Do not upgrade 10.3.2 (yet) or convert to APFS


luckyal

Haven't posted in some time, but thought this was important enough to give everyone a heads up. You've already seen posts on this forum that suggest caution when upgrading to APFS.

I've been following the newly discovered flaw in Intel and ARM chips (https://meltdownattack.com/), which has prompted Apple among other companies to issue patches that divorce kernel execution tasks from user specific data.

 

While Apple did include the following (https://support.apple.com/en-us/HT208394): "Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6," many companies are rightfully skeptical and have run extensive tests that produce results that say otherwise.

 

The slowdown appears to be in the overhead tasks and could possibly be mitigated in the future, but for the time being it's best if you don't take the plunge just yet. If you're already running APFS and macOS 10.3.2,

 

Credit:

https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/

 

If like me, you're already on APFS and 10.3.2, you will notice a significant difference in actual Logic performance. Even the most basic of Logic's instruments produce CPU spikes that I haven't seen in my old Late 2009 iMac. For the record I'm currently on a 2017 iMac running a 4.2GHz i7 Kaby Lake CPU. You have two options, deal with it and hope that Apple releases an update addressing the performance hit, or buy another hard drive, format it to HFS+ and install an older Sierra for now. I doubt you'll be able to use Migration Assistant to move all your apps, since HFS+ can't see APFS. Good luck!


If like me, you're already on APFS and 10.3.2, you will notice a significant difference in actual Logic performance. Even the most basic of Logic's instruments produce CPU spikes that I haven't seen in my old Late 2009 iMac. For the record I'm currently on a 2017 iMac running a 4.2GHz i7 Kaby Lake CPU. You have two options, deal with it and hope that Apple releases an update addressing the performance hit, or buy another hard drive, format it to HFS+ and install an older Sierra for now. I doubt you'll be able to use Migration Assistant to move all your apps, since HFS+ can't see APFS. Good luck!

 

The little pessimist devil in me: "Or wait for Apple to release their own overpriced new hardware you need to buy to run APFS smoothly!" :lol:

 

Thanks for the heads up. I will stick to El Cap as long as I can.


Thanks for the heads up. I will stick to El Cap as long as I can.

 

Same policy here. The only true concern I have this time, is that I'm forced (once again) to a trade off: security vs stability (and performance). Many times it's been features (or novelty) vs stability, which to me always was a no brainer: stability, of course. But Meltdown and Spectre are something else. I don't want to leave the El Cap "safe" ground, and by all means do not want to enter the APFS uncharted "terra incognita", at least not yet, and not for quite a while. But that forces me to an unsecured OS, and I also hate this. Apple isn't the direct culprit, but not patching any other OS than HS definitely is something I find very dissatisfying (to say the least).

 

Actually, I could accept a performance hit just to get some (better?) OS/CPU security, but being forced to embrace APFS just to get that, is what I hate. Definitely.

 

Just my two cents...


Thanks for the heads up. I will stick to El Cap as long as I can.

 

Same policy here. The only true concern I have this time, is that I'm forced (once again) to a trade off: security vs stability (and performance). Many times it's been features (or novelty) vs stability, which to me always was a no brainer: stability, of course. But Meltdown and Spectre are something else. I don't want to leave the El Cap "safe" ground, and by all means do not want to enter the APFS uncharted "terra incognita", at least not yet, and not for quite a while. But that forces me to an unsecured OS, and I also hate this. Apple isn't the direct culprit, but not patching any other OS than HS definitely is something I find very dissatisfying (to say the least).

 

Actually, I could accept a performance hit just to get some (better?) OS/CPU security, but being forced to embrace APFS just to get that, is what I hate. Definitely.

 

Just my two cents...

 

there's already a fix for meltdown etc in 10.13.2, supposedly refined in 10.13.3 (am on those betas). apfs is a file system, and soon enough, will be the default, as we move forward with mac os.

 

there is NO harm in playing it safe, and nothing wrong with moving forward either. every thing has consequences, but, at some point, you'll BE on high sierra, and having the same concerns, as apple promotes (for example) 10.15....

 

all i'm saying is the world is not static; YOU decide what os to stay on, what version logic etc... and eventually, you update, and the cycle repeats. for now, and in the foreseeable future, ALL os's will have bugs, issues, just as it's ALWAYS been. and that's the way it is in software...


i have some mental health issues (this explains a lot), but run all the betas, and update apps as soon as updates appear. i do this, then sort out any issues (and i've had to sort out quite a few). but that's my choice, i enjoy troubleshooting, resolving challenges, or finding workarounds.

 

everyone should do what's comfortable for them, and, most important of all, what allows them to do their actual work (ie running logic). either way, no matter what we do (or don't do), we'll all encounter issues, problems... hence these forums (and all the other tech forums). am grateful that this site is SO good, and david, eric, and the whole community, is SO good....


For years, I got the latest, the newest.. I stayed on the 'cutting edge of technology'.. Now I don't have enough blood left, time or patience to sort out surprise issues that pop up.. I play it safe and wait.. But to each his own..

 

i think all is well (or mostly well) about 85% of the time; there are always growing pains, but again... getting one's work done is always most important. like you said 'to each his own'...


 

(...) Meltdown and Spectre are something else. I don't want to leave the El Cap "safe" ground, and by all means do not want to enter the APFS uncharted "terra incognita", at least not yet, and not for quite a while. But that forces me to an unsecured OS, and I also hate this. Apple isn't the direct culprit, but not patching any other OS than HS definitely is something I find very dissatisfying (to say the least).

(...)

 

there's already a fix for meltdown etc in 10.13.2, supposedly refined in 10.13.3 (am on those betas). apfs is a file system, and soon enough, will be the default, as we move forward with mac os.

 

 

With all due respect Fisherking, I think you've missed my point (or at least reading your post makes me think so). Yes, I know the fix is already there, in 10.13.2, but that's precisely my point: only in 10.13.x, not in any "older" OS. And I'm aware Apple doesn't HAVE to update any older OS (although in the past, they have issued a number of security updates for older OSes, even after a newer one had been released). And as I wrote above, I don't blame Meltdown on Apple, they're not the culprit. But merely stating "the fix is already there, in 10.13.x" de facto forces users to update their OS if they want to get it. And updating forces to get APFS, no choice here, which, no matter what, is not safe yet IMHO. It may work like a charm for you, and it may well be tomorrow's standard, but today, it's still a brand new thing. Your own single user perfect experience is no robust, large scale statistics, and I'd usually wait for much longer (and much larger scale use of a new thing that is as critical as a file system) before I consider a novelty to be "proven enough", if you see what I mean. So...

 

there is NO harm in playing it safe

 

Yes, in this very instance there IS harm in playing it safe:

 

* Either I play it safe from a data/system/file system standpoint ("if it ain't broken, don't fix it" Policy), and stick to my current, proven 10.11.6, but then I'm UNSAFE from a security standpoint, thanks to Meltdown;

* Or I update to 10.13.2 to play it safe from a security standpoint and fix Meltdown, but IMHO I'm taking the chance to be UNSAFE from a data/system/file system standpoint because, among other things, APFS to me is not proven enough yet (not even to mention the risk I take that some of my hardware drivers would turn out to cause issues I did not experience so far).

 

This conundrum, coming from the fact that Apple considers things to be under control because the fix is in 10.13.2 (though not in older OS versions), is precisely my point.

Edited by Arnaud

The Meltdown and Spectre vulnerabilities have been there for many years, possibly having already been used by e.g. cyber units, and only now have made the news because some actual doable exploits that read kernel protected memory from user space (i.e. goodbye privacy, kernel isolation, user spaces, password security, etc) were demonstrated and published end 2017.

 

Meltdown breaks isolation by using cached kernel paging tables that Intel CPUs share with user paging tables. It can be remediated with a set of fixes called KAISER, at not-insignificant performance costs.

 

Spectre is a more universal punch-through that reads protected memory from user space by reading the CPU cache before it's cleared after an induced illicit read attempt. There's no known significant remedy at this time, short of major CPU redesign going back a decade. That's the bad one, especially if you consider how well the kids at Pwn2own 2017 were able to install a malicious payload that survives reboot onto all mainstream phones and laptops in spite of all the latest security updates. Once that's done (using traditional buffer overflows etc), a Spectre payload can go to work, reading any memory on the device and doing whatever it wants with it.

 

So, frankly, the alleged remedies are mostly cosmetic feel-good. People really shouldn't be connecting work machines to the Internet, because, if nothing else, that's how stolen data gets out. As people noted a while back, use a sacrificial clunker for mail and browsing. If you need to look something up, use a temporary remote desktop (VNC) session to the clunker, that's like handling toxic waste with gloves. Change passwords often, use an aggressive firewall AND firewall policy, and consider the worst-case scenarios. As to "smart" phones, we need to always consider them sieves and 24x7 surveillance devices we pay to carry around ;-) At meetings even 10 years ago it was standard to remove the battery. My phone has a removable battery, but funny how that's hard to come by nowadays.


@Arnaud

 

Have you seen this:

 

About the security content of Safari 11.0.2 - Apple Support

 

This is the equivalent of the 10.13.2 patch for 10.11 and 10.12.

 

Eric, thanks!

 

Nope, I had not seen this, and will definitely make sure I update Safari on all computers. This seems to mitigate the Spectre issue, but I think this is different from the Meltdown matter (which is supposedly sorted out with macOS 10.13.2 but not with earlier OS versions, thus the reason for my post). But anyways, thanks again, this is definitely helpful, aside from the Meltdown issue.

 

Cheers.


a vulnerability existing does not mean that you will be a victim of it. and again, software moves forward; there will always be bugs, issues, and... possible vulnerabilities. bugs get squashed (and new ones are created), patches are created... it's an endless cycle.

 

so, again, we ourselves move forward. or not.

 

when i say 'playing it safe' i mean, staying with what works. but at some point, everyone makes some sort of upgrade. i mean, who's still running 10.5?? yet, at that time, people were saying the exact same things: "I'll never upgrade my OS, everything works"...

 

so one day it's 2008, and then... it's 2018. progress happens, and there are always bumps in the road, but life goes on (and so do i....) :D


We choose, but it's good to step back and look at things with a little perspective. This has nothing to do with APFS per se, but with the update mania.

 

If I use tools in my work from a vendor of proprietary software and proprietary hardware to run it on, a full 180 degrees from "open systems", I'd be naive to consider everything they do as "progress". And IMHO it's not right to create the impression that progress with the latest software, which implies also upgrading compatible hardware, protects people from e.g. the big bad scary Spectre. And that folks should get back to business as usual, complacently surfing and chatting and feeding the marketing machine. THAT is great for Apple, and Amazon and Google etc, but not so great for us.

 

The responsible thing would be to tell people to not put all their trust in the latest and greatest, and to rather be less complacent and take additional steps to isolate their systems from the public Internet, because a hardware back-door has been discovered that, unlike garden variety OS and browser bugs, cannot be corrected at this time.

 

High Sierra or Yosemite or Snow Leopard are not the issue except inasmuch as you are lulled by the assurance of constant progress. See what I'm saying?


how does this apply to bugs or security risks discovered in older versions of the OS?

 

anyway, i know, for myself, i find nothing 'lulling' about constant progress; it's usually a rough mountain climb (i like that part). and, less than new features, what interests me is what happens 'under the hood'... there are fixes and enhancements that come with new software (along with, of course, new issues).

 

but, again, we're all free to choose our OS's, our apps, our path. we'll never be bug-free, or completely safe... just like in real life.


@fisherking I can sure relate to the love of adventure, I write code and design stuff. But I kind of want my car and coffee maker and musical tools to just work, with minimal exposure. My studio machines should be totally blocked from the Internet, but I'd sometimes get sloppy and allow connections beyond the local segment (needed for slave and file-sharing).

 

Studying the Spectre paper was a wake-up call, in fact THAT is an amazing "under the hood" story. I'm putting a lot more mindfulness into isolation now. There's no significant advantage in older or newer versions of the OS with regard to Spectre, it's not a software "weakness" or an exploitable bug that an OS or browser update can fix. Update away, pick the features vs. bugs as you wish, just don't believe that the latest makes you protected, or that the newest is always best.

 

20 years ago when I was working with banking networks, nobody would even dream of letting corporate databases, teller stations or ATM machines connect in any way to a public network, e.g. the banks ran their own cabling between data centers. My point is that in order to support e-commerce, we've grown overconfident in our progress, irresponsible and careless, and it's become a national security liability.


not sure i see where the dividing line would be; what things would you not want to just work? i want everything to work, and i enjoy moving forward boldly (or, some might say, carelessly). let me tell you how little i care about what anyone thinks... 8-)

 

i've always gotten my work done, even on betas, even with issues to work around; i've never missed a deadline.

 

so, really, all good; you go your way, i'll go mine. if we're each happy with our path, we're doing just fine...


@fernandreynaud: I see your point re: isolating your music system (computer, OS, soft, etc) from the Internet, and this was my case for a looooong time until fairly recently. But here's something practical for your consideration: you need a piece of software to be installed on that very specific music computer (say, LPX, whatever version) and to do that you need to get it through the App Store (and also get the additional downloadable stuff that comes with it, afterwards), so to do that you need an Internet connection to that very computer (not any other one), one way or the other. So you're no longer isolated. You can make it intermittent (only when you need it), but it's gonna be extremely cumbersome over time and anyways you're no longer fully isolated, you're no longer fully bullet proof, be it for a short while. That's modern life, and of course you can replace LPX with whatever 3rd-party piece of soft you need for your professional music life, that was only an example that speaks to all here. So you can't simply consider that the solution to safety is full isolation solely (though it's part of it of course), so you need to have a patched OS on that music computer even for the short while you need to be connected (not perfect, but better than nothing, I hope you'll admit), and if that patched OS is only the most recent one (my complaint here), you're forced to an update you would not have considered on that music computer otherwise. My whole point, which is neither to say that believing in patches solves it all (I'm not so naive, I think), nor to say that updating is better or worse than not updating in absolute terms, simply to say that the only more-or-less-good measure I can take as a user while my music computer is connected (which it must be at least from time to time), that is, ensure at least that I use a patched OS, forces me to an update that comes along with things I would not want to adopt (yet).

I just reinstalled my whole system (on High Sierra 10.3.2/LPX 10.3.3) with plugins and all, and i bought another fast external SSD where I keep my "crap" system which is testing grounds for new stuff.

 

I don't keep my main system locked out of the internet or anything because it's too limiting + i need to communicate via mail, send files all the time, and simply taking time to go to other system / bother with phone is too cumbersome

Also. Why would anyone wish to steal stuff from my computer is beyond me. Maybe when i have boatloads of money and someone actually WANTS to steal from me, I'll think different.


As @fisherking says, it's all good. Or not. Please forgive me these thoughts that arose in connection with software updates, where adopting High Sierra is I think premature.

 

@Arnaud and @plotki you make excellent points, and it's great that we can exchange experiences. Personally, I don't do e-mail or browsing on studio machines. It doesn't hurt to recognize different worlds. I for one am not enchanted at the idea that a man's domain is less a castle than a patch of street corner rubbish, ever wind-swept and sifted and sorted by bots and anyone on high who takes an interest -- to sell me stuff, if nothing else.

 

The Founding Fathers valued privacy enough to ban arbitrary searches in our country's core legal framework. I believe there was a reason, beyond the most pragmatic. It's been debated at length, but I rather side with those who consider civilized life impossible without a modicum of privacy, though of course it's never absolute, it's a matter of degree. I notice how it changes me. To each his own, with respect for everyone.


As @fisherking says, it's all good. Or not. Please forgive me these thoughts that arose in connection with software updates, where adopting High Sierra is I think premature.

 

@Arnaud and @plotki you make excellent points, and it's great that we can exchange experiences. Personally, I don't do e-mail or browsing on studio machines. It doesn't hurt to recognize different worlds. I for one am not enchanted at the idea that a man's domain is less a castle than a patch of street corner rubbish, ever wind-swept and sifted and sorted by bots and anyone on high who takes an interest -- to sell me stuff, if nothing else.

 

The Founding Fathers valued privacy enough to ban arbitrary searches in our country's core legal framework. I believe there was a reason, beyond the most pragmatic. It's been debated at length, but I rather side with those who consider civilized life impossible without a modicum of privacy, though of course it's never absolute, it's a matter of degree. I notice how it changes me. To each his own, with respect for everyone.

 

people say the same thing with each new OS: 'beware of 10.4!', 'don't upgrade to yosemite!', ad infinitum.

 

there's nothing wrong with being offline, or putting tape over your mac's camera, or... any sort of paranoia I MEAN cautious behavior. you can be bold, live in the real world, or hide out somewhere, seal up your mailbox, krazy glue the receiver to the phone; odds are, the world will find you all the same.
