OS X is not ready for sandboxing

In my previous post, I talked a bit about the high-level approach Apple was taking to sandboxing and the problems therein. Sadly, Apple has not changed their position on this at all yet. So, for now, it appears we have to live with it. I've expected this, so I've been targeting Pear Note for Mac 3 (which just came out in beta) to work in a sandboxed environment. This means I've gotten familiar with dealing with sandboxing, which has led me to the conclusion that OS X is not ready for apps to be sandboxed.

To me as a developer, an operating system is primarily a set of frameworks, of APIs, of functionality provided to applications to let them work. OS X has a long history of providing some great frameworks, from Cocoa to QuickTime and more. These have primarily been developed before the days of sandboxing. So, it's no surprise that many of these made assumptions that cause them to malfunction in a properly sandboxed environment.

The good news is that Apple has a work-around. They call them temporary entitlements, and they allow you to grant your application broad access. So, I figured I would develop Pear Note 3 with a design that could work in a properly sandboxed environment. Then, when I encountered bugs in Apple's own frameworks, I would file those bugs with Apple and in the end grant myself broad temporary entitlements to get Pear Note to work while waiting for Apple to fix their bugs.

And that's what I did. Not surprisingly, I found several bugs. What surprised me was that when I gave myself the broad temporary entitlements, Pear Note still didn't work. One method from QTKit (-[QTMovie writeToFile:] in case you were wondering) fails even with full filesystem access granted. Worse, it does not generate a denial in the system log to give a clue as to why it isn't working. As you can probably guess, writing out audio/video is a pretty important thing for Pear Note, so this wasn't something I could just live without.

So, for now, Pear Note 3 is not sandboxed. If Apple doesn't fix bugs quickly or extend the March 1 deadline out, I'm not sure what I'm going to do. I've already done all the work to make Pear Note ready for sandboxing and would just have to throw a switch to turn it on, but I can't do that until Apple fixes at least this bug.

My point here is not that there's one bug preventing me from sandboxing my app, but that there are lots of bugs preventing developers from sandboxing their apps. Putting aside the debate about whether Apple should be mandating sandboxing and what classes of apps can't be run inside a sandbox, you're left with a bunch of apps that sandboxing was designed for that still can't use it yet because the OS frameworks aren't ready. Pear Note is not unique here, which is why you can look on your system today and see that almost no apps are sandboxed.

It reminds me a lot of when Apple added garbage collection to Objective-C in Leopard. I actually used garbage collection in the first version of Pear Note, but it quickly became apparent that some of Apple's own frameworks (notably QTKit) didn't behave well when used with garbage collection. Thankfully nothing prevented me from throwing out garbage collection until it was ready (which actually never happened). Apple's mandate will prevent us from waiting to use sandboxing until it is ready.

I hope Apple extends the deadline on sandboxing. More than that, I hope that Apple fixes the problems with older frameworks not working with sandboxing. QTKit/QuickTime haven't gotten much love lately, which makes me fearful that their sandboxing bugs may never be fixed.