Behind OS X’s modern face lies an aging collection of Unix tools

Note: This article has been heavily modified, as I was a total knucklehead and completely forgot about GPL v3—thanks to Geordie Korper for pointing it out in the comments. Basically, the cause of the aging Unix tools in OS X is GPL v3. I've updated the following table to include the license information. In every case but one (nano), GPL v3 is the license on the non-updated apps. So that's that…I'll leave this up, though, in case anyone's curious about this stuff.

As I covered recently, the version of bash that ships with OS X is quite old, and as such, is vulnerable to the recently-revealed bash security hole.

At some point, Apple will release an OS X update containing a patched version of bash. (Update released.)

So while Apple has patched bash, this version of the shell is simply ancient. Just how old is it? bash 3.2.53(1) is roughly seven years behind the current version, 4.3.25. Seven years is like, well, forever, in Internet time!

With that bash age gap in mind, I took a look at a number of common Unix apps—in both Mavericks and Yosemite—to see which versions were in use. Then I checked the same apps in MacPorts, a tool that makes it simple to install many Unix apps.

(MacPorts doesn't necessarily have the absolute latest version of every Unix app, but they do stay relatively current. For instance, they already have a patched version of bash that fixes the above vulnerability.)

The results were interesting, to say the least—many of the core Unix utilities in OS X are years and multiple versions behind their open source, er, sources. You can thank GPL v3 for that, as noted above (and covered in more detail below). But that still leaves the big question:

Does it matter?

That is, should we care that these tools aren't keeping up with their latest and (presumably) greatest versions? Is it a problem, or merely a statement that what we have works well enough for the majority of users? (For those who don't want to bother reading, my general opinion is no, it doesn't matter.)

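| Tool | Curr. License | Mavericks Version | Mavericks © Date | Yosemite Version | Yosemite © Date | MacPorts Version | MacPorts © Date |
|---|---|---|---|---|---|---|---|
| bash | GPL v3 | 3.2.51(1) | 2007 | 3.2.51(1) | 2007 | 4.3.25 | 2014 |
| curl | MIT/X | 7.30 | Apr 12 '13 | 7.37.1 | Jul 16 '14 | 7.38 | Sep 10 '14 |
| emacs | GPL v3 | 22.1.1 | 2007 | 22.1.1 | 2007 | 24.3.1 | 2013 |
| git | GPL v2 | 1.9.3 Apple Git-50 | May 9 '14 | 1.8.3.4 Apple Git-47 | Jul 22 '13 | 2.1.0 | Aug 15 '14 |
| grep | GPL v3 | 2.5.1 | Oct 29 '04 | 2.5.1 | Oct 29 '04 | 2.20 | Jun 3 '14 |
| man | Unknown | 1.6c | -- | 1.6c | -- | 1.6g | -- |
| nano | GPL v3 | 2.0.6 | Aug 24 '13 | 2.0.6 | Aug 24 '13 | 2.2.6 | Nov 26 '13 |
| openssl | Apache | 0.9.8za | Jun 5 '14 | 0.9.8za | Jun 5 '14 | 1.0.1i | Aug 6 '14 |
| perl | Artistic | 5.16.2 | 2012 | 5.18.2 | 2013 | 5.20.0 | 2014 |
| php | PHP | 5.4.30 | Jul 29 '14 | 5.5.14 | Aug 30 '14 | 5.6.0 | Aug 31 '14 |
| rsync | GPL v3 | 2.6.9 | 2006 | 2.6.9 | 2006 | 3.1.1 | 2014 |
| sqlite3 | Public Domain | 3.7.13 | Jul 17 '12 | 3.8.5 | Aug 15 '14 | 3.8.6 | Aug 15 '14 |
| ssh | BSD | 6.2p2 | 8 Dec '11 | 6.2p2 | 8 Dec '11 | 6.6.1p1 | 6 Aug '14 |
| sudo | ISC | 1.7.10p7 | Feb 27 '13 | 1.7.10p7 | Feb 27 '13 | 1.8.8 | Sep 29 '13 |
| tcsh | BSD | 6.17.00 | Jul 10 '09 | 6.17.00 | Jul 10 '09 | 6.18.01 | Feb 14 '12 |
| vi/vim | BSD | 7.3 | Aug 15 '10 | 7.3 | Aug 15 '10 | 7.4 | 10 Aug '13 |
| zsh | MIT | 5.0.2 | Dec 21 '12 | 5.0.5 | Jan 6 '14 | 5.0.6 | Aug 29 '14 |
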
Links to license definitions: Apache • Artistic • BSD • GPL v2 • GPL v3 • ISC • MIT/X • PHP • Public Domain

(Highlighted entries reflect tools that are getting updates in Yosemite.)

As you can see, most versions of the Apple-supplied tools are far behind the MacPorts versions (and some of those might even be older than current versions).

The question I have, and I'm not sure who at Apple might be willing or able to answer it, is this:

Are those versions really as old as they appear, or have some fixes and/or features been backported into older version numbers?

I know in at least one case that fixes have been backported: openssl 0.9.8za is not a "real" release, but one created by Apple (and released in OS X 10.9.5) that contains fixes for a number of CVEs (2014-0076, 2014-195, 2014-0221, 2014-0224, and 2014-3470). So openssl clearly gets some backported security updates.

But what about the other apps? Just looking at version numbers, I suspect that bash may also have such backported fixes—its version number is not identical in structure to the official release on MacPorts. But that leaves a huge number of tools that are simply old, apparently lacking both security and feature updates. And old is really old in many cases. Here's what that means for a few key tools I rely on.

bash

As noted earlier, OS X uses a very old version of bash—seven years older than the current release, and four years older than the release of bash 4.0. That release was a big one, with a huge number of changes and improvements.

As but one example, consider the help output for bash commands such as cd, history, etc. Here's what help dirs displays in the OS X version of bash:

And here's how it displays in the MacPorts version of bash:

There's no functional difference between the two dirs commands in terms of options, but the command's help is much easier to read in the newer version of bash. I may not use help much, but when I do, it's nice to have a well-formatted page to read.

The problem with updating bash yourself is that it's tied into the lowest levels of OS X. So while MacPorts makes it easy to install and run a newer version of bash for your own scripts, system-provided scripts and processes will still call the old bash. I've actually replaced all versions of bash, as I described yesterday, which is potentially very dangerous. So far, though, things are working normally.

I would expect Apple to patch the security hole in bash, but not to do so by giving us a 4.x version to install.

git

For those not familiar, git is a version control system; I don't use it myself, but know quite a few people who do. I bring it up here not because it's out of date (it's not), but because it's taking a step backwards in Yosemite. As of today, at least, the version of git in the latest developer preview is actually older than the version we have in Mavericks. (Note that Apple apparently ships a customized version of git, based on the Apple Git-50 designation in the version number.) I assume this is a temporary issue, and we'll see an updated version when Yosemite ships.

rsync

I use rsync a lot—it's an incredibly useful command line tool for syncing files across hard drives and to/from remote systems. I rely on it for my multi-drive, multi-site backup system. Version 2.6.9 (the current OS X version) was released in 2006—over eight years ago! The next version after 2.6.9 was 3.0, and it was released in 2008! Apple is over six years behind on the major version upgrade, and a further 10 updates have come out since 3.0; MacPorts is current at version 3.1.1.

There are a lot of new features in the rsync 3 release, many of which make the tool run faster and preserve more file data than its predecessor. So why hasn't OS X kept up with this release? Perhaps Disk Utility uses rsync in some manner? But if not, then why is it languishing? I've personally switched to the MacPorts installation, and have not had any issues with it.

emacs

Personally, I'm a BBEdit or vi guy, but I know a lot of folks who love and rely on emacs. The OS X version is seven years—and nine releases—from current. Tons of new features and bug fixes in those releases, including better Unicode support, along with some security patches. Does the OS X emacs have the security fixes? I have no idea, and I'm not sure how to tell. As best I can tell, emacs is a standalone tool (not integrated into any core OS X features), so why hasn't Apple given us a newer version in seven years?

sqlite

Apple uses sqlite for a number of database tasks, such as tracking Mail messages. Given how well it's tied into the system, perhaps it's not surprising that it's fallen behind the official releases. What is surprising is just how far behind it is—a full 22 releases since it was last updated. But then again, perhaps this is "if it's not broke, and we rely on it, don't fix it."

The good news is that sqlite3 is getting an update to nearly-current status in Yosemite.

ssh

This one surprises me—given how important security is in the remote connectivity services provided by openssh, I figured Apple would keep this one current. But unless they're hiding backported fixes in old version numbers, the stock version of ssh is roughly three years old, missing four fairly major updates (6.3, 6.4, 6.5, 6.6).

Are we really relying on an out-of-date version of ssh lacking key security updates? I've emailed Apple Security, asking if they can share anything about how they update ssh, but I'm not really expecting a response.

sudo

While sudo looks quite out of date, it's not quite as bad as it appears. That's because the 1.7 branch is the maintenance branch, which receives no new features, just bug fixes. Within the maintenance branch, there's only one newer release, 1.7.10p8. That release contains one security bug fix, though it doesn't appear to be a serious hole.

Those in search of new sudo features (is there a large number of such people?) can use MacPorts to install versions in the "current" 1.8.x tree, which does get new features.

The GNU GPL

Thanks Geordie Korper for commenting on the obvious, which I completely overlooked in my original posting: the likely cause of the aging code base is the GNU General Public License version 3. This is a new version of the license—released in June of 2007—that governs many open source apps.

As noted at the beginning of the article, it's clearly GPL v3 that's preventing many of these tools from being updated. Exactly what is it about the v3 license that scares Apple away? I'm not sure; some web searching seems to indicate that it might be related to the patent language in v3, which is there as a direct result of a Microsoft-Novell deal.

But who knows for sure…whatever the reason, Apple feels it can't legally include GPL v3 apps with OS X any more. And that's a shame, because some of these apps are very good. Thankfully, you can install newer versions yourself, with nothing more than some clicks and a bit of typing. How?

You can install newer versions of the above tools (and many other apps) via an OS X package manager. There are many to choose from; I personally use MacPorts, but there's also Fink and Homebrew. Pick the one that works best for you, and you don't have to live with Apple's ancient tools. These package managers not only make it easy to get new versions, they also keep them separate from the OS X versions, so as to not cause issues down the road.
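Because a package manager keeps its copies separate from the OS X ones, it is worth checking which copy an unqualified command name actually runs and how the two versions compare. The script below is an added example, not part of the original post; it assumes the OS-supplied tools live in /usr/bin and that MacPorts uses its default prefix /opt/local/bin, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed locations: OS-supplied
# tools in /usr/bin, MacPorts' default prefix /opt/local/bin.
SYS_DIR=${SYS_DIR:-/usr/bin}
PKG_DIR=${PKG_DIR:-/opt/local/bin}

# First dotted version token in a banner, e.g. "3.2.51" or "6.2p2".
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9][0-9a-z]*)+' | head -n 1
}

# Ask a binary for its version; ssh answers -V rather than --version.
tool_version() {
    for flag in --version -V; do
        v=$(extract_version "$("$1" "$flag" 2>&1 </dev/null)")
        [ -n "$v" ] && { echo "$v"; return 0; }
    done
    echo unknown
}

# Exit 0 when $1 is numerically older than $2, comparing dot-separated fields.
# Letter suffixes (p2, za) are dropped, so vendor patch levels and backported
# fixes are invisible here, exactly as they are to a reader of the banner.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        if (a !~ /^[0-9]/ || b !~ /^[0-9]/) exit 1
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p != q) exit (p < q ? 0 : 1)
        }
        exit 1
    }'
}

# One line per tool: both versions, plus the copy an unqualified name runs.
audit() {
    for t in "$@"; do
        sys=-; pkg=-; note=
        [ -x "$SYS_DIR/$t" ] && sys=$(tool_version "$SYS_DIR/$t")
        [ -x "$PKG_DIR/$t" ] && pkg=$(tool_version "$PKG_DIR/$t")
        version_lt "$sys" "$pkg" && note="(system copy older)"
        printf '%-8s system=%-9s pkg=%-9s runs=%s %s\n' \
            "$t" "$sys" "$pkg" "$(command -v "$t" || echo none)" "$note"
    done
}

# Usage: sh audit.sh bash rsync ssh emacs   (no arguments: define functions only)
if [ "$#" -gt 0 ]; then audit "$@"; fi
```
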

Wrapping it all up

So back to the big question: Does it matter?

Generalizing, I'm of the opinion it doesn't really matter. Most OS X users never venture near the command line, so the age of the bundled tools won't make any difference to them. As long as the GUI side of the OS does what they want, they'll be happy.

Taking off the generalist's hat, I'm curious as to how Apple handles security fixes for the older versions of these tools. If they're backporting them into the current release, but keeping the version number the same, that's a dangerous path to follow. (See how well that worked for GM?) Still, backporting means we at least have the security fixes; if they're not patching the releases, it's not good news. Maybe some day we'll see a version of the GPL that Apple can live with, but I doubt it—Apple is not exactly a poster child for the Free Software Foundation's mission.

11 thoughts on “Behind OS X’s modern face lies an aging collection of Unix tools”

    1. Oh wow, I totally forgot about GPL v3. I’m sure you’re right, and that’s why these tools are languishing.

      thanks;
      -rob.

  1. Newer doesn't mean better. A more fair comparison is to compare the versions against a long-term support enterprise Linux distro. Looking at Centos 7 (which should be equivalent to RHEL 7) I see.
    bash 4.2.45
    curl 7.29.0
    git 1.8.3.1
    perl 5.16.3
    sqlite 3.17.17

    So it seems Apple isn't necessarily behind when compared to a flagship Linux distro.

    1. What are its versions of emacs, grep, and rsync? Geordie hit the nail on the head, I think -- it's GPL v3 that's keeping Apple away from newer versions. I updated the article to reflect this fact, with a column showing the current license for each app. Those Apple lags on are all GPL v3.

      -rob.

      1. Just one minor note about grep.
        OSX is using BSD grep version 2.5.1-FreeBSD which is BSD licensed.
        The one in MacPorts is GNU grep using GPLv3 license

    2. Wouldn't it be more correct to compare to something like a desktop distribution rather than a server distribution? Maybe look at Ubuntu or Fedora Linux.

  2. clearly if you brought a mac to use emacs you're in the wrong side of things, and btw just because more code is added doesn't mean it's getting any better, more secure usable and stable..., take a look at gnome 3 or KDE... not to mention many commercial products out there...
    Probably no one dares to talk about debian and its wicked policy for stable packages...

  3. Richard Soderberg

    You can look at the Darwin repository for each major release of OS X [1] to see the source code they're using for certain tools. For instance, 10.9.5 OpenSSH at [2] contains a ChangeLog indicating that it's 6.2p2, which provides a base from which you could compare to upstream and see what changes have been made.

    [1] http://opensource.apple.com/
    [2] http://opensource.apple.com/release/os-x-1095/

    There are also historical comparisons available. 10.8 shipped OpenSSH-175 (5.9p1), 10.8.2 shipped OpenSSH-175.1 (5.9p1), and 10.9 shipped OpenSSH-186 (6.2p2).

    Comparing the 10.9 release date (2013-10-22) to the 6.2p2 release date (2013-05-16), it appears that they did import a relatively recent version of OpenSSH at that time.

    However, 10.10 contains OpenSSH-189 (6.2p2), so it seems they did not choose to upgrade major releases for the upcoming release. I am curious what changed from -186 to -189, but the Darwin source code for 10.10 won't be available until it's released.

    Food for thought!

  4. IANAL, but usually what companies avoid about GPL-3 is (a) the patent stuff and (b) the anti-tivoization clause.

    It's not just Apple BTW. A lot of companies have decided not to ship GPL-3'd software. Of course, the FSF thinks that's a success, so I doubt GPL-4 will be any "better" by corporations' metrics.

    GPL-3 is also the reason why Apple stopped updating GCC/libstdc++ beyond 4.2, invested in the development of clang/libc++ and finally removed GCC from OS X completely.

    To be honest, I welcome the new line of BSD- or similarly licensed tools that slowly replace the GPL-3 ones, but some GPL-3 tools are still invaluable for me at the moment.

  5. Your first sentence needs to be fixed.

    Time or version number had nothing to do with the bash exploit you're referring to. Even the newest version of bash you're comparing it to was vulnerable. Hence the term Zero Day.

    Don't get me wrong, I'd love it if I could just apt-get the most recent version of everything from an OSX command line as well, just... don't create straw men. Newer does not equal better.

    1. I wasn't trying to imply that newer = better, but merely that in this case, newer from macports = fixed security hole. The newest bash, at the time I wrote this, was indeed patched, so the sentence still makes sense to me -- what strikes you as wrong about it?

      -rob.

Comments are closed.