, if you are simply bean counting, it's clear that you should switch to Teams. But in the meanwhile, everyone using Teams feels miserable to be trapped in it.
Because the rest of the company is on Dropbox already, and it's easier to stay there than migrate everybody. Single personal-use accounts aren't their bread and butter.
> I believe the main feature they need is to sync the full file tree without having to download the actual files until needed. I don’t know how others do it, but I assume that you’d have to manually maintain mappings between a subtree in the cloud to one on disk, or alternatively run out of disk space if you want to have everything synced
I thought the whole point of file syncing software was to sync all files. If I do not have internet access, then would I not be guaranteed to use all the files in my Dropbox folder?
Dropbox wants to offer some features that are only available through Apple’s API. They want to be on the App Store. But they need to weigh that against what still is their primary feature, and literally how the product was described when sold. “A folder synchronized across all your devices.”
I am not a product manager, but I simply would not throw out my main feature and the thing that differentiates me in the market, in order to provide some features Apple wants, where the only difference between me and OneDrive is the icon.