I have turned off comments as it felt like things were about to turn ugly. There are other relevant posts to comment upon. Keep it on topic and no personal attacks, please. Thanks to everyone who contributed to a very interesting conversation/debate.
I was debugging a random crasher problem today and noticed that something called Smart Crash Reports appeared in the inventory of my Cocoa app’s list of frameworks and bundles.
As it turns out, Sandvox silently installs Smart Crash Report in ~/Library/Input Managers/ when it is launched. As an input manager, SCR is thusly loaded into every Cocoa app launched and subsequently uses various non-supported mechanisms to modify the behavior of said application.
Completely unacceptable. Sandvox is now gone from my system and will not return until this feature is “opt in” only.
I know that the whole Haxie thing has caused a bit of controversy in the community. I suppose I should outline my position before anyone tries to do it for me.
Bottom line: Haxies work by modifying the system to do things that it was either not designed to do or by enabling features that were disabled for a reason.
I cannot afford to work with a system in such a state; neither professionally nor personally. And if I did choose to run in such a state, I would not expect to be able to receive any kind of support from the operating system vendor or any third party application vendors.
Hell, I do run iPhoto with a hack installed. I lived by FlickrExport until Aperture was released. And it uses Smart Crash Reporter. Big difference: it links directly into the app and only modifies the one application.
It doesn’t matter how brilliant the mod authors are (and the Unsanity guys are really really smart), using such a mod, in effect, voids the warranty.
If you want to run with such things, go for it.
Update 1: Sandvox definitely did not indicate that it was going to install SCR when it was first launched. It gave a standard Beta disclaimer after it had already installed SCR.
Update 2: Responding to Rosyna of Unsanity:
1. SCR is *not* a haxie. It doesn’t use APE and therefore it cannot be a haxie.
OK. Sure. I admit it. I’m not up on the vocabulary of these things entirely. Haxies screw with the system in a similar fashion as the way an Input Manager (that really isn’t an Input Manager) screws with the system.
2. It uses completely supported methods by Apple and the Objective-C runtime to do what it does.
Supported how? Input Managers, method swizzling, class posing, and categories that override existing methods are all operations that can be done via publicly declared API, but that doesn’t make modification of the runtime behavior of existing applications a supported feature.
3. Sandvox asked you if you wanted to install it. You clicked yes. And now you’re complaining because you didn’t read the dialog?
Update: As others have tested, the app does not tell the user that SCR has been installed.
That an app would install something that modifies all other apps is really bad. That it would do so again and again after I rm -rf’d the thing it installed is inexcusable.
4. It doesn’t modify all applications. It *only* changes CrashReporter.app. However, due to a limitation in InputManagers, -init is still called. However, in an application that is not the CrashReporter, SCR does nothing. See http://www.unsanity.com/support.php?vf=32 for more information.
As an Input Manager, it will be loaded by every application. In and of itself, that is enough of an intrusion for it to be unacceptable to me. Maybe not for others and, as I said in the original post, to each his own.
The mere presence of an unknown dylib shoved into the applications on my system is problematic regardless of how many instructions it executes upon load.
It also sounds as if you’re saying that developers should not have access to crash logs and that it’s perfectly ok for there to be crashing bugs in an Application without the author ever finding out. Apple won’t send the crash logs to the developer, that’s why SCR exists.
I guess I should have outlined more of my position as that is certainly not what was intended.
It would be great if there were a universal solution via which all crash logs could be shared with all relevant parties. That would be truly awesome. But that solution hasn’t been presented yet. I have no idea why, though I would imagine that there are non-technical issues that may be rather significant.
Conceptually, SCR is an incredibly valuable tool. The implementation is problematic. It modifies an existing mechanism on the system for which modification is not supported. If Apple were to change crash reporter significantly in any random update, the interaction of the two could break one or the other completely.
A less intrusive solution would be a standalone implementation of a crash reporting and report delivery tool that does not work by modifying existing system behavior. It isn’t that hard to do and others have done so. Hell, I wrote just such a product many many years ago.
(comments re-enabled for now. keep it polite and technically relevant, please)
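
An inventory check for the mechanism discussed above, as an added example that is not part of the original post or of any product it mentions: it lists the executable code inside bundles sitting in the Input Manager directories, which is what gets loaded into Cocoa apps. The function names are hypothetical, and the script assumes the directory may appear either as written in this post ("Input Managers") or unspaced ("InputManagers"), so it checks both, system-wide and per-user.

```shell
#!/bin/sh
# Added example: inventory code that Input Manager bundles would inject.
#
# list_input_manager_code ROOT HOME_DIR
#   ROOT     filesystem prefix ("" for the live system, or the mount point
#            of a disk image / backup being examined)
#   HOME_DIR the user's home directory as an absolute path
# Prints one path per line for every file found under
# <something>.bundle/Contents/MacOS/ in an Input Manager directory.
list_input_manager_code() {
    root=$1
    home=$2
    for dir in \
        "$root/Library/InputManagers" \
        "$root/Library/Input Managers" \
        "$root$home/Library/InputManagers" \
        "$root$home/Library/Input Managers"
    do
        if [ -d "$dir" ]; then
            # A bundle's loadable binary lives in Contents/MacOS/.
            find "$dir" -type f -path '*.bundle/Contents/MacOS/*' -print
        fi
    done
}

# count_input_manager_code ROOT HOME_DIR
#   Prints the number of files reported by list_input_manager_code.
count_input_manager_code() {
    list_input_manager_code "$1" "$2" | grep -c . || true
}

# Live system, current user: anything printed here was put there by some
# installer and is worth tracing back to the app that installed it.
list_input_manager_code "" "$HOME"
```

Running it before and after launching a newly installed application shows whether that application added anything to these directories.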