Slashdot Mirror


Apple's Mac OS X Update Breaks Perl

mir writes "It looks like if you use CPAN to install modules, Apple's latest security update might just have broken your Perl. According to Tatsuhiko Miyagawa 'The Security Update brings (old) IO.bundle with version 1.22 but your IO.pm has been updated to the latest 1.23 on CPAN shell. (But hey, 1.23 was released in 2006...Why do you bring that ancient version back, Apple!?)'."

38 of 264 comments

  1. Apple by Anonymous Coward · · Score: 3, Insightful

    "It just works"

    1. Re:Apple by telchine · · Score: 5, Funny

      Some would argue that Perl has been broken for a long time before Apple started meddling!

    2. Re:Apple by ThePhilips · · Score: 3, Informative

      This is not Apple's first blooper. Any OS vendor might have those.

      The question is how long it would take for Apple to fix that. In the linked blog post, the Fedora Perl issues actually took about a year to deliver a fix for RHEL.

      While compiling and using your own build of Perl (or using Fink) on Mac OS X is absolutely OK, under RHEL that might easily screw up your RH support contract...

      --
      All hope abandon ye who enter here.
    3. Re:Apple by Gadget_Guy · · Score: 5, Funny

      Oh, I see. I was under the impression that the phrase "It just works" was a synonym for something like "It simply works". Apparently it is a synonym for "It barely works".

      OK, that was a bit unfair. Every OS gets the occasional problem when doing updates. Assuming that there is a forthcoming fix in the near future, there is no need to obsess about it.

  2. Fighting over the same file by Ed+Avis · · Score: 5, Insightful

    Why are Apple's updater and Perl's CPAN shell both trying to update the same file? If the file's there as part of the Apple OS then only the OS's package manager should touch it, and Perl should leave it alone (installing its own version in /usr/local if necessary). It's exactly the same on Linux distributions: the CPAN shell doesn't try to mess with the system perl which is updated using rpm or dpkg.

    --
    -- Ed Avis ed@membled.com
    1. Re:Fighting over the same file by warren.oates · · Score: 5, Informative

      We don't exactly have "package managers" in OS X. The BSD side of OS X is only barely "maintained" at all, and then in some truly obscure and incoherent bubble-headed Cupertino fashion. Anything you really want to actually work with, you have to maintain yourself: PHP, Apache, rsync, ffmpeg, Perl -- all the seriously useful stuff like that you put into /usr/local and set your $PATH accordingly. You _cannot_ trust Apple not to break things.

      --
      Doh.
    2. Re:Fighting over the same file by 99BottlesOfBeerInMyF · · Score: 5, Insightful

      We don't exactly have "package managers" in OS X.

      Sure we do, a bunch of them. That's kind of the problem.

      Anything you really want to actually work with, you have to maintain yourself

      That's a bit of an overstatement. Anything you want a cutting edge version of you'd do well to install and maintain yourself outside of Apple's update path, but for most people just using the Apple installed versions is fine.

    3. Re:Fighting over the same file by pegdhcp · · Score: 4, Informative

      Why are Apple's updater and Perl's CPAN shell both trying to update the same file?

      Probably this is the real point, as mentioned in the TFA:

      "This is another reason why you shouldn't use Perl that comes from vendors," Miyagawa says. "Apple isn't any different from Fedora on this!"

      I might add Mandriva, SuSE and most others. Distribution managers want it to just run and be stable for users who do not want to know what is going on inside. If there is a need for messing with details, software originally packaged by the developer is the best alternative...

    4. Re:Fighting over the same file by Alrescha · · Score: 5, Insightful

      "Why are Apple's updater and Perl's CPAN shell both trying to update the same file? If the file's there as part of the Apple OS then only the OS's package manager should touch it, and Perl should leave it alone (installing its own version in /usr/local if necessary)."

      Why must we learn these lessons again and again? Back in the beginning of time (1983), we learned the following:

      Rule #1: Never change *anything* that [vendor] sends you

      Rule #2: Always keep your stuff separate from [vendor]

      (thank you Melinda)

      --
      ...bringing you cynical quips since 1998
    5. Re:Fighting over the same file by Ed+Avis · · Score: 3, Insightful

      On a modern Linux distribution, it's actually okay to modify stuff that the vendor sends you, provided you do it using the same infrastructure as the vendor. For example, on an RPM-based system, you can easily build and install your own local RPM packages, with dependencies and all that, and they integrate nicely with the vendor-supplied ones. I wanted a newer version of the Perl LWP library than was in Fedora 10, so I grabbed the source RPM, updated it and built my own RPM package which I installed. Fedora then won't overwrite this unless they push out an even newer LWP release. Exactly the same can be done with dpkg-based systems.

      If your vendor is incompetent, or you are paranoid and don't trust them, or some mixture of the two, then there may still be political reasons not to alter the vendor packages and instead put duplicate copies in a different directory. But nowadays there aren't always technical reasons why you shouldn't.

      --
      -- Ed Avis ed@membled.com
    6. Re:Fighting over the same file by 99BottlesOfBeerInMyF · · Score: 3, Informative

      Serious question. When they could use Debian instead, and given these problems, why does anyone use Apple servers?

      If you're a sysadmin, I imagine it is because you need one of the few bits Apple does better right now (like CalDAV) or some Apple specific technology to support Mac clients (Spotlight Server).

      If you're not a sysadmin, because you're looking for an easy to admin server that you don't need any real skills to get configured and keep running.

  3. Why does this "break" anything? by mi · · Score: 4, Insightful

    The Security Update brings (old) IO.bundle with version 1.22 but your IO.pm has been updated to the latest 1.23 on CPAN shell. (But hey, 1.23 was released in 2006...Why do you bring that ancient version back, Apple!?)'."

    The real question is (or ought to be), why does the 1-digit difference in the minor version number break things? If the 1.22 -> 1.23 change was important (as in interface-changing or something), shouldn't the new version have been named 1.3 or even 2.0?

    --
    In Soviet Washington the swamp drains you.
    1. Re:Why does this "break" anything? by Anonymous Coward · · Score: 5, Informative

      It's an XS module: They include components that are written in a language other than Perl, and have to be compiled against perl.

      Which means that if the perl binary they are pointing to changes, they break. The code itself is fine: You just need to recompile.

      Apple helpfully recompiled all the ones they shipped, so they would work. The only problem is for people who updated the modules that Apple shipped: They now have a mismatch between the Perl code that is running (that they updated) and the code that is compiled (that Apple shipped).

      Basically, you've got a library header and the library object. If the header and the object don't match exactly, you've got problems. No interface was changed, no major important pieces were changed, but now you've got 1.23 headers and a 1.22 object. Change one or the other, and everything will be fine again.
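
Added example, not part of the thread or of any commenter's post: a shell check for the mismatch described in the comment above, where the Perl-side version of an XS module no longer matches its compiled object. It relies on the version check perl performs when it loads the compiled half of a module; the function names, the PERL variable, the sample stderr text and the Example::XS module are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find XS modules whose .pm version and
# compiled-object version disagree, e.g. after a vendor update replaced one half.

# Read perl's stderr on stdin and print "<module> object=<ver> pm=<ver>" for
# every failed bootstrap version check. The .pm-side version is the token just
# before " at <file> line N", which covers both the "bootstrap parameter <ver>"
# and the "$Module::VERSION <ver>" wording of the message.
parse_xs_mismatch() {
    awk '
    $2 == "object" && $3 == "version" && $5 == "does" {
        pm = ""
        for (i = 6; i <= NF; i++)
            if ($i == "at") { pm = $(i - 1); break }
        if (pm != "") print $1, "object=" $4, "pm=" pm
    }'
}

# Load each named module in a fresh interpreter and report mismatches.
# PERL selects the interpreter under test (default: first perl on PATH).
# "|| :" keeps the loop going after a module fails to load.
probe_modules() {
    for mod in "$@"; do
        "${PERL:-perl}" -M"$mod" -e 1 2>&1 >/dev/null || :
    done | parse_xs_mismatch
}

# Post-update gate: returns 0 when every module loads without a version
# mismatch, 1 otherwise (the mismatches are written to stderr).
# Usage: xs_check IO Socket List::Util
xs_check() {
    report=$(probe_modules "$@")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report" >&2
    return 1
}

# Constructed sample of what a broken load prints; paths are placeholders and
# Example::XS with its version numbers is hypothetical.
SAMPLE_STDERR='IO object version 1.22 does not match bootstrap parameter 1.23 at /path/to/XSLoader.pm line 94.
Compilation failed in require.
BEGIN failed--compilation aborted.
Example::XS object version 0.10 does not match $Example::XS::VERSION 0.12 at /path/to/DynaLoader.pm line 253.'

# Demo on the constructed sample; prints:
#   IO object=1.22 pm=1.23
#   Example::XS object=0.10 pm=0.12
printf '%s\n' "$SAMPLE_STDERR" | parse_xs_mismatch
```

A reported line means the module has to be rebuilt against the current perl, or the .pm and the compiled object brought back to the same release, as the comment above says.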

    2. Re:Why does this "break" anything? by PerlDudeXL · · Score: 5, Informative

      This is a classic problem with most *nix distribution packages and CPAN usage. This is not Apple specific.

    3. Re:Why does this "break" anything? by fl!ptop · · Score: 3, Informative

      shouldn't the new version have been named 1.3 or even 2.0?

      from the IO.pm changelog:

      IO 1.23 -- Sat Mar 25 19:28:28 CST 2006

      • Adjust the regression tests to use t/test.pl when $ENV{PERL_CORE} is defined
      • Reduce number of calls to getpeername
      • Call qualify on format name passed to format_write. Bug reported by Johan Vromans
      • Reduce calls to getprotobyname/number. Patch from Gisle Aas
      • Remove references to file TEST used in core so appropriate tests are skipped during an install from CPAN
      • Add method say to IO::Handle
      • Performance improvement for IO::File::open
      • Don't warn about a directory being closed in the DESTROY

      looks to me like it's mostly bug fixes and optimization, and not a major rewrite (which would more likely warrant a major version change).

      --
      When you recognize love in another and realize how precious it is, everything else seems so insignificant.
  4. re: OS X and package management by King_TJ · · Score: 3, Informative

    Umm, what about Fink?

    http://www.finkproject.org/

  5. Re: OS X and package management by 1stvamp · · Score: 4, Informative

    Or MacPorts, formerly DarwinPorts: http://macports.org/

    --
    Wes
  6. Re:Apple: Breakin' a bunch of crap recently by elrous0 · · Score: 4, Funny

    All part of Apple's plan to ensure that no one can ever use a Mac for gaming.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  7. Use CPAN? You deserve to lose by Jay+Maynard · · Score: 4, Informative

    CPAN is the closest thing to DLL hell on Unix systems. Modules are updated willy-nilly. No attempt is made to preserve compatibility between versions, or between modules and their dependencies. A company I used to work for had to totally abandon a large program because it was impossible to keep it working in the face of CPAN-driven upgrades, even if they did manage to get it installed the first time (by totally bypassing CPAN).

    --
    Disinfect the GNU General Public Virus!
    1. Re:Use CPAN? You deserve to lose by Anonymous Coward · · Score: 3, Insightful

      This is certainly a comment by someone who doesn't understand a single piece of Perl, and how Perl developers work.

      CPAN *is* Perl, if you take it out, Perl has little more value than any other modern VHLL (python, ruby etc).

      The problem is that if you're going to develop a large system, you need both a development methodology and a maintenance methodology, if you don't plan those, "You deserve to lose".

      In a modern environment, like Debian, you manage all your CPAN dependencies as Debian packages, hopefully integrating them into the Debian main archive (through the pkg-perl group). That way, it will be easier to keep them up-to-date both in Debian and obviously in your machine later, where you will be able to do just an apt-get dist-upgrade to have that done.

      daniel

    2. Re:Use CPAN? You deserve to lose by Anonymous Coward · · Score: 4, Informative

      Huh? The opposite is true. CPAN, if anything, is more akin to a Linux distribution's package repository.

      Would you say the same thing about, say, Debian's apt-get and friends?

      Chances are you wouldn't, but that's exactly what CPAN's like. You have to use it correctly, though, and chances are that if you had trouble with it, you weren't.

      (In particular, you should not blindly install updates all the time when there's no need, without even so much as testing them on non-production systems first. Again, consider following the trunk of any Linux distro, package-wise - would you expect things that aren't part of the distro to never break when libraries etc. are updated and new versions installed? Of course not.)

    3. Re:Use CPAN? You deserve to lose by fl!ptop · · Score: 3, Interesting

      CPAN is the closest thing to DLL hell on Unix systems

      while i prefer centos for my production systems and don't use osx, i recommend implementing a solution i've found to work well. first, disable any rpmforge repos on your production machine. second, install new cpan stuff on your development server. test, then install on the production machine (if it passes the tests).

      if you need a cpan module that's not available from the regular repositories, or from rpmforge, *never* install anything from cpan using make, make all, etc. always make an rpm using the makerpm.pl script, and install that instead. and never, ever install anything that's a Bundle::somepackage. build all the dependent packages by hand using makerpm.pl instead.

      i've found that these methods help cool the 'dll hell' on my production machine. i rarely have any problems. i can't comment on how well this would work w/ a debian-based system that doesn't use rpm, however. not sure what kind of package management osx uses, either.

      --
      When you recognize love in another and realize how precious it is, everything else seems so insignificant.
    4. Re:Use CPAN? You deserve to lose by mabinogi · · Score: 3, Interesting

      CPAN _was_ an excellent thing - in 1997.
      Now, the GP is exactly right - it's a mess.

      You absolutely need to install the latest perl before you use it - because the perl (or the modules installed with it) installed with your OS is always too old for any particular module you want to install, and even then you have a chance that the module you want is either broken, or depends on a currently broken module.

      CPAN is the heart of perl, but that doesn't mean it's perfect. It seriously needs fixing.

      --
      Advanced users are users too!
  8. Re:Apple: Breakin' a bunch of crap recently by Colonel+Korn · · Score: 5, Funny

    Right. Let's see... Quicktime still works but the Sims 2 doesn't. Quicktime doesn't seem to break anything else, so logically, it MUST be Apple's fault. I think the rest of the Quicktime users who aren't playing the Sims 2 would disagree with your placement of blame. :)

    Brainwashed much? You're basically implying that if I hit you in the head with a hammer and you're knocked out, but the hammer, nearby mailbox, and tree are unharmed, that proves that the hammer isn't to blame - your head is.

    --
    "I zero-index my hamsters" - Willtor (147206)
  9. Scripting Languages not good for most applications by MrData · · Score: 3, Interesting

    In the flamebait but true category, this is further evidence why scripting languages are not suitable for most application development ... because they are much more brittle than a traditionally compiled application. True you can cite examples of traditionally compiled applications breaking due to missing dependencies, in which (like with this Perl example) the underlying deployment platform is at fault, but this type of problem is much more common with scripting languages (Perl, PHP, Python, etc), and vastly harder to debug and defend against.

  10. Super bad for Servers by geekmansworld · · Score: 5, Informative

    As an XServe administrator, Apple's cryptic security updates are really starting to get on my nerves.

    You would expect that, since it is based on multiple open-source projects that are freely available, Apple would push compiled updates through Software Update to its OS X Server users. Instead, they wait so long to patch things (like Amavis or the BIND patch for Dan Kaminsky's DNS bug) that I just get frustrated and apply the patch myself. Then, when an Apple Software Update does come down the pipe, I have to consider if installing it will break my configuration and land me in hot water with my boss when he can't get his e-mail anymore.

    Apple needs to decide if they're going to regularly and consistently update the open-source software that their Server OS runs. If not, leave it alone and let the users apply and configure updates. This wishy-washy, middle-ground, Jobsy-come-lately approach is just an annoyance and an inconvenience.

    1. Re:Super bad for Servers by ducomputergeek · · Score: 5, Interesting

      I love Apple laptops and desktops. Hate Xserve and I've found OSX-Server to be nothing to write home about. When I was an Apple Certified consultant, I saw a much higher than average failure rate with Xserve hardware. It got to the point to where we'd only deploy OSX-server on PowerMac/MacPro machines. I know some people love their OSX-server tools admin package. It is a pretty slick GUI. I will give them that. But really, I can do just about anything OSX-Server can on a default OSX install. And for the price, I can build reliable servers with FreeBSD a lot cheaper with the same functionality, and arguably even more functionality than OSX-Server.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    2. Re:Super bad for Servers by fuzzyfuzzyfungus · · Score: 3, Insightful

      The question isn't Apple vs. Microsoft, it is Apple vs. other Unixlikes. Why run OSX server rather than Solaris, one of the BSDs, or linux?

  11. Re: OS X and package management by SuperIceBoy · · Score: 3, Interesting

    Same here. I don't understand why I need the X11 sources compiled from fink just to get apache 2 and php.

    Not sure about on Mac, but on FreeBSD I define WITHOUT_X11 so that it doesn't do that.

  12. Re:Progress! by morgan_greywolf · · Score: 3, Informative

    Not to pick nits too much here, but

    1) Apple stopped using 5.25" FDDs well before the 1990s. Every Mac that came with a floppy drive from their inception in 1984 came with a 3.5" FDD.

    2) You can always buy a third-party CRT if you want a CRT on your Mac, iMac excepted (obviously). Aside from that, having used expensive color-calibrated displays and printers and so forth with high-end color management, etc., I'll let you all in on a big secret: There's no such thing as true color matching. The laws of physics don't allow for it (light vs. pigment).

    3) By the time most need to replace the battery in your notebook, it's usually time to get a new notebook. ;)

    4) Another big secret: It's perfectly possible to write clear, self-documenting code in Perl. It's only the fact that Perl programmers seem to refuse to do this that allows Python to exist ;).

  13. Didn't break my Perl, did break Catalyst by Kostya · · Score: 3, Insightful

    The update reverted Scalar::Util, which disabled the weak reference stuff needed by a lot of Catalyst libs. I just re-installed it and it worked again.

    But on all my new machines, I just use a local lib instead of the system stuff. I don't need sudo access and then the whole lib gets backed up by Time Machine. If you just upgrade the system perl, you have to re-do it every time you restore from a Time Machine backup (it doesn't copy system stuff as near as I can tell).

    Also, as some have observed, CPAN is a bad idea. I say this as someone who got screwed when Catalyst went to 5.7100 (I was at 5.7015). When I did a restore to a new machine, CPAN got all the new Catalyst libs and all my customizations blew up spectacularly.

    If you are doing serious Perl development on your local Mac, use a local lib and do not rely on CPAN to automatically handle your dependencies. Install things by hand or create a (perl) script to handle the deps for you. That's what we had to do, as we needed to make sure the module version we used matched our production systems--where we do NOT use CPAN and where we upgrade manually and with careful thought.

    --
    "Doubt your doubts and believe your beliefs." -- Switchfoot, Ode to Chin
  14. Re: OS X and package management by TJamieson · · Score: 5, Informative

    With MacPorts you can provide a keyword before installing to see what options an install might have.

    So for instance, for apache2 you might type:
    port install apache2

    to install. Before doing this, try:
    port variants apache2

    This should produce a list. Hopefully X11 is in there (I can't verify right now). Anyway, find any options you want to enable or disable, and reform your install to look like this:
    port install apache2 +enable_option -disable_option

    This will usually let you strip away a goofy dep like X11 from programs that don't really need it.

    --
    For the last time, PIN Number and ATM Machine are redundancies!
  15. Re:Apple: Breakin' a bunch of crap recently by Tokerat · · Score: 4, Informative

    Quicktime is used on the Mac for much more than just showing a video - converting sound and image files from any format to any format (the reason my program can play AIFF, wav, MP3, AAC, etc is because Quicktime converts it to a standard format for me). Therefore if the game is multiplatform like the Sims and all the sound effects are .wav files, Quicktime will probably be used as the standard API to convert them for playback.

    --
    CAn'T CompreHend SARcaSm?
  16. Hear Hear (for client, too)! by MisterSquid · · Score: 4, Informative

    Apple seems to have a separation between its left-brain UNIX underpinnings and its right-brain Quartz GUI.

    For example, with the last several Security Updates, which contain very little information about what all's rolled in, Apple modifies /etc/postfix/main.cf

    inet_interfaces = all

    to

    inet_interfaces = localhost

    This effectively breaks all Internet-accessible postfix installs. Now, the question is why does Apple apply this to postfix installations explicitly enabled as Internet-accessible? I can't think of any good answer for this except as part of some other bass-ackwards security measures Apple applies in a schizophrenic attitude to the server functions of its UNIX-based client OS.

    For another example, the AirPort Extreme Base Station prior to firmware 7.3.1 had a version of DMZ host (default host in Apple bizarro-world) that worked flawlessly. In April 2007 or thereabouts, Apple rolls out firmware 7.3.1, since which default host is broken only for BIND (UDP port 53) and all mail ports (587, 110, 995, etc) but works for WoW, BitTorrent, and all other ports. WTF?! If I set my router to designate one computer as the default/universal host, why is it still blocking certain ports that have to be opened using port mapping?

    This split-mind on UNIX vs. GUI seems to pervade Apple's mentality everywhere which is especially problematic to people like me that are not full-time developers but make extensive use of UNIX-layer services.

    Really stupid stuff, Apple. I wish you'd cut it out.

    --
    blog
  17. Re:Scripting Languages not good for most applicati by dodobh · · Score: 4, Informative

    No, this is a compiled language problem. The module is an XS module, and it has components written in C. The Perl update causes a mismatch between the library referenced by the user's compile and the system supplied one.

    Just another form of DLL hell.

    If this was a Pure Perl module, this issue would never have mattered. Scripting languages have the same problems as any compiled language when you break libraries.

    And if you are upgrading your base code in production without any form of testing, your code deserves to crash.

    --
    I can throw myself at the ground, and miss.
  18. Re:Scripting Languages not good for most applicati by shutdown+-p+now · · Score: 3, Insightful

    this type of problem is much more common with scripting languages

    I don't see how this follows in any way. Can you give some examples of why it would be more common for scripting languages? In this case, the compat problem is not with a Perl script, as I understand it - it's with a binary Perl extension that got linked against the wrong version of Perl library; so, really, it is rather an example of how brittle compiled stuff is...

  19. Only occurred if core system was modified by Killer+Eye · · Score: 3, Insightful

    This problem occurred only for people who updated their system's Perl distro via CPAN.

    A vendor is free to do what it wants in the part of the system it supports. This isn't new, it's been done for decades on Unix with the distinction between the /usr/local hierarchy (a.k.a. "your crap, not ours") and the rest of /usr (i.e. "our crap, not yours").

    People need to know that it's better to install customizations in /usr/local/lib/perl5, or even their home directory, than to fiddle with the vendor setup. This not only avoids vendor clobbering, but the separation is cleaner: mistakes are easier to contain and undo, you can easily test whether a problem is with your customizations or the vendor defaults, you don't necessarily need admin privileges, etc.

    --
    "Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
  20. Comparing Apple's Release Cycle to MS by aztracker1 · · Score: 4, Insightful

    That's funny... since 2000, MS has had two releases you'd have to pay to upgrade to... How many has Apple had? more than two... As for being constrained to the release cycle most new software runs in XP still... how much new Mac software runs in less than 10.3? not much.

    I actually like OSX, it has a consistent UI on a Unix core. But your arguments only show your ignorance. For the record I like different aspects of a lot of OSes. There are even parts of Vista I like (mainly the restructuring of the user paths... though would rather have an "ALL" user back, opposed to the new location for global settings). I like that Linux has a FLOSS mindset, even if the zealots can't find a balance with commercial software.

    I don't like a lot of the more politically minded decisions MS and others have taken. I find it ironic that Linux fanbois will use Samba, but ignore Mono because of patent concerns. Zealots from every corner are wrong, and spread FUD, it's what they do... the truth is generally somewhere in the middle.

    -- happy Windows, Linux, BSD & Mac User

    --
    Michael J. Ryan - tracker1.info