Maedus said:
Widgets must scare the hell out of you then. From what I would assume, iPhoto has it built in the application itself and basically all it does is send a request to an Apple server saying, "I'm iPhoto 5.0.4. Is there a higher version than me?" and Apple's servers go, "Yes, there's 6.0.0. Here's the details on it." Much like AdiumX telling me when I'm out of date or even Software Update. I cannot see this being a vulnerability unless Apple itself gets hacked and everything is rerouted, which in that case, I'd say everybody performing system updates would be screwed a lot worse than somebody's iPhoto asking if there is an update or not. All in all, I'd say a web browser even with antivirus and firewalls and javascript disabled and pop-ups blocked would be a bigger security risk than iPhoto asking if there's a higher version or not. Though I'm just spouting common sense off the top of my head, so I may be wrong. Take it with a grain of salt.
But as for this being intrusive and horrible and borderline adware, etc. I just have to say that while you may hate it, I like it. I like that AdiumX tells me when it needs updating so I don't have to keep checking their website. And I like that Apple does the same thing in case I don't have Software Update running automatically or checking only once a month, which I do because I'm on dial-up and sometimes that becomes a real nuisance when you're downloading something and Software Update keeps deciding to run when I least want it to. Plus, I might push off non-critical updates until there are enough of them to make a night of downloading them all, especially if any require restarts. So iPhoto notifying me will probably make me check Software Update and see what I need to download or see why I need to download it.
Also, if I didn't really keep up with how Apple releases things or read MacRumors, I might not have known iLife '06 was out already and I sure as heck wouldn't be checking the Apple Store every day to see when it's been released. Or maybe I wanted it but wasn't ready to purchase it yet and things got busy and I forgot it was even out, but I start up iPhoto and voilà, a notification and I remember I've been wanting it. And if I don't like it, I can always turn it off.
And I never hated Microsoft being helpful with reminding you to update or notifying you of something important. I only hate it when their "help" makes things harder or when they have a dialogue box that has the "Do Not Show Again" check box and you check it and yet the next time that situation occurs, that dialogue box comes up again asking you what you want to do and the "Do Not Show Again" is STILL checked! What I've always hated about Microsoft wasn't any of their software but the fact that they monopolized the market AND used their position of power to dominate the competition and to strangle any rivals. If they were a monopoly because their products were that good (or if people actually wanted them that much) and not because they used their money to buy out key personnel of their competition so that they can't compete or make it too costly to operate within their market, then I wouldn't hate Microsoft.
First of all, why on earth would widgets scare the hell out of me? In order to download a widget, the user must deliberately click a widget link on a webpage that is providing a widget in order for it to be downloaded and installed. Like downloading anything else, whether it's an application or a file or media content of some kind, it's a user-initiated action for a specific request to be performed that the user is obviously fully cognizant of.
However, in the first release of 10.4, which would automatically install widgets into the user's widgets folder without requiring further action from the user, the specter of the "evil widget" was raised, where theoretically an evil widget provider could install evil into a user's widget folder just by the user simply visiting a web page and not clicking anything. The theoretical evil widget would then begin to download itself in the background while you were just staring at the webpage. Even still, the evil widget would have several high hurdles to overcome before it could manage to do its nefarious work. First, even though it downloads in the background, Safari's download manager, which checks the content of files downloaded from the net, would warn that you are downloading an "application" and require via a dialog box that you approve before Safari would complete the download. Second, if the evil widget somehow made it past that barrier (or if you were using a browser other than Safari) the evil widget could only install itself into the widget folder. It couldn't automatically launch itself. The user would still need to visit the dashboard, then open the dashboard bar, then select the evil widget, and finally drag the evil widget into the dashboard where it was presumed that finally the evil widget would invoke unimaginable chaos and world-wide disorder.
Although the theoretical evil widget remained just that - theoretical - and nothing was ever released into the wild, eyebrows were apparently raised at Apple HQ, the result of which can be seen by the way widgets are handled from versions 10.4.2 to present. Now, any new non-Apple widget that is downloaded, regardless of what browser is used, is trapped inside a special security pane of Dashboard, where the user can initially review, examine, sample and test drive the widget. Then the user, via the security pane dialog, must accept the widget for it to be installed or send it to the trash. What, me worry?
The point here is an example of the level of security that so far has been one of OS X's chief hallmarks. Nothing installs itself and runs without the user's action and consent, whether it's by the user installing via drag and drop, or authenticating a software installation by administrator password, or by approving an application that's being launched on the system for the first time via a user dialog box.
I don't have an issue with the content of this iLife thing, I have an issue with how it got on my system. As I said before, this happened with Garageband 2, which is about the only iLife app I use. Garageband 2, like Garageband 1 before it, has no conceivable need to connect to the internet. There is nothing in Garageband 2 that is web-enabled or web-dependent. There is no automatic software update preference in Garageband. There is a manual software update check via a menu item in Garageband's application menu, but I've never run it once going back to Garageband 1. Nevertheless, suddenly the iLife ad showed up when I launched Garageband a few days ago.
I suppose an argument can be made that if a user checks a preference in an iLife application for automatic software update notification, then the door is wide open for the latest iLife 06 ads. I think it's a pretty poor argument overall, in that the honest, real world user expectation is notification of software updates for the software they own, not software versions they do not. But in the case of Garageband, the argument is dead on arrival, because there is no automatic software update notification feature. There is no "opt-in" of any kind, shape or form. So the question still remains, how did it get there? How did it bypass all of the hallowed security features of OS X, features that are designed and implemented to, among other things, prevent this sort of thing from happening in the first place? This is Windows type stuff, not OS X.
It doesn't matter how benign it is, or that others may view it (or excuse it) as desirable. That's not the point. I don't care that it was "just an ad." If you in any way care about the oft-touted security features of OS X, then you should care how this thing managed to compose and display its own unique window separate from all other running applications without any action at all on the part of the user. That's the issue.