Mac OS X 10.7: the Ars Technica Review

Foreword

Mac OS X 10.7 was first shown to the public in October 2010. The presentation was understated, especially compared to the bold rhetoric that accompanied the launches of the iPhone ("Apple reinvents the phone") and the iPad ("a magical and revolutionary device at an unbelievable price"). Instead, Steve Jobs simply called the new operating system "a sneak peek at where we're going with Mac OS X."

Behind Jobs, the screen listed the seven previous major releases of Mac OS X: Cheetah, Puma, Jaguar, Panther, Tiger, Leopard, and Snow Leopard. Such brief retrospectives are de rigueur at major Mac OS X announcements, but long-time Apple watchers might have felt a slight tingle this time. The public "big cat" branding for Mac OS X only began with Jaguar; code names for the two earlier versions were not well known outside the developer community and were certainly not part of Apple's official marketing message for those releases. Why bring the cat theme back to the forefront now?

Steve Jobs presents the first seven releases of Mac OS X in a slightly unusual format

The answer came on the next slide. The next major release of Mac OS X would be called Lion. Jobs didn't make a big deal out of it; Lion's just another big cat name, right? Within seconds, we were on to the next slide, where Jobs was pitching the new release's message: not "king of the jungle" or "the biggest big cat," but the "back to the Mac" theme underlying the entire event. Mac OS X had spawned iOS, and now Apple was bringing innovations from its mobile operating system back to Mac OS X.

Apple had good reason to shy away from presenting Lion as the pinnacle that its name implies. The last two major releases of Mac OS X were both profoundly shaped by the meteoric rise of their younger sibling, iOS. Leopard arrived later than expected, and in the same year that the iPhone was introduced. Its successor, Snow Leopard, famously arrived with "no new features," concentrating instead on internal enhancements and bug fixes. Despite plausible official explanations, it was hard to shake the feeling that Apple's burgeoning mobile platform was stealing resources—not to mention the spotlight—from the Mac.

In this context, the name Lion starts to take on darker connotations. At the very least, it seems like the end of the big cat branding—after all, where can you go after Lion? Is this process of taking the best from iOS and bringing it back to the Mac platform just the first phase of a complete assimilation? Is Lion the end of the line for Mac OS X itself?

Let's put aside the pessimistic prognostication for now and consider Lion as a product, not a portent. Apple pegs Lion at 250+ new features, which doesn't quite match the 300 touted for Leopard, but I guess it all depends on what you consider a "feature" (and what that "+" is supposed to mean). Still, this is the most significant release of Mac OS X in many years—perhaps the most significant release ever. Though the number of new APIs introduced in Lion may fall short of the landmark Tiger and Leopard releases, the most important changes in Lion are radical accelerations of past trends. Apple appears tired of dragging people kicking and screaming into the future; with Lion, it has simply decided to leave without us.


About the Author

John Siracusa has a B.S. in Computer Engineering from Boston University. He has been a Mac user since 1984, a Unix geek since 1993, and has spent the last decade as a professional web developer and freelance technology writer. When he's not destroying the Ars Technica CMS with 45,000-word articles, John enjoys gaming, exercising his TiVo, writing open source software, and pining for the pizza and bagels of his childhood home of Long Island, NY. John lives in Newton, Massachusetts with his wife, two children, and an attic full of classic Mac and NeXT hardware.

• Find John Siracusa on Twitter: http://twitter.com/siracusa

About Ars Technica

When Hippocrates said that "life is short, art is long," he did not mean that art outlives the artist. The "father of medicine" instead diagnosed a basic fact of life: true art or skill takes a lifetime of effort to perfect, and the path is fraught with "occasional crises, perilous experiences, and difficult judgments." Technology is the "art" at the forefront of our changing world, and we're here to help it all, even the difficult judgments.

At Ars Technica—the name is Latin-derived for the "art of technology"—we specialize in original news and reviews, analysis of technology trends, and expert advice on topics ranging from the most fundamental aspects of technology to the many ways technology is helping us enjoy our world. We work for the reader who not only needs to keep up on technology, but is passionate about it.

We at Ars take great pride in our unique combination of technical savvy and wide-ranging interest in the human arts and sciences. Our editorial team is at home on Linux, Mac, and Windows; they know both the home and the enterprise; they understand law and politics; and they specialize in bringing readers the right answer, the first time. It's no wonder that Ars has become a "go-to" destination for those who need to sift the wheat from the chaff.

Ars Technica is also unique in a number of ways. We are a proud leader in conversational media, a new and exciting answer to the reader's need and desire for fresh voices, informed reporting, and reader engagement. Ars writers aren't afraid of wit or strongly-held opinions, and readers find both on display throughout our work. But at Ars, "opinion" never devolves into dogma; we strive for measured judgments and carefully relayed contexts. Those who come to Ars looking for computing religion won't find it, and that's why millions of readers trust our take on the day's tech news and look forward to our original reporting.

Then there's our formidable community. While "community" has lately become a Web buzzword, Ars has been building a real online community since its founding over eight years ago. We encourage reader feedback and participation in conversation via discussion on every article, as well as in the renowned Ars OpenForum—one of the Internet's true treasure troves, and one of the largest, documented community databases of tips, technical help, and camaraderie on the planet.

It was once said that sine scientia ars nihil est, that is, "without knowledge, art is nothing." We agree, but there's also a corollary: sine ars, scientia nihil est.

Find Ars Technica elsewhere on the web:
• Twitter: http://twitter.com/arstechnica
• Facebook: http://facebook.com/arstechnica


Table of Contents

Installation
Reconsidering fundamentals
Lion's new look
Scroll bars
Window resizing
Animation
Here's to the crazy ones
Window management
Application management
Document model
Process model
The pitch
The reality
Internals
Security
Sandboxing
Privilege separation
Automatic Reference Counting
Enter (and exit) garbage collection
Cocoa memory management
Enter ARC
ARC versus garbage collection
ARC versus the world
The state of the file system
What's wrong with HFS+
File system changes in Lion
File system future
Document revisions
Resolution independence
Applications
The Finder
Mail
Safari
Grab bag
System Preferences
Auto-correction
Mobile Time Machine
Lock screen
Emoji
Terminal
About This Mac
Recommendations
All that you can't leave behind
Credits
Copyright Information

A brief note on branding: on Apple's website and in some—but not all—marketing materials, Apple refers to its new Mac operating system as "OS X Lion." This may well turn out to be the name going forward, but given the current state of confusion and my own stubborn nostalgia, I'm going to call it "Mac OS X" throughout this review. Indulge me.

Installation

Lion's system requirements don't differ much from Snow Leopard's. You still need an Intel-based Mac, though this time it must also be 64-bit. The last 32-bit Intel Mac was discontinued in August of 2007; Apple chose a similar four-year cut-off for dropping PowerPC support, with minimal customer backlash. Time marches on.

But sometimes time marches on a bit too fast. Though this is the second version of Mac OS X that doesn't support PowerPC processors, this is the first version that won't run PowerPC applications. In Snow Leopard, the Rosetta translation engine allowed PowerPC applications to run, and run well, often faster than they ran on the (admittedly older) PowerPC Macs for which they were developed. Lion no longer includes Rosetta, even as an optional install.

No one expects eternal support for PowerPC software, and any developer that doesn't yet have Intel-native versions of all its applications is clearly not particularly dedicated to the Mac platform. Nevertheless, people still rely on some PowerPC applications. For example, I have an old PowerPC version of Photoshop. Though Photoshop has long since gone Intel-native, it's an expensive upgrade for someone like me who uses the program only rarely. The PowerPC version suits my needs just fine, but it won't run at all in Lion. Another common example is Quicken 2007, still the most capable Mac version of Intuit's finance software, and still PowerPC-only. This is clearly Intuit's fault, not Apple's, but from a regular user's perspective, it's hard to understand why Apple would remove an existing, completed feature that helped so many people.

In reality, every feature has some associated maintenance cost. This is perhaps even more true of a binary translation framework that may have deep hooks into the operating system. I'm willing to give Apple the benefit of the doubt and assume that disentangling PowerPC-related code from the operating system once and for all was important enough to justify the customer inconvenience. But it still stings a little.

The future shock continues with the purchase and installation process. Lion is the first version of Mac OS X to be distributed through Apple's recently introduced Mac App Store. In fact, the Mac App Store is the only place where you can buy Lion.


Apple's decision last year to sell its iLife and iWork applications through the Mac App Store was not unexpected, but the presence of Apple's professional photography application, Aperture, caught some people off guard—as did its greatly reduced price ($80 vs. $200 for the boxed version). The developer preview releases of Lion were also distributed through the Mac App Store. Apple's developer releases have been distributed digitally for many years now, but the switch from downloading disk images from Apple's developer website to "redeeming" promo codes and downloading new builds from the Mac App Store raised some eyebrows. When Apple announced that its new Final Cut Pro X professional video editing application would—you guessed it—be distributed through the Mac App Store, and at a greatly reduced price, even the most dense Apple watchers started to get the hint.

And so we have Lion, priced at a mere $29 (the same as its "no new features" predecessor), available exclusively through the Mac App Store. It's an audacious move, yes, but not unexpected. Apple is so done with stamping bits onto plastic discs, putting the discs into cardboard boxes, putting those boxes onto trucks, planes, and boats, and shipping them all over the world to retail stores or to mail-order resellers who will eventually put those same boxes onto a different set of trucks, trains, and planes for final delivery to customers, who will then remove the disc, throw away the cardboard, and instruct their computers to extract the bits. No, from here on out, it's digital distribution all the way. (This, I suppose, marks the end of my longstanding tradition of showing the product boxes or optical discs that Mac OS X ships on. Instead, you can see the installer application icon on the right.)

Lion is a large download and fast network connections are still not ubiquitous.
But new Macs will come with Lion, so the most relevant question is, how many people who plan to upgrade an existing Mac to Lion don't have a fast network connection? The class of people who perform OS upgrades probably has a higher penetration of high-speed Internet access than the general population. I also suspect that Apple retail stores may be willing to help out customers who just can't manage to download a 3.76GB installer in a reasonable amount of time. In the meantime, if you're reading this, chances are good that you have a fast broadband connection; feel free to stop reading right now, launch the Mac App Store, and start your multi-gigabyte download before continuing. What you'll be rewarded with at the end is an icon in your Applications folder labeled "Install Mac OS X Lion."


Once you have the installer application, you could (were you so inclined) dig into it (control-click, then Show Package Contents) and find the meaty center, a 3.74GB disk image (InstallESD.dmg, stored in the Contents/SharedSupport folder). You could then use that disk image to, say, burn a Lion installation DVD or create an emergency external boot disk. I doubt any of these things are officially supported by Apple, but the point is that there's nothing exotic about the Lion installer. Like all past versions of Mac OS X, Lion has no serial number, no product activation, and no DRM of any kind.

In fact, the Mac App Store's licensing policy is even more permissive than past releases of Mac OS X. Here's an excerpt from Lion's license agreement:

    If you obtained a license for the Apple Software from the Mac App Store, then subject to the terms and conditions of this License and as permitted by the Mac App Store Usage Rules set forth in the App Store Terms and Conditions (http://www.apple.com/legal/itunes/ww/) ("Usage Rules"), you are granted a limited, non-transferable, non-exclusive license: (i) to download, install, use and run for personal, non-commercial use, one (1) copy of the Apple Software directly on each Apple-branded computer running Mac OS X Snow Leopard or Mac OS X Snow Leopard Server ("Mac Computer") that you own or control;

The references to Snow Leopard are a bit confusing, but keep in mind that you need Snow Leopard to purchase and download Lion for the first time. I suspect the license agreement will be updated once Lion has been out for a while. There's also another interesting clause in the license, from that same section:

    (iii) to install, use and run up to two (2) additional copies or instances of the Apple Software within virtual operating system environments on each Mac Computer you own or control that is already running the Apple Software.

Putting it all together, Apple says you're allowed to run up to three copies of Lion—one real, two inside virtual machines—on every Mac that you own, all for the low, low price of $29. Not a bad deal.

The installer itself is dead simple, foreshadowing the pervasive simplification in Apple's new OS. There are no optional installs and no customization. The only response the user provides is agreeing to the obligatory EULA, and the only configurable install parameter is the target disk.

But wait a second—how exactly is this going to work? Surely an entirely new operating system can't be installed on top of the currently running operating system by an application stored on the same volume. Without a plastic disc to boot from, how is it even possible to upgrade a standalone Mac with just one hard drive?

These questions probably won't occur to an average consumer, which is sort of the point, I guess. Sure enough, if you just close your eyes, launch the installer application, and click your way through the handful of screens it presents, your Mac will reboot into what looks like the standard Mac OS X installer application from years past. When it's done, your Mac will reboot into Lion. Magic!

Okay, it's not magic. The answer is actually technically obvious, but also quite unprecedented in the Mac's history. Once you've selected the target disk, the Lion installer application will repartition the disk, carving out a 650MB slice of the disk for its own use. Don't worry, all existing data on the disk will be preserved. (Mac OS X has had the ability to add partitions to existing disks without destroying any data for many years now.) All that's required is enough free space to reshuffle the data as needed to make room for the new partition.

Here's an example from my testing. I started with a single 250GB hard drive split into two equal partitions: the first named "Lion Ex," currently running Snow Leopard, and the intended target of the Lion install, and the second named "Timex," the Time Machine backup volume for Lion Ex. The output from the diskutil list command appears below.

    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *250.1 GB   disk1
       1:                        EFI                         209.7 MB   disk1s1
       2:                  Apple_HFS Lion Ex                 125.0 GB   disk1s2
       3:                  Apple_HFS Timex                   124.6 GB   disk1s3

Now here's that same disk after installing Lion, with the new partition highlighted:

    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *250.1 GB   disk1
       1:                        EFI                         209.7 MB   disk1s1
       2:                  Apple_HFS Lion Ex                 124.5 GB   disk1s2
       3:                 Apple_Boot Recovery HD             654.6 MB   disk1s3
       4:                  Apple_HFS Timex                   124.6 GB   disk1s4

The new partition is actually considered a different type: Apple_Boot. The Recovery HD volume won't be automatically mounted upon boot and therefore won't appear in the Finder. It's not even visible in the Disk Utility application, appearing only as a tiny blank space in the partition map for the disk. But as shown above, the command-line diskutil program can see it. Diskutil can mount it too. Doing so reveals the partition as a normal HFS+ volume. The top level contains a directory named com.apple.recovery.boot which in turn contains a few small files related to booting along with an invisible 430MB internally compressed disk image file named BaseSystem.dmg.

Mount that disk image and you find a 1.52GB bootable Mac OS X volume containing Safari, most of the contents of the standard /Applications/Utilities folder (Disk Utility, Startup Disk, Terminal, etc.), plus a Mac OS X Lion installer application. In other words, it looks a lot like a standard Mac OS X installer DVD.

This is the partition that the Mac will boot from when you install Lion. The files to install will be read from the Lion installer application downloaded earlier from the Mac App Store. After the installation is complete, the Recovery HD partition remains on the disk. Hold down ⌘R during system startup to automatically boot into the Recovery HD partition. (Holding down the option key during startup—not a new feature in Lion—will also show the Recovery HD partition as one of the boot volume choices.)
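As an added example (not part of the original review, and not Apple code), the Python sketch below parses the two diskutil list listings quoted above and reports what the installer changed in the partition map, which is a quick way to baseline a disk and spot a slice that the Finder and Disk Utility do not show. The function names, the decimal-unit conversion, and matching partitions by type and name are assumptions of this example.

```python
import re
from decimal import Decimal
from typing import NamedTuple

# Constructed sample input: the two listings quoted in the review,
# retyped in diskutil's column layout.
BEFORE = """\
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.1 GB   disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                  Apple_HFS Lion Ex                 125.0 GB   disk1s2
   3:                  Apple_HFS Timex                   124.6 GB   disk1s3
"""
AFTER = """\
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.1 GB   disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                  Apple_HFS Lion Ex                 124.5 GB   disk1s2
   3:                 Apple_Boot Recovery HD             654.6 MB   disk1s3
   4:                  Apple_HFS Timex                   124.6 GB   disk1s4
"""

# Assumption: sizes are shown in decimal units (1 GB = 10**9 bytes).
UNITS = {"B": 1, "KB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}


class Partition(NamedTuple):
    index: int
    type: str
    name: str          # empty for the whole-disk row and unnamed slices
    size_bytes: int
    identifier: str


def parse_diskutil_list(text):
    """Parse partition rows, reading each row from the right-hand side.

    NAME may be empty or contain spaces, so the fixed fields are taken
    from the ends of the row and whatever remains is the name.
    """
    parts = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows look like: "N:" TYPE [NAME ...] SIZE UNIT IDENTIFIER
        if len(tokens) < 5 or not re.fullmatch(r"\d+:", tokens[0]):
            continue
        size, unit, ident = tokens[-3], tokens[-2], tokens[-1]
        if unit not in UNITS:
            continue
        # Decimal avoids float rounding on values such as 654.6 MB.
        size_bytes = int(Decimal(size.lstrip("*")) * UNITS[unit])
        name = " ".join(tokens[2:-3])
        parts.append(Partition(int(tokens[0][:-1]), tokens[1], name,
                               size_bytes, ident))
    return parts


def diff_layouts(before, after):
    """Compare layouts keyed by (type, name).

    Identifiers cannot be the key: inserting a slice renumbers the ones
    after it. Two unnamed slices of the same type would collide here.
    """
    old = {(p.type, p.name): p for p in before}
    new = {(p.type, p.name): p for p in after}
    common = old.keys() & new.keys()
    added = [p for k, p in new.items() if k not in old]
    removed = [p for k, p in old.items() if k not in new]
    resized = {k[1] or k[0]: new[k].size_bytes - old[k].size_bytes
               for k in common if new[k].size_bytes != old[k].size_bytes}
    renumbered = {k[1] or k[0]: (old[k].identifier, new[k].identifier)
                  for k in common if new[k].identifier != old[k].identifier}
    return added, removed, resized, renumbered


def not_auto_mounted(parts):
    """Slices of type Apple_Boot, which the review says are not mounted at boot."""
    return [p for p in parts if p.type == "Apple_Boot"]


def report(before_text, after_text):
    """Return human-readable lines describing the change between two listings."""
    before = parse_diskutil_list(before_text)
    after = parse_diskutil_list(after_text)
    added, removed, resized, renumbered = diff_layouts(before, after)
    hidden = not_auto_mounted(after)
    lines = []
    for p in added:
        note = " (not auto-mounted)" if p in hidden else ""
        lines.append(f"added     {p.identifier} {p.type} '{p.name}' "
                     f"{p.size_bytes / 10**6:.1f} MB{note}")
    for p in removed:
        lines.append(f"removed   {p.identifier} {p.type} '{p.name}'")
    for name, delta in sorted(resized.items()):
        lines.append(f"resized   '{name}' {delta / 10**6:+.1f} MB")
    for name, (was, now) in sorted(renumbered.items()):
        lines.append(f"moved     '{name}' {was} -> {now}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

On a live system the same functions can be fed the text printed by diskutil list instead of the embedded samples.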


Booting from the recovery partition really means mounting and then booting from the BaseSystem.dmg disk image on the recovery partition. Doing so presents a list of the traditional Mac OS X install disc options, including restoring from a Time Machine backup, reinstalling Mac OS X, running Disk Utility, resetting your password, and so on. There's also an option to get help online, which will launch Safari. Including Safari on the recovery partition is a nice touch, since most people's first stop when diagnosing a problem is Google, not the Genius Bar.

The upshot is that after all the file compression magic added in Snow Leopard to reduce the footprint of the OS, Lion steals over half a gigabyte of your disk space as part of its installation process, and never gives it back. The partition's name makes Apple's intent clear: it's meant as a last-ditch mechanism to diagnose and repair a Mac with a hosed boot volume. (Hosed, that is, in the software sense; existing as it does on the boot disk itself, the recovery partition won't be much use if the disk has hardware problems.)

Apparently Apple has decided that the ability to boot a Mac into a known-good (software) state is well worth sacrificing a small amount of disk space. MacBook Air owners or other Mac users with diminutive solid-state disk drives may disagree, however. In that case, the disk space can be reclaimed by some judicious repartitioning with Disk Utility (or the diskutil command-line tool) while booted from another disk. But don't be surprised when the fellow at the Genius Bar frowns a little at your deviation from the Apple Way.


Reconsidering fundamentals

The user-visible changes in Lion are legion. You'll be hard-pressed to find any part of the user interface that remains completely unchanged from Snow Leopard, from the look and feel all the way down to basic behaviors like application and document management. In Lion, Apple has taken a hard look at the assumptions underlying the last ten years of Mac OS X's development—and has decided that a lot of them need to change. Get ready.

Lion's new look

Let's ease into things with a tour of Lion's revised user interface graphics. Though Apple still uses the name "Aqua" to refer to Lion's interface, the look is a far cry from the lickable, candy-coated appearance that launched the brand. If you can imagine three dials labeled "color," "contrast," and "contour," Apple has been turning them down slowly for years. Lion accelerates that process.


Standard controls in Lion and Snow Leopard

The shapes have started to change, too. The traditional capsule shape of the standard button has given way to a squared-off, Chiclets-style appearance. The tubular shape of the progress bars, a fixture since even before the dawn of Mac OS X, has been replaced with a vaguely puffy stripe of material. Radio buttons, checkboxes, slider thumbs, segmented controls, "tab" controls—nearly everything that used to protrude from the screen now looks as if it was pounded down with a rubber hammer.

Even the elements that look identical, like the plain gray window title bars, are slightly different from their Snow Leopard counterparts. The new look is not a radical departure—everything hasn't gone jet black and grown fur, for example—but this is the first time that nearly every element of the standard GUI has been changed in a way that's identifiable without a color meter or a magnifying glass.

For the most part, the new look speaks in a softer voice than its predecessor. The total removal of blue highlights from several controls (e.g., pop-up menus, combo boxes, slider thumbs, and tab controls) makes most interfaces appear slightly less garish. On the other hand, the additional green in the blue highlights that still do exist makes those controls appear more saccharine.

Apple says that its goal with the Lion user interface was to highlight content by deemphasizing the surrounding user interface elements. You can see this most clearly in sidebar and toolbar icons, which are now monochromatic in most of the important bundled applications. But this has the unfortunate side effect of making interface elements less distinguishable from each other, especially at the small sizes typical in sidebars. I'm not sure the "increased emphasis on content" is enough to balance out the loss, especially in applications like the Finder.

Left: Lion, Right: Snow Leopard

Appearance changes can have effects beyond emphasis, fashion, and mood. Take the "traffic light" red, yellow, and green window widgets, for example. As you can see in the images on the right, they've gotten smaller in Lion. Or rather, the colored portion has gotten smaller; the actual clickable area has lost only one pixel in height and five pixels in total width across all three widgets. But the psychological effect of the shrunken appearance is something else entirely. Despite the tiny difference in the functional size, I find myself being ever-so-slightly more careful when targeting these widgets in Lion. It's a little annoying, especially since it's not clear to me how the new, smaller size fits into Lion's new look. Does such a small reduction in size really serve to better emphasize window content? After all, none of the other controls have gotten any smaller.

Other aspects of the new look have clearer intentions. The flatter, more matte look of most controls, and especially the squared-off shape of the standard button, all bring to mind the look of Apple's other operating system, iOS. One control in particular takes the iOS connection even further.

Finally, there's Apple's budding love affair with a particular linen texture.
It first made its appearance as the background pattern for the notifications sheet in iOS 5. In Lion, it's featured even more prominently as the background for the newly restyled login screen, now featuring circular frames for user icons. (Also note the subset of menu bar status icons still visible in the top-right corner of the screen.)


Linen for your login screen

Scroll bars

Scroll bars, which Apple likes to call "scrollers" these days, are among the least-changed interface elements in Mac OS X. While the rest of the Aqua interface was refined—edges sharpened, pinstripes removed, shines flattened—scrollbars stubbornly retained their original Aqua look for over a decade.

A scroll bar from Mac OS X DP3, released in 2000

A scroll bar from Mac OS X 10.6, released in 2009

Scroll bars haven't been entirely static in Mac OS X, however. For many years, iTunes has had its own custom scroll bar look.

A scroll bar from iTunes 10.2.2, released in 2011


When these new scroll bars were first introduced in iTunes 7 in 2006, there was some speculation that this was a trial run for a new look that would soon spread throughout the OS. That didn't happen. But now, five years later, scroll bars are finally changing system-wide in Mac OS X. Here's a scroll bar from Lion:

A scroll bar from Mac OS X 10.7 Lion

The smeared gradient and fuzzy edges of the iTunes scroll thumb are nowhere to be seen. Instead, we have a narrow, monochrome, sharp-edged lozenge. Just like the window widgets, the scroll thumb appears slightly smaller than its Snow Leopard counterpart. (In this case, total scroll bar width and the clickable area are actually the same as in Snow Leopard.) The change in appearance might distract you from what's really different: where are the scroll arrows? You know, the little buttons on either end of the scroll bar (or grouped together on one end) that you click to move the scroll thumb a bit at a time? Well, they're gone. But wait, there's more. Here's a Finder window.

The complete contents of Lion's Applications folder…or is it?

Though I can assure you that Lion comes with more than eight applications, you wouldn't know it from looking at this screenshot. Forget about the arrows, where are the scroll bars?


Placing the cursor into the window and using the scroll wheel on the mouse or two-finger scrolling on a trackpad reveals what you might have already guessed based on the shape and appearance of the new scroll thumbs. Extremely thin, monochrome scroll thumbs fade in as the scrolling begins, and disappear shortly after it ends. These transient scroll thumbs appear on top of the window's content, not in alleys reserved for them on the edges of the window.

Initiating scrolling (via mouse wheel or trackpad) reveals overlay scroll bars. More applications below!

These ghostly overlay scroll bars are straight out of iOS. When they were introduced in 2007 on the iPhone's 3.5-inch screen, they made perfect sense. Dedicating one or more finger-width strips of the screen for always-visible, touch-draggable scroll bars would have been a colossal waste of pixels (and anything less than a finger's width of pixels would have been too narrow to comfortably use). Overlay scroll bars were essential in iOS, and completely in keeping with its direct manipulation theme. In iOS, you don't manipulate an on-screen control to scroll, you simply grab the whole screen with your finger and move it.

An iOS Scroll Bar

Apple isn't (yet) asking us to start poking our fingers at our Mac's screen, but it does now ship every Mac with some kind of touch-based input device: internal trackpads on laptops, and external trackpads or touch-sensitive mice on desktops. Lion further cements the dominance of touch by making all touch-based scrolling work like it does on a touchscreen. Touching your finger to a control surface and moving it downwards will move the document downwards, revealing more content at top and hiding some of the content that was previously visible on the bottom. This sounds perfectly logical, but it also happens to be exactly the opposite of how scrolling has traditionally worked with mouse scroll wheels. The effect is extremely disconcerting, as our fingers unconsciously flick at the scroll-wheel while our eyes see the document moving the "wrong" way.

Scroll direction setting in the Mouse preference pane. Checked means the new Lion scrolling direction is in effect.

Thankfully, there is a preference to restore the old mapping of finger movement to scroll direction. There's a second setting in the Trackpad preference pane, phrased in the opposite way. Unfortunately, the settings are linked; you can't have different values for each kind of input device.

Though the unification of scrolling gestures is logical, it's difficult to get used to after so many years of doing things the other way. The most common scrolling direction is downwards, and the most natural finger movement is curling inwards. These two things align when using a mouse wheel with the "old" scrolling direction setting. Old habits aside, it may be that the difference between touching a screen directly and touching a separate device on a horizontal surface in front of the screen is just too great to justify a single input vocabulary.

Either way, there's sure to be an uncomfortable transition period for everyone. For example, the two-finger swipe to the left or right used to switch between screens in Launchpad (described later) feels "backwards" when the scroll direction preference is set to the traditional, pre-Lion behavior. Perhaps just seeing a screen covered with a grid of icons unconsciously triggers the "iOS expectations" region of our brains. (And if you set the scroll direction to "feel right" for two-finger swiping in Launchpad, then the four-finger swipe between Spaces feels backwards! Sigh.)

Scroll bars do more than just let us scroll. First, their state tells us whether there's anything more to see. A window with "inactive" (usually shown as dimmed) scroll bars indicates that there is no content beyond what is currently visible in the window. Second, when a document has more content than can fit in a window, the scroll bars tell us our current position within that document. Finally, the size of the scroll thumb itself—or the amount of room the scroll thumb has to move within the scroll bar, if you want to look at it that way—gives some hint about the total size of the content.

Most computer users aren't conscious of such subtleties, but their combined effects are profound. Long-time Mac users might remember a time when scroll thumbs were perfectly square regardless of the total size of a window's content. When I think back to my time using those scroll bars, I don't recall any problems. But just try using these so-called "nonproportional" scroll bars today. The modern computer user's mind revolts at the lack of information, usually treating it instead as misleading information about the total size of a window's content. ("This window looked like it had pages and pages of content, but when I dragged the tiny square scroll thumb all the way from the top to the bottom, it only revealed two new lines of text!")

Classic Mac scrollbars

Only when this cue is gone do you realize how much you've been relying on it. And keep in mind that proportional scroll thumbs are the most subtle of the cues that scroll bars provide. The others are even more widely relied upon. The complete lack of visible scroll bars leaves a huge information void.

Let's put aside the familiar for a moment. In the absence of scroll bars, are there other visual cues that could provide the same information? Well, if truncated content appears at the edge of a window, it's usually a safe bet that there's more content in that direction. The prevalence of whitespace (between icons in the Finder, between lines of text, etc.) can make such truncation less obvious or even undetectable, but at least it's something. For total content size and position within the document, there's no alternative even that good.

But fear not, gentle scroller. Like the scroll direction, scroll bar visibility has a dedicated preference (in the General preference pane):

Scroll bar settings in the General preference pane

The default setting, "Automatically based on input type," will use overlay scroll bars as long as there's at least one touch-capable input device attached (though the trackpad on laptops doesn't count if any other external pointing devices are connected). If you don't like this kind of second-guessing, just choose one of the other options. The "When scrolling" option means always use overlay scroll bars, and the "Always" option means always show scroll bars, using the appearance shown earlier.

Lion includes new APIs for briefly "flashing" the overlay scroll bars (i.e., showing them, then fading them out). Most applications included with Lion briefly show the scroll bars for windows that have just appeared on the screen, have just been resized, or have just scrolled to a new position (e.g., when showing the next match while searching within a document). This helps soften the blow of the missing information previously provided by always-visible scroll bars, but only a little.

Applications with other UI elements whose correct placement relies on the existence of a reserved 16-pixel stripe for the scroll bar outside the content area of the window may be forced to display what Apple calls "legacy" scroll bars. (Apple's term for non-overlay scroll bars tells you all you need to know about which way the wind is blowing on this issue.) You can see an example of one such UI element in the image on the right. The document scale pop-up menu (currently showing "100%") pushes the horizontal scroll bar to the left to make room for itself. Clearly, this will not work if the scroll bar overlays the content area and is hidden most of the time. Apple suggests that such applications find new homes for these interface elements, at which point the AppKit framework in Lion will allow them to display overlay scroll bars.

Extra UI in the scroll bar area

Lion's scroll bars are a microcosm of Apple's new philosophy for Mac OS X. This is definitely a case of reconsidering a fundamental part of the operating system—one that hasn't changed this radically in decades, if ever. It's also nearly a straight port from iOS, which is in keeping with Apple's professed "back to the Mac" mission. But most importantly, it's a concrete example of Apple's newfound dedication to simplicity.

In particular, this change reveals the tremendous weight that Apple gives to visual simplicity. A complete lack of visible scroll bars certainly does make the average Mac OS X screen look a lot less busy. A lack of visual clutter has been a hallmark of Apple's hardware and software design for years, and iOS has only accelerated this theme. Also, practically speaking, the sum of all those 16-pixel-wide stripes reserved for scroll bars on window edges may add up to a nontrivial increase in the number of pixels available for displaying content on a Mac's screen. But there is a price to be paid for this simplicity; one person's noise is another person's essential source of information. Visual information, like the size and position of a scroll thumb, is one of the most efficient ways to communicate with humans. (Compare with, say, numeric readouts showing document dimensions and the current position as a percentage.)

These sacrifices were an essential part of the iPhone's success. The iPad, though larger, is clearly part of the same touch-based family of products, and is wisely built on the same foundation. But the Mac is a different kettle of fish—and not just because the screen sizes involved may be vastly larger, making the space savings of hidden scroll bars much less important. The Mac user interface, with its menus, radio buttons, checkboxes, windows, title bars, and yes, scroll bars, is built on an entirely different interactivity model than iOS. The Mac UI was built for a pixel-accurate indirect pointing device; iOS was built for direct manipulation with one or more fingers. The visual similarity of on-screen elements and the technical feasibility of porting them from one OS to the other should not blind us to these essential differences.

It's interesting that all of the scrolling changes in Lion have preferences that allow them to be reverted to their pre-Lion behaviors. The defaults clearly indicate the direction that Apple wants to go, but the settings to reverse them—public, with real GUIs, rather than undocumented plist hacks—suggest caution, or perhaps even some internal strife surrounding these features. Such caution is well-founded. Hidden scroll bars in particular have trade-offs that change dramatically based on the size of the screen and the input device being used. Like many features in Lion, the scrolling changes are most useful and appropriate on the Macs that are closest to iOS devices in terms of size and input method (the 11-inch MacBook Air being the best example). But on a Mac Pro with dual 27" 2560x1440-pixel displays attached, Lion's scrolling defaults make far less sense.

Window resizing

A lack of traditional scroll bars also means the elimination of the small patch of pixels in the lower-right corner of a window where the vertical and horizontal scroll bars meet. Since 1984, this area has been home to the one and only control used to resize a window. Setting the scroll bar appearance preference to "always visible" restores the clickable real estate, albeit sans the traditional "grip lines."

Resize widget

Despite the plain appearance, this resize control works as expected; what's unexpected is the cursor change that accompanies the action. The double-arrow cursor has been used in other operating systems for years, mostly to differentiate two-axis resizing (width and height) from single-axis resizing (height only or width only). When there's only one resize control per window, it's obvious that it can be used to change both the width and the height. Lion's new cursor can mean only one thing…

Window resizing from all edges (composite image)

That's right, long-suffering switchers, Lion finally allows windows to be resized from any edge and from all four corners, with a special cursor for each of the eight starting points. (When a window is at its size limit, the cursors show an arrow pointing in a single direction—a nice touch.)

As you can see from the image above, what Apple hasn't done is add borders to the windows. So where, exactly, do we "grab" when resizing from a borderless window edge? There's no way around it: some pixels must be sacrificed to the gods of Fitts's law. A few pixels within the outer edge of the content area of the window (two to three, depending on where you count from) are commandeered for window resizing purposes. You can still click on these areas, and the click event will correctly propagate to the application that owns the window, but you'll be clicking with a resize cursor instead of a normal arrow cursor.

Two to three pixels doesn't make for a very wide target, however, which is why Apple has chosen to appropriate pixels from both sides of the window border. Four to five pixels outside the content area of the window are also clickable for window resizing purposes. Clicks in these areas don't get sent to the window (they're out of the window's bounds) and they don't get sent to whatever happens to be behind the active window—you know, the thing that you ostensibly just clicked on. Effectively, Lion windows have thin, invisible borders around them used only for resizing. (Unlike Mac OS 8 and 9 windows, which had real, visible borders, Lion windows can't be dragged by their borders.)

When overlay scroll bars are in use, the full 16x16 pixel home of the traditional resize widget in the lower-right corner is clickable, making this still the easiest target for window resizing, whether it's visible or not.

Lion has a few more surprises on window edges, one of which is window size-related.

Left: Zoom widget, Right: Unzoom

Windows belonging to applications that support Lion's new full-screen mode may show an embossed double arrow icon on the far-right side of their title bars. Clicking it will cause the window to fill the entire screen. Other windows, the Dock, and even the menu bar are hidden in this mode. The window's title bar also disappears, making it unclear how to exit this mode. But just stab the cursor at the top of the screen and the menu bar slides back down into view, containing all the expected menus plus a reversed version of the double arrow symbol. Click the inward-facing arrows to take the current window out of full-screen mode.

Animation

Mac OS X has always used animation in its user interface, starting with the genie effect over a decade ago, and really ramping up with the introduction of the Core Animation framework three years ago. Lion continues this trend. In nearly all new or changed applications in Lion, if something can conceivably be animated, it is. The Finder is a good example. Even features whose functionality hasn't actually changed in Lion, such as dragging multiple items from one window to another, are given a fresh coating of animation and fades.

At its best, animation explicitly communicates information that was either absent or only implied before. For example, the genie animation tells the user where a window goes when it's minimized. In other cases, such as the water ripple effect in Dashboard, animation can add a bit of fun to an interface.

But danger lurks. A newly discovered animation might delight the user the first time it's shown, but the 350th time might not seem quite so magical. This is especially true if the animation adds a delay to the task, and if that task is done frequently as part of a time-sensitive overall task. The Dashboard water ripple is acceptable because adding a new widget to the screen is an infrequent task. But if the screen rippled every single time a new window appeared anywhere in the OS, users would revolt.

Well, guess what happens every time a new window appears on the screen in Lion? No, it's nothing as garish as a water ripple, but there is an animation. Each window starts as a tiny dot centered on the window's eventual position on the screen, then quickly animates to its full size. This animation conveys no new information. It does not tell the user where a window came from, since the animation starts at the final position of the window. Whether or not the animation actually delays the opening of the window, it certainly feels like it does, which is even more important.

This type of animation can make Lion feel slower than Snow Leopard. And when an animation like this stutters or skips a few frames due to heavy disk I/O or CPU usage, it makes your whole Mac feel slower, like you're playing a 3D game with an inadequate video card. And for what? For what someone at Apple hopes will be a lasting feeling of delight?

Perhaps it could be argued that the animation catches the eye more than a window that appears instantly (though that probably depends on the size of the window and what's behind it on the screen). For "unexpected" windows like error dialog boxes, that could be a benefit. But for "expected" windows (i.e., those that appear in response to deliberate user input), the powerful, primordial pull of these moving images is an unwelcome distraction, not a benefit. It's conceivable that this animation could delight some users, but I have a hard time believing that the enjoyment will last much past the first week. (Interestingly, this animation does not play in reverse when a window is closed. This, perversely, makes window closing feel faster than window opening in Lion.)

Unlike the scrolling behaviors discussed earlier, there are no user-visible preferences for these new animations, which makes it all the more important for Apple to strike a good balance. In my estimation, Lion crosses the line in a few places; the new window animation is the most egregious example. I look forward to discovering a way to disable it.

Here's to the crazy ones

Bruce Tognazzini, founder of the Apple Human Interface Group and 14-year Apple veteran (1978-1992), is best known as the man behind the publication of the Apple Human Interface Guidelines. In 1992, he published a book of his own: Tog on Interface. Most of the examples in the book were taken from his work at Apple. Here's an excerpt from pages 156-157:

Natural objects have different perceivable characteristics, among which people can easily discriminate. Take the bristlecone pine. The oldest living thing on earth, it has been formed and shaped by the wind and scarred by thousands of years of existence. The youngest school kids look at it and know there must be a lot of wind around there. They know the pine may be even older than their father. They also know, to a certainty, that it is a tree.

Kristee Kreitman Rosendahl, responsible for not only the graphic design of HyperCard, but also much of its spirit, created a collection of Home icons that shipped with the product. No one has ever shown confusion at seeing various little houses on various cards. Never once has someone turned around and said, "Gee, this little house has three windows and seems to be a Cape Cod. Will that take me to a different Home card than that two-story bunk house back in the other section?" People are designed to handle multiplexed meanings gracefully, without conscious thought.

Hypercard "Home" icons

In System 7, we multiplexed the meaning of system extensions, by developing a characteristic "generic" extension look, to which developers can add their own unique look for their specific product. As the "bandwidth" of the interface increases, these kinds of multiplexings will become more and more practical.

System 7 extension icons

This is Tog, godfather of the old-school Apple Human Interface Guidelines, stating emphatically that interface elements do not have to look exactly the same in order for their function to be discerned. In fact, in the final sentence, Tog predicts that increased computing power will lead to more diverse representations. The increased "bandwidth" of user interfaces that Tog wrote about almost 20 years ago has now come to pass, and then some. Examples of "multiplexed meanings" in Mac OS X are not hard to find. Look at the Dock, which has changed appearance several times during the history of Mac OS X while still remaining immediately identifiable. And, as discussed earlier, nearly every standard GUI control has changed its appearance in Lion. As Tog notes, people are excellent at discarding unimportant details and focusing on the most salient aspects of an item's appearance. Now, keeping all this in mind, I invite you to gaze upon this screenshot of the version of iCal that ships with Lion.

A stitch in time saves…something, presumably

When this change was first revealed in the second developer preview of Lion, there was much gnashing of teeth. But ask yourself, is the function of every control in the toolbar clear? Or rather, is it any less clear than it would be if iCal used the standard Mac OS X toolbar appearance? The immediate, visceral negative reaction to the rich Corinthian leather appearance had little to do with usability. What it came down to—what first impressions like these always seem to come down to—is whether or not you think it's ugly. People will take "really cool-looking but slightly harder to use" over "usable but ugly" any day.

But there's something much more important than the change in appearance going on here. Lion's iCal doesn't look different in an arbitrary way; it's been changed with purpose. After the initial stitched-leather shock wore off, Apple watchers everywhere leapt on the new iCal's deeper sin: its skeuomorphic design. From Wikipedia (emphasis added):

A skeuomorph is a derivative object that retains ornamental design cues to a structure that was necessary in the original. Skeuomorphs may be deliberately employed to make the new look comfortably old and familiar, such as copper cladding on zinc pennies or computer printed postage with circular town name and cancellation lines. An alternative definition is "an element of design or structure that serves little or no purpose in the artifact fashioned from the new material but was essential to the object made from the original material."

Apple has been down this road before, most notably with the QuickTime 4.0 player application which included bright ideas like a "dial" control for adjusting the volume. Dials work great in the real, physical world, and are certainly familiar to most people. But a dial control in the context of a 2D mouse-driven GUI is incongruous and awkward at best, and completely incomprehensible at worst.

The brushed metal appearance of the QuickTime player would later inspire an officially supported Mac OS X window appearance starting in version 10.2, only to be dropped completely five years later in 10.5's grand interface unification. Now, three years after that, the pendulum is swinging in the other direction again—and hard.

In the case of iCal, Apple has aped the appearance of an analogous physical object (a tear-off paper calendar) but retained the behavior of standard Mac OS X controls. This avoids the problems of the QuickTime 4.0 player's dial control, but it's far from a clean win. The trouble is, the new iCal looks so much like a familiar physical object that it's easy to start expecting it to behave like one as well.

For example, iCal tries very hard to sell the tear-off paper calendar illusion, with the stitched binding, the tiny remains of already-removed sheets, and even a page curl animation when advancing through the months. But can you grab the corner of a page with your mouse and tear it off? Nope, you have to use the arrow buttons or a keyboard command, just like in the previous version of iCal. Can you scribble in the margins? Can you cross off days with a pen? Can you briefly fold the page upward to peek at the next month? No, no, and no.

At the same time, iCal is still constrained by some of the limitations of its physical counterpart. A paper calendar must choose a single way to break up the days in the year. Usually, each page contains a month, but there's no reason for a virtual calendar to be limited in the same way. When dealing with events that span months, it's much more convenient to view time as a continuous stream of weeks or days. This is especially true on large desktop monitors, where zooming the iCal window to full screen doesn't show any more days but just makes the days in the current month larger.

The new version of Address Book in Lion is an even more egregious example.

These graphics are writing checks this interface can't cash

Address Book goes so far in the direction of imitating a physical analog that it starts to impair the identification of standard controls. The window widgets, for example, are so integrated into the design that they're easy to overlook. And as in iCal, the amazing detail of the appearance implies functionality that doesn't exist. Pages can't be turned by dragging, and even if they could, the number of pages on either side of the spine never changes. The window can't be closed like a book, either. That red bookmark can't be pulled up or down or removed. (Clicking it actually turns the page backwards to reveal the list of groups. Did you guess that?) The three-pane view (groups → people → detail) is gone, presumably because a book can't show three pages at once. Within each paper "page" sits, essentially, an excerpt from the user interface of the previous version of Address Book. It's a mixed metaphor that sends mixed signals.

These newly redesigned Mac OS X applications are clearly inspired by their iOS counterparts, which bear similar graphical flourishes and skeuomorphic design elements. (Address Book in particular is a dead ringer for the Contacts app on the iPad.) In iOS, the inability to turn pages with the flick of a finger or yank out that tantalizing red bookmark is even more frustrating. In both environments, when the behaviors seemingly promised by the graphical design aren't delivered, all this artwork that was so clearly labored over fades into the background. The application trains us to ignore it. What was once, at best, a momentary amusement is reduced to visual noise.

In 2011, we're far past the point where computer interfaces need to reference their forebears in the physical world in order to be understandable (though it's possible Apple thinks the familiarity of such designs is still an effective way to reduce intimidation, especially for novice users). At the same time, hardware and software have advanced to the point where there's now ample "bandwidth" (to use Tog's term) to support visual and functional nuances beyond the bare necessities. Interface designers are faced with the challenge of how best to use the glut of resources now at their disposal. As Lion's iCal and Address Book applications demonstrate, an alternate description of this situation might be "enough rope to hang yourself."

Window management

Over the years, Apple has added several features that could loosely be defined as "window management aids." The first, and arguably most successful, was Exposé, introduced in Panther back in 2003. Two years later, Tiger shipped with Dashboard, which provided a dedicated screen for small "widget" windows, keeping them off the main screen. In 2007, Leopard brought official support for virtual desktops to Mac OS X under the name Spaces. Each of these features came with its own set of configurable keyboard shortcuts, hot screen corners, and (eventually) multi-touch gestures. While each was understandable and useful in isolation, it was up to each user to figure out how best to incorporate them into a workflow.

In Lion, Apple has taken a stab at consolidation under the umbrella name of Mission Control. Each individual feature still exists, albeit in slightly more limited forms, but activating one thing now provides access to them all.

Using any one of the supported Mission Control activation methods—a keyboard shortcut, a hot screen corner, or a four-finger upwards swipe—causes the current desktop picture to recede slightly into the center of the screen, revealing behind it our old friend the linen pattern. Overlaid on this are groups of windows, badged by the icons of the applications to which they belong. Along the top of the screen sit all open Spaces. (In Lion, each full-screen window creates a new Space, so those windows appear at the top rather than grouped with the other windows from the same application.) Dashboard is also (optionally) given its own Space.

Mission Control: Exposé + Spaces + Dashboard

A surprising number of things can be done from this screen. As with Exposé, clicking on any window will bring it to the front. Windows can also be dragged into any of the available Spaces (excluding Dashboard and those that contain a single full-screen window). Moving the cursor (or dragging a window) to the upper-right corner of the screen causes a panel with a "+" character to appear; clicking this creates a new space. Holding down the option key makes Dashboard-style "close" widgets appear on any non-fullscreen-window Spaces (except the original Desktop Space, which can never be closed).

The biggest limitation of this new arrangement is that Spaces are now confined to a one-dimensional line of virtual desktops. Four-finger swiping between spaces feels great, but there's no wrap-around when you hit the end.

As big a step down as this is from the much more flexible grid arrangement of Spaces in earlier versions of Mac OS X, the new limitations are probably a good idea. The new behavior of full-screen windows and the surprisingly natural-feeling four-finger swipes used to switch between them and enter Mission Control means that many more Mac users will likely find themselves using these new features than ever used the combination of Exposé and Spaces in earlier versions of the OS. A simple line of spaces with no wrap-around provides a safe, understandable environment for all these new Spaces users.

For the experts, well, consolidation always has its price. In this case, as in many others, Apple has decided that the good of the many outweighs the good of the few.

Application management

For all its warts, the radical simplification of application management brought to Mac OS X by the Dock really has benefitted the platform. As I wrote in my ten year Mac OS X retrospective, "For every user who continues to be frustrated by the Dock's limitations, there are thousands of others who are buoyed in their computing efforts by its reassuring simplicity and undemanding design."

But the Dock falls short, especially for novice users, as an application launcher. Or rather, it falls short if the application to be launched isn't actually in the Dock. Most novice users I know want to have every application they are likely to use available in the Dock at all times. As these users gain experience, the Dock can become a very crowded place. But why are these increasingly Mac-savvy users stuffing their Docks to the gills rather than limiting its contents to just the applications they use most frequently?

The answer lies in how applications not in the Dock are located and launched. Choices include the Finder, Spotlight, or (I suppose) a Terminal window. Moving from an always-visible line of colorful icons that's front and center on the screen to any one of those alternatives represents a huge increase in conceptual and mechanical complexity.

If you don't understand how typing the name of an application into a search box can be so much more difficult than clicking an icon in the Dock, I suggest that you have not spent enough time with novice users. Such users often don't even know the name of the application they want—or if they do, they don't know how to spell it. That's before considering the frequent disorientation caused by the rapid-fire search results refinement animation in the Spotlight menu, or the existence of multiple files whose contents or names contain the string being searched for. And this all assumes novices know (or remember) what Spotlight is and how to activate it in the first place.

The jump in complexity from the Dock to the Finder, I think, needs less explanation. As a general rule, novice users just don't understand the file system. They don't understand the hierarchy of machines, devices, and volumes; they don't grasp the concept of the current working directory; they don't know how to identify a file or folder's position within the hierarchy. Fear of the file system practically defines novice users; it is usually the last and biggest hurdle in the journey from timid experimentation to basic technical competence.

To put it another way, your dad can't find it if it's not in the Dock. (Well, my dad can't, anyway. Sorry to all the Mac-savvy dads out there; I am one, after all.) In Lion, Apple aims to fill that gap with an application launching interface that's meant to be as easy to use as the Dock while providing access to every application on the system. It's called Launchpad, and you'll be forgiven for thinking that it looks like yet another interface element shamelessly ported from iOS.

Launchpad: iOS's SpringBoard on your Mac

Launchpad can be activated with a Dock icon (which, importantly, is in the Lion Dock by default), a multitouch gesture (a somewhat awkward pinch with the thumb and three fingers), or by dragging the mouse cursor to a designated corner of the screen. The grid of application icons that appears doesn't just look like iOS's SpringBoard, it also behaves like it, right down to the "folders" created by dragging icons on top of each other. Holding down the option key makes all the icons sprout close widgets as they start to wiggle. Swiping right and left on the touchpad or with a click and drag of the mouse will move from screen to screen, accompanied by a familiar iOS-like dotted page indicator.

Launchpad “folders”

Launchpad will find applications in the standard /Applications folder as well as ~/Applications (i.e., a folder named "Applications" in your home directory), and any subfolders within them. Applications in the ~/Downloads folder or on the desktop are not detected, which may actually be a problem for Mac users who have not yet figured out how to perform drag-and-drop application installations—yet another area where the Mac App Store will help make things simpler.

Speaking of which, when purchasing an application in the version of the Mac App Store that ships with Lion, the application icon leaps out of the Mac App Store window and lands in the next available position in the Launchpad grid, with an iOS-like progress bar overlaid on the new application's icon. If the Launchpad icon is in the Dock, it displays a similar progress bar and the icon bounces once when the download finishes. Both serve as examples of animation that conveys useful information. "Here's where the application you just purchased has 'landed' on your Mac," the animation says. "To find it again, click the icon that just bounced in your Dock."


Given the wealth of excellent third-party application launchers available for the Mac, I'm not sure there's any reason for an expert user to use Launchpad instead of their current favorite alternative. But unlike, say, the Dock, Launchpad is easily ignored. Turn off the gesture, deactivate the hot corner, and remove the icon from the Dock and you'll never have to see it. For everyone else, however, Launchpad will provide a huge improvement in usability. Even expert users should be excited about its arrival because it should make telephone or e-mail-based family technical support a bit easier.

Document model

Lion introduces what Apple calls, with characteristic conviction, a "modernized" document model. I'm inclined to agree with this word choice. Like so many other aspects of Lion, document management is attempting to shed its legacy baggage—and there's plenty to shed.

The conventions governing the interaction between users, applications, and documents have not changed much since the personal computer became popular in the early 1980s. Apple first attempted a minor revolution in this area with OpenDoc in the 1990s. Instead of launching an application in order to create a document, OpenDoc promised a world where the user would open a document and then work on it using an interchangeable set of components created by multiple vendors. In other words, OpenDoc was document-centric rather than application-centric.

The changes in OpenDoc promised to radically shift the balance of power in the application software market. But powerful software companies like Microsoft and Adobe were not particularly motivated to break their popular, full-featured applications into smaller components that customers could mix and match with components from other vendors. At the time OpenDoc was released, Apple was nearing the nadir of its popularity and influence in the industry. Predictably, OpenDoc died on the vine.

Fast-forward to today, where a much more powerful and confident Apple takes another crack at the same area. The most pressing problem, today's Apple has decided, is not the interaction between application code and document data, but rather the interaction between the user and the computer. Despite decades of public exposure to personal computers, human expectations and habits have stubbornly refused to align with the traditional model of creating, opening, and saving documents. The tales of woe have become clichés:

• The student who writes for an hour without saving and loses everything when the application crashes.
• The businessman who accidentally saves over the "good" version of a document, then takes it upon himself to independently reinvent version control—poorly—by compulsively saving each new revision of every document under slightly different names.
• The Mac power user who reflexively selects the "Don't Save" button for one document after another when quitting an application with many open windows, only to accidentally lose the one document that actually had important changes.
• The father who swears he saved the important document, but can't, for the life of him, remember where it is or what he called it.

At this point, we can no longer call this a problem of education. We've tried education for years upon years; children have been born and grown to adulthood in the PC era. And yet even the geekiest among us have lost data, time, or both due to a "stupid" mistake related to creating, opening, and saving documents. And so Apple's decree in Lion is as it was on the original Macintosh in 1984, and as it is on iOS today: the machine must serve the human, not the other way around.

To that end, Apple has added APIs in Lion that, when used properly, enable the following experience.

• The user does not have to remember to save documents. All work is automatically saved.
• Closing a document or quitting an application does not require the user to make decisions about unsaved changes.
• The user does not have to remember to save document changes before causing the document's file to be read by another application (e.g., attaching an open document with unsaved changes to an e-mail).
• Quitting an application, logging out, or restarting the computer does not mean that all open documents and windows have to be manually re-opened next time.

Earlier versions of Mac OS X supported a form of automatic saving. If you had an open TextEdit document with unsaved changes, TextEdit would (eventually) save a backup copy of the file with the text " (Autosaved)" appended to the file name. If the application crashed or the Mac lost power, you could retrieve (some of) your unsaved changes by finding the autosaved file and opening it.

Lion introduces a variant of this practice: autosave in place. Rather than creating a new file alongside the original, Lion continuously saves changes directly to the open document. It does this when there are large document changes, during idle times, or on
demand in response to requests from other applications for access to the document's data.

For all of this to work, applications must be updated to use the new APIs. In particular, a new File Coordination framework must be used in order for an application to notify another that it wants to access a document that's currently open. The application that has the document open will then trigger an autosave to disk before allowing the requesting application to reference the document's data. Attaching a document to an email or using Quick Look in the Finder are two examples of when this might happen.

At this point, a little bit of "geek panic" might be setting in. For those of us who understand the pre-Lion document model and have been using it for decades, the idea that we are no longer in control of when changes to open documents are saved to disk seems insane! What if I accidentally delete a huge swath of text from a document and then Lion decides to autosave immediately afterwards? Not every change is meant to be saved, after all. The practice of speculatively making radical changes to a document with the comfort of knowing that none of those changes are permanent until we hit ⌘S is something experienced Mac users take for granted and may be loath to give up.

I confess, I omitted one item from the list of changes enabled by Lion's modern document model. Here it is:

• The user does not have to manually manage multiple copies of document files in order to retrieve old versions.

If you still don't get it, check out the item in the File menu formerly known as "Save." It now reads "Save a Version" instead.

The artist formerly known as “Save”

Every time a Lion-savvy application autosaves a document, it stores a copy of the previous version before it overwrites the file with the new data. A pop-up menu in the title bar of each document window provides access to previous versions.


A menu in the title bar provides access to previous versions of a file

Select the "Browse All Versions…" menu item to enter a Time Machine-like space-themed screen showing all previous versions of the file. Using this interface, the document can be reverted to any earlier version, or snippets of data from earlier versions may be copied and pasted into the current version. Though the star field background and surrounding timeline interface are provided automatically, the document windows themselves are actual windows within the application. They can be scrolled and manipulated in any way allowed by the application, though the contents of previous versions may not be modified.

Document version browser…in spaaaaace!


The standard Cocoa document framework will manage many of the details for application developers, including automatically purging very old versions of files. The document versioning interface shown above is also integrated with Time Machine, showing both locally stored file versions and older versions that only exist on the Time Machine backup volume. Going forwards or backwards in the document timeline is accompanied by a neat star-field "warp" animation. Restoring the document to an earlier state actually just pushes a duplicate of that state to the front of the stack of all changes. In other words, restoring a document to its state as of an hour ago does not discard all the changes that happened during that hour. Returning to the title bar pop-up menu, the "Revert to Last Saved Version" menu item returns the document to its last explicitly saved state (i.e., what it looked like the last time the user typed ⌘S or selected the "Save a Version" menu item). "Duplicate" will create a new document containing the same data as the current document. Finally, the "Lock" item will prevent any further changes to the document until it is explicitly unlocked by the user. Documents will also automatically be locked if they're not modified for a little while. The auto-lock time is configurable in the "Options…" screen of the Time Machine preference pane (of all places), with values from one day to one year. The default is two weeks.

The auto-lock delay setting, cleverly hidden in the Time Machine preference pane

There is no graphical interface to previous versions of documents outside of an application. Previous versions can't be viewed or restored from within the Finder, for example. Forcing all version manipulation to be within the application is limiting, but it also neatly solves the problem of how to present document contents with full fidelity—beyond what Quick Look offers—when looking at past revisions.

One unexpected implication of autosave is that it makes quitting applications much less painful. If you've ever had to quickly log out or shut down a Mac that has been up and working hard for weeks or months, you know how awful it is to have to wade through umpteen dialog boxes, each demanding a decision about unsaved changes before allowing you to continue.


These are not easy questions, especially for files that may have been open for a long time. Put aside deciding whether the changes are worth saving; can you even remember what the unsaved changes are? Were they intentional, or did you accidentally lean on the keyboard and delete a selected item some time last week? Now multiply this dilemma by the number of open documents with unsaved changes—and imagine you're in a hurry. It's not a pleasant experience.

Autosave eliminates these hassles. Quitting an application that supports autosave happens instantly, with no additional user input required—always.

Of course, by quitting an application (or quitting all applications by logging out or restarting) you're also losing all of your accumulated state: all your open documents, the size and position of their windows, scroll positions, selection state. Losing state can prove even more painful than playing "20 questions" with a swarm of "unsaved changes" dialog boxes. Assuming you can remember what documents you had open, can you find them again?

Lion offers new APIs to address this problem as well. A suite of new state encoding/decoding hooks allow Lion applications to save and restore any and all aspects of document state. Upon relaunch, an application is expected to restore all the documents open when it was last quit, with all their state preserved.

So, how's that "geek panic" now? Still there, huh? Well, let me try to reassure you. As a committed user of a great Mac text editor that, years ago, implemented its own version of almost all the document management features described so far, I can tell you that you get used to it very quickly. Spoiled by it, in fact. Ruined by it, some would say. Yes, it's a very different model from the one we're all used to. But it's also a better model—not just for novices, but for geeks too.

Think about it: never lose data because you forgot to save. Quit applications with impunity. Retrieve old versions of documents at any time, in whole or in part. Build up a nice arrangement of open documents and windows, knowing that your hard work will not be trashed the next time you quit the application or need to restart for an OS security update.

The final piece of the puzzle is not strictly document-related, but it puts the bow on the package. When logging out or restarting, Lion presents an option (selected by default) to restore all open applications when you next log in. And relaunching a Lion-savvy application, of course, causes it to restore its open documents.

Putting it all together, this means that you can log out or shut down your Mac without being asked any questions by needy applications and without losing any of your data or window state. When you next log in, the screen should look exactly the same as it did just before you logged out. (In fact, Lion appears to "cheat" and briefly presents a static image of your earlier screen while it works on relaunching your apps and restoring your open documents. Sneaky, but an effective way to make state restoration feel faster than it really is.)

Process model

If you were flipping out over the document changes described in the previous section, buckle up, because the discomfort level is about to rise yet again. One of the first things experienced Mac OS X users will notice upon first using Lion is that running applications no longer have a dot below them in the Dock.

Three of these applications are running

As with nearly all potentially upsetting interface changes in Lion, there's a conciliatory preference to restore the pre-Lion behavior.

Dock indicator lights preference

But in the default configuration, the one that the vast majority of users will never alter, all applications in the Dock look exactly the same in Lion, running or otherwise. Apple's message with this change is a simple one, but also one that the nerdly mind rebels against: "It doesn't matter if an application is running or not. You shouldn't care. Stop thinking about it."

Geek panic! Remain calm. Let's start with the APIs. Sudden Termination, a feature that was introduced in Snow Leopard, allows applications to indicate to the system that it's safe to kill them "impolitely" (i.e., by sending them SIGKILL, causing them to terminate immediately, with no chance for potentially time-consuming clean-up operations to execute). Applications are expected to set this bit when they're sure they're not in the middle of doing something, have no open files, no unflushed buffers, and so on. This feature enables Snow Leopard to log out, shut down, and restart more quickly than earlier versions of Mac OS X. When it can, the OS simply kills processes instead of politely asking them to exit. (When Snow Leopard was released, Apple made sure its own applications and daemon processes supported Sudden Termination, even if third-party applications didn't.)

Lion includes a new feature called Automatic Termination. Whereas Sudden Termination lets an application tell the system when it's okay to terminate it with extreme prejudice, Automatic Termination lets an application tell the system that it's okay to politely ask the program to exit.

But wait, isn't it always okay for the OS to politely ask an application to exit? Isn't that what's always happened in Mac OS X on logout, shutdown, or restart? Yes, but what makes Automatic Termination different is when and why this might happen. In Lion, the OS may terminate applications that are not in use in order to reclaim resources—primarily memory, but also things like file descriptors, CPU cycles, and processes.

You read that right. Lion will quit your running applications behind your back if it decides it needs the resources, and if you don't appear to be using them. The heuristic for determining whether an application is "in use" is very conservative: it must not be the active application, it must have no visible, non-minimized windows—and, of course, it must explicitly support Automatic Termination.

Automatic Termination works hand-in-hand with autosave. Any application that supports Automatic Termination should also support autosave and document restore. Since only applications with no visible windows are eligible for Automatic Termination, and since by default the Dock does not indicate whether or not an application is running, the user might not even notice when an application is automatically terminated by the system. No dialog boxes will ask about unsaved changes, and when the user clicks on the application in the Dock to reactivate it, it should relaunch and appear exactly as it did before it was terminated.

This is effectively a deprecation of the Quit command.
It also, perhaps coincidentally, solves the age-old problem of former Windows users expecting applications to terminate when they no longer have any open windows. When Automatic Termination is enabled in an application, that's exactly what will happen—if and when the system needs to reclaim some resources, that is.

As if all of this isn't enough, Lion features one final application management twist. When an application is terminated in Lion, all the usual things appear to happen. If the running application indicator is enabled, the small dot will disappear from beneath the application's Dock icon. Assuming it's not a permanent resident, the application icon will disappear from the Dock. The application will no longer appear in the command-tab application switcher, or in Mission Control. You might therefore conclude that this application's process has terminated.

A quick trip to the Activity Monitor application or the "ps" command-line utility may dissuade you of that notion. Lion reserves the right to keep an application's process around just in case the user decides to relaunch it. Upon relaunch, the application appears to start up instantly—because it was never actually terminated, but was simply removed from all parts of the GUI normally occupied by running applications.

That's right, gentle readers. In Lion, an ostensibly "running" application may have no associated process (because the operating system automatically terminated it in order to reclaim resources) and an application may have a process even when it doesn't appear to be running. Applications without processes. Processes without applications. Did Lion just blow your mind?

The pitch

The application and document model changes in Lion are a radical break with the past—the past of the desktop, that is. Everything described above has existed since day one on Apple's mobile platform. Indeed, iOS is the most compelling argument in favor of the changes in Lion. For every objection offered by a long-time personal computer aficionado, there are millions of iOS users countering the argument every day with their fingers and their wallets.

These changes in Lion are meant to reduce the number of things the user has to care about. And while you may think you really do need to care about when your documents are saved to disk or when the memory occupied by an application is returned to the system, you may be surprised by how little you think about these things once you become accustomed to the computer managing them for you. If you're an iOS user, think about how often you've wanted a "Save" button in an app on your iPhone or iPad, for example.

So that's the pitch: Lion will bring the worry-free usability of iOS application and document management to the Mac. For the vast majority of Mac users, I think it will be an easy sale.
The reality

There's a common thread running through all of the application and document model features described above: they're all opt-in, and developers must add code to their applications to support them. Apple has some ability to hasten the transition to Lion-savvy applications through evangelism, positive reinforcement (the carrot), and the increasing popularity of the Mac App Store (the stick). But no matter what Apple does, the idyllic image of an iOS-like experience on your Mac will take a long time to materialize.


In the meantime, it's easy to envision a frustrating hodgepodge of old and new Mac applications running on Lion, making users second-guess their hard-won computing instincts at every turn. What I think will actually happen is that the top-tier Mac developers will quickly add support for some or all of these new features and users will start to look down on applications that still behave the "old way." I'm sure that's how Apple hopes things turn out, too.


Internals

The previous release of Mac OS X focused on internal changes. My review did the same, covering compiler features, programming language extensions, new libraries, and other details that were mostly invisible to end-users. Lion is most definitely not an internals-focused release, but it's also big enough that it has its share of important changes to the core OS accompanying its more obvious user-visible changes.

If this is your first time reading an Ars Technica review of Mac OS X and you've made it this far, be warned: this section will be even more esoteric than the ones you've already read. If you just want to see more screenshots of new or changed applications, feel free to skip ahead to the next section. We nerds won't think any less of you.

Security

Apple's approach to security has always been a bit unorthodox. Microsoft has spent the last several years making security a top priority for Windows, and has done so in a very public way. Today, Windows 7 is considered vastly more secure than its widely exploited ancestor, Windows XP. And despite the fact that Microsoft now distributes its own virus/malware protection software, a burgeoning market still exists for third-party antivirus software.

Meanwhile, on the Mac, Apple has only very recently added some basic malware protection to Mac OS X, and it did so quietly. Updates have been similarly quiet, giving the impression that Apple will only talk about viruses and malware if asked a direct question about a specific, real piece of malicious software.

This approach is typical of Apple: don't say anything until you have something meaningful to say. But it can be maddening to security experts and journalists alike. As for end-users, well, until there is a security problem that affects more than a tiny minority of Mac users, it's hard to find an example of how Apple's policies and practices have failed to protect Mac users at least as well as Microsoft protects Windows users.

Sandboxing

Just because Apple is quiet, that doesn't mean it hasn't been taking real steps to improve security on the Mac. In Leopard, Apple added a basic form of sandboxing to the kernel. Many of the daemon processes that make Mac OS X work are running within sandboxes in Snow Leopard. Again, this was done with little fanfare.

Running an application inside a sandbox is meant to minimize the damage that could be caused if that application is compromised by a piece of malware. A sandboxed application voluntarily surrenders the ability to do many things that a normal process run by the same user could do. For example, a normal application run by a user has the ability to delete every single file owned by that user. Obviously, a well-behaved application will not do this. But if an application becomes compromised, it may be coerced into doing something destructive.

In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job. Lion supports about 30 different entitlements which range from basic things like the ability to create a network connection or to listen for incoming network connections (two separate entitlements) to sophisticated tasks like capturing video or still images from a built-in camera.

It might seem like any nontrivial document-based Mac application will, at the very least, need to declare an entitlement that will allow it to both read from and write to any directory owned by the current user. After all, how else would the user open and save documents? And if that's the case, wouldn't that entirely defeat the purpose of sandboxing?

Apple has chosen to solve this problem by providing heightened permissions to a particular class of actions: those explicitly initiated by the user. Lion includes a trusted daemon process called Powerbox (pboxd) whose job is to present and control open/save dialog boxes on behalf of sandboxed applications. After the user selects a file or directory into which a file should be saved, Powerbox pokes a hole in the application sandbox that allows it to perform the specific action.

A similar mechanism is used to allow access to recently opened files in the "Open Recent" menu, to restore previously open documents when an application is relaunched, to handle drag and drop, and so on. The goal is to prevent applications from having to request entitlements that allow them to read and write arbitrary files. Oh, and in case it doesn't go without saying, all sandboxed applications must be signed.

Here are a few examples of sandboxed processes in Lion, shown in the Activity Monitor application with the new "Sandbox" column visible:


Sandboxed processes in Lion

Earlier, the Mac App Store was suggested as a way Apple might expedite the adoption of new Lion technologies. In the case of sandboxing, that has already happened. Apple has decreed that all applications submitted to the Mac App Store must be sandboxed, starting in November.

Privilege separation

One limitation of sandboxing is that entitlements apply to an entire process. A sandboxed application must therefore possess the superset of all entitlements required for each feature it provides. As we've seen, the use of the Powerbox daemon process prevents applications from requiring arbitrary access to the file system by delegating those entitlements to another, external process. This is a specific case of the general principle called privilege separation. The idea is to break up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities.

For example, consider an application that needs to play video. Decoding video is a complex and performance-sensitive process which has historically led to inadequate protection against buffer overflows and other security problems. An application that needs to display video will likely do so using libraries provided by the system, which means that there's not much a third-party developer can do to patch vulnerabilities where they occur.

What a developer can do instead is isolate the video decoding task in its own process with severely reduced privileges. A process that's decoding video probably doesn't need any access to the file system, the network, the built-in camera and microphone, and so on. It just needs to accept a stream of bytes from its parent process (which, in turn, probably used Powerbox to gain the ability to read those bytes from disk in the first place) and return a stream of decoded bytes. Beyond this simple connection to its parent, the decoder can be completely walled off from the rest of the system.

Now, if an exploit is found in a video codec, a malicious hacker will find himself in control of a process with so few privileges that there is little harm it can do to the system or the user's data. Though this was just an example, the QuickTime Player application in Lion does, in fact, delegate video decoding to an external, sandboxed, extremely low-privileged process called VTDecoderXPCService.

QuickTime Player with its accompanying sandboxed video decoder process

Another example from Lion is the Preview application, which completely isolates the PDF parsing code (another historic source of exploits) from all access to the file system.

Putting aside the security advantages of this approach for a moment, managing and communicating with external processes is kind of a pain for developers. It's certainly less convenient than the traditional approach, with all code within a single executable and no functionality more than a function call away.

Once again in Lion, Apple has provided a new set of APIs to encourage the adoption of what it considers to be a best practice. The XPC Services framework is used to manage and communicate with these external processes. XPC Service executables are contained within an application's bundle. There is no installation process, and they are never copied or moved. They must also be part of the application's cryptographic signature in order to prevent tampering.

The XPC Service framework will launch an appropriate external process on demand, track its activity, and decide when to terminate the process after its job is done. Communication is bidirectional and asynchronous, with FIFO message delivery, and the default XPC process environment is extremely restrictive. It does not inherit the parent process's sandbox entitlements, Keychain credentials, or any other privileges.

The reward for breaking up an application into a collection of least-privileged pieces is not just increased security. It also means that a crash in one of these external processes will not take down the entire application. We've seen this kind of privilege separation used to great effect in recent years by Web browsers on several different platforms, including Safari on Mac OS X. Lion aims to extend these advantages to all applications. It also makes Safari's privilege separation even more granular.

Safari in Lion is based on WebKit2, the latest and greatest iteration of the browser engine that powers Safari, Chrome, and several other desktop and mobile browsers. Safari in Snow Leopard already separated browser plug-ins such as Flash into their own processes. (Adobe should not consider this an insult; Apple does the same with its own QuickTime browser plug-in.) As if to further that point, WebKit2 separates the entire webpage rendering task into an external process. The number of excuses for the Safari application to crash is rapidly decreasing.

As the WebKit2 website notes, Google's Chrome browser uses a similar approach to isolate WebKit (version 1) from the rest of the application. WebKit2 builds the separation directly into the framework itself, allowing all WebKit2 clients to take advantage of it without requiring the custom code that Google had to write for Chrome. (Check out the process architecture diagrams at the WebKit2 site for more detailed comparisons with pre-Lion WebKit on Mac OS X and Chrome's use of WebKit.)
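The decoder arrangement described in this section, sketched with plain POSIX calls as an added example (it is not Apple's XPC Services API and not code from the review): the parent keeps the file access, while a forked worker that holds only a socket to its parent handles the untrusted bytes, and a worker crash is reported instead of taking the parent down. The run-length "codec", the size limits and the function names are assumptions made for the example, and a resource limit stands in for a real sandbox profile.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { MAX_IN = 1024, MAX_OUT = 256 };  /* assumed limits for this example */

/* Toy "codec" (constructed): expands (count, byte) pairs. The abort() on
 * odd-length input simulates a crash-class bug in a real decoder. */
static ssize_t rle_decode(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    if (n % 2 != 0)
        abort();
    for (size_t i = 0; i < n; i += 2) {
        size_t run = in[i];
        if (run > cap - o)
            return -1;                  /* output would not fit: reject */
        memset(out + o, in[i + 1], run);
        o += run;
    }
    return (ssize_t)o;
}

/* Child: keep only the socket, give up the ability to open anything else,
 * and only then touch the untrusted bytes. Never returns. */
static void worker(int fd)
{
    struct rlimit none = { 0, 0 };
    uint8_t in[MAX_IN], out[MAX_OUT];
    size_t n = 0;
    ssize_t r, len;
    for (int i = 0; i < 4096; i++)      /* drop inherited descriptors */
        if (i != fd)
            close(i);
    if (setrlimit(RLIMIT_NOFILE, &none) != 0 ||  /* no new descriptors */
        setrlimit(RLIMIT_CORE, &none) != 0 ||    /* no core dumps */
        open("/", O_RDONLY) >= 0)                /* self-test: must fail */
        _exit(99);
    while (n < sizeof in && (r = read(fd, in + n, sizeof in - n)) > 0)
        n += (size_t)r;
    len = rle_decode(in, n, out, sizeof out);
    if (len < 0 || write(fd, out, (size_t)len) != len)
        _exit(1);
    _exit(0);
}

/* Parent: returns the decoded length, -1 if the input was rejected, -2 if
 * the worker died abnormally, -3 if the worker could not be set up. */
ssize_t decode_isolated(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    int sv[2], status;
    size_t got = 0;
    ssize_t r, wrote;
    pid_t pid;
    if (n > MAX_IN || cap < MAX_OUT)
        return -1;
    signal(SIGPIPE, SIG_IGN);           /* a dead worker must not kill us */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -3;
    if ((pid = fork()) == 0) {
        close(sv[0]);
        worker(sv[1]);
    }
    close(sv[1]);
    if (pid < 0) {
        close(sv[0]);
        return -3;
    }
    wrote = write(sv[0], in, n);
    shutdown(sv[0], SHUT_WR);           /* EOF: the worker may start decoding */
    while (got < cap && (r = read(sv[0], out + got, cap - got)) > 0)
        got += (size_t)r;
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid)
        return -3;
    if (!WIFEXITED(status))
        return -2;                      /* crashed; the parent carries on */
    if (WEXITSTATUS(status) == 99 || wrote != (ssize_t)n)
        return -3;
    return WEXITSTATUS(status) == 0 ? (ssize_t)got : -1;
}

int main(void)
{
    const uint8_t ok[] = { 3, 'a', 2, 'b' }, cut[] = { 3, 'a', 2 };
    uint8_t out[MAX_OUT];
    printf("valid:     %zd\n", decode_isolated(ok, sizeof ok, out, sizeof out));
    printf("truncated: %zd\n", decode_isolated(cut, sizeof cut, out, sizeof out));
    printf("valid:     %zd\n", decode_isolated(ok, sizeof ok, out, sizeof out));
    return 0;
}
```

The worker checks that `open()` really fails before it reads any input, so a confinement step that silently did not apply is caught before untrusted bytes are parsed.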

Automatic Reference Counting

Since 2005, I've been very publicly concerned about the long-term prospects of Apple's programming language and application framework, Objective-C and Cocoa, going so far as to speculate about a possible technological crisis a few years in the future. When the future arrived, I revisited the issue of Apple's language and API future in light of Apple's dramatic entrance into the mobile market and the unprecedented growth this has enabled. You can read my conclusions for yourself, but the bottom line is that I'm still concerned about the issue—and think Apple should be too. Success hides problems, and Apple has been so very successful in recent years.

Enter (and exit) garbage collection

Apple has done a tremendous amount of work to modernize its development platform, including completely replacing its compiler, overhauling its IDE, and adding features and new syntax to the Objective-C language itself.
All of these things are great, but none address my specific concerns about memory management. Apple did eventually see fit to add garbage collection to Objective-C, but my fear that Apple wouldn't really commit to garbage collection in Objective-C turned out to be well-founded. Today, years after the introduction of this feature, very few of Apple's own applications use garbage collection. There's a good reason for this. Runtime garbage collection is simply a poor fit for Objective-C. For all its syntactic simplicity and long, distinguished history, the C programming language is actually a surprisingly complex beast, especially when it comes to memory management. In C, any correctly aligned pointer-size bit pattern in memory can potentially be used as an address; the language explicitly allows casting from void * to a typed pointer, and vice versa. Objective-C, as a superset of C, inherits these charming properties. In exchange for this sacrifice, Objective-C code can be compiled alongside plain C code and can link to C libraries with ease. This means that the runtime garbage collector is expected to traverse memory allocated by an arbitrary conglomeration of Objective-C and plain old C code and make the correct decision—every time—about what memory may safely be collected. Apple's Objective-C garbage collection is a global switch. It can't be enabled just for the clean, object-oriented Objective-C code that application developers write; it applies to the entire process, including all the frameworks that the application links to. It seems sensible for garbage collection to take a hands-off approach to any memory allocated outside Objective-C's gated object-oriented community. Unfortunately, memory allocated "the old-fashioned way" in plain C code routinely makes its way into the world of Objective-C, and vice versa. In theory, all such code could be annotated in such a way that it works correctly with garbage collection.
In practice, Mac OS X contains way too much code—much of it not written by Apple—to be able to properly vet every line of it to ensure that a runtime garbage collector has enough information to make the right decisions in every case. And, in fact, despite Apple's bold claims of readiness, there have been and continue to be cases where even code within Apple's own frameworks can confuse the Objective-C garbage collector. These kinds of bugs are particularly insidious because they may only manifest themselves when the collector runs within a certain window of time. The garbage collection compatibility outlook for third-party libraries is even more grim. Long story short: garbage collection for Objective-C is out. (It's still supported in Lion, but I wouldn't count on Apple putting a tremendous amount of effort into it going forward. And don't be surprised if it goes the way of Rosetta in a few years.) In its place, Apple has created something called Automatic Reference Counting, or ARC for short. But to
understand ARC, you should first understand how memory management in Cocoa has traditionally worked.

Cocoa memory management

Cocoa uses a memory management technique called reference counting. Each object has a reference count associated with it. When some part of an application takes ownership of an object, it increments the object's reference count by sending it a retain message. When it's done with the object, it decrements the reference count by sending a release message to the object. When an object's reference count is zero, it is deallocated. This allows a single object to be used by several different parts of the application, each of which is responsible for bookending its use of the object with retain and release messages. If retain is sent to an object more times than release, then its reference count will never reach zero and its memory will never be freed. This is called a memory leak. If release is sent more times than retain, then a release message sent after the object's reference count has reached zero will find itself looking at the region of memory formerly occupied by the object, which may now contain anything at all. A crash usually ensues. Finally, there's the autorelease message which means "release, but later." When an object is sent an autorelease message, it's added to the current "autorelease pool." When that pool is drained, all objects in it are sent one release message for each time they were added to the pool. (An object may be added to the same autorelease pool multiple times.) Cocoa applications have an autorelease pool that's drained at the end of each event loop, but new pools can be created locally by the programmer. Simple, right? Just make sure your retain and release/autorelease messages are balanced and you're golden. But as straightforward as it is conceptually, it's actually surprisingly easy to get wrong.
Experienced Cocoa programmers will tell you that retain/release memory management eventually becomes second-nature—and it does—but programmers are only human. Accurately tracking the lifecycle of all objects in a large application starts to push the limits of human mental capacity. To help, Apple provides sophisticated developer tools for tracking memory allocations and hunting down leaks. But education and tools only go so far. Cocoa experts may not see retain/release memory management as a problem, but Apple is looking towards the future, towards new developers. Other mobile and desktop platforms don't require this sort of manual memory management in their top-level application frameworks. Based on Apple's past efforts with garbage collection, it seems clear that Apple believes it would be better for
the platform if developers didn't have to manually manage memory. Now, finally, Apple believes it has found a solution that it can really get behind.

Enter ARC

To understand how ARC works, start by picturing a traditional Objective-C source code file written by an expert Cocoa programmer. The retain, release, and autorelease messages are sent in all the right places and are in perfect balance. Now imagine editing that source code file, removing every instance of the retain, release, and autorelease messages, and changing a single build setting in Xcode that instructs the compiler to put all the appropriate memory management calls back into your program when the source code is compiled. That's ARC. It's just what the name says: traditional Cocoa reference counting, done automatically.

Xcode's ARC setting (highlight added)

Before explaining how ARC does this, it's important to understand what ARC does not do. First, ARC does not impose a new runtime memory model. Code compiled under ARC uses the same memory model as plain C or non-ARC Objective-C code, and can be linked to all the same libraries. Second, ARC provides automatic memory management for Objective-C objects only (though note that blocks also happen to be Objective-C objects under the covers). Memory allocated in any other way is not touched and must still be managed manually. (The same goes for other resources like file handles and sockets.) Finally, ARC is not garbage collection. There is no process that scans the memory image of a running application looking for memory to deallocate. Everything ARC does happens at compile time. What ARC does at compile time is not magic. There is no deep artificial intelligence at work here. ARC doesn't even use LLVM's sophisticated static analyzer to figure out where to put the retains and releases. The static analyzer takes a long time to run—too long to be a mandatory part of the build process; it can also produce false positives. That's fine for a tool meant to detect possible bugs, but reliable memory management requires certainty. What allows ARC to work is the same thing that enables people to (eventually) become expert Cocoa programmers: conventions. Cocoa has rules about the transfer of
ownership that takes place during common operations like getting or setting an object attribute, initializing an object, or making a mutable copy. Furthermore, the methods that implement these operations follow a set of naming conventions. ARC knows all these rules and uses them to decide when to retain and when to release. In fact, ARC follows the rules in a more pedantic manner than any human ever would, bracketing every operation that could possibly be influenced by object ownership with the appropriate retain and release messages. This can produce a huge number of memory management operations. Luckily, Apple has an excellent optimizing compiler called Clang (since rechristened by Apple's marketing geniuses as the Apple LLVM Compiler 3.0). Clang sweeps through this sea of mechanically generated code, detecting and eliminating redundancies until what remains looks a lot like what a human would have written. Conventions were made to be broken, of course. But what ARC lacks in semantic sophistication it makes up for in predictability and speed, speed, speed. In cases where the human really does know best, ARC can be told exactly what to do thanks to a comprehensive set of new attributes and macros that allow the developer to annotate variables, data structures, methods, and parameters with explicit instructions for ARC. But the idea behind ARC is that these exceptions should be rare. To ensure that ARC can do what it's designed to do in a correct manner, a few additional language restrictions have been added. Most of them are esoteric, existing on the boundaries between Objective-C and plain C code (e.g., C structs and unions are not allowed to contain references to Objective-C objects). Compatibility with existing C code is one of Objective-C's greatest strengths. But since ARC is a per-compilation-unit feature and ARC and non-ARC code can be mixed freely, these new language restrictions make ARC more reliable without compromising interoperability.
ARC versus garbage collection

Apple's Objective-C garbage collection came with some drawbacks. As alluded to earlier, the programmer has little control over when the garbage collector will run, making object reclamation non-deterministic. A garbage-collected application with a memory management bug may crash or not depending on when the collector actually runs. Since garbage collection only runs periodically, the "garbage" (memory) may start to pile up in between runs. This can increase the so-called "high water mark" of an application. Finally, the garbage collection process itself can interfere with the execution of the application. Even on a multicore CPU where the collector can run on a separate thread, it must still interact with the running application's memory image, sometimes (briefly) blocking its
progress while it cleans up the garbage. On relatively weak, often single-threaded mobile CPUs, this interference can manifest itself as stutters or glitches in the user interface. ARC offers a very different value proposition. To start, it suffers from none of the disadvantages of Objective-C's runtime garbage collection. ARC is deterministic; all the memory management code is baked into the executable and does not change at runtime. Memory management is integrated directly into the program flow, rather than being done in batches periodically. This prevents execution stalls, and it can also reduce the high water mark. Most forms of automatic memory management incur some kind of performance hit. Not ARC. Since it's the compiler, not the programmer, inserting the memory management code, the generated retain and release code does not have to look exactly like a normal compiled Objective-C message send. The compiler has a much more intimate relationship with the Objective-C runtime, and can therefore optimize those operations in ways that a programmer cannot (well, should not, anyway). The end result is that the retain and release code generated by ARC is 2.5 times faster than the manual equivalent. Autorelease pools are 6 times faster. And just to show that there are no hard feelings, Apple has made normal Objective-C message sending 33 percent faster across the board, in both ARC and non-ARC code. Finally, unlike garbage collection, ARC is a per-compilation-unit setting. Using ARC in your application does not mean that every library you link to will also run under ARC. This means that you don't have to worry about whether or not every single one of Apple's libraries works correctly under ARC. Only Apple has to worry about that, and it can decide on a case-by-case basis which should be compiled with ARC and which should not. ARC and non-ARC code can be mixed freely. Objective-C garbage collection does, however, have one leg up on ARC. 
The garbage collector can detect and correctly reclaim object graphs with cycles in them. Under reference counting, if object A has a reference to object B, and object B has a reference to object A, then both A and B have a reference count of at least one. Even if no other object in the entire application has a reference to A or B, they will not be deallocated when running under ARC because they both, eternally, have nonzero reference counts. ARC requires the programmer to explicitly handle these situations, either manually breaking the cycles by removing one or more references or by using another Objective-C feature called "zeroing weak references." (A weak reference is a reference that doesn't contribute to an object's reference count.) For example, in a typical parent/child relationship, the parent might have a reference to the child and the child would have a
weak reference back to the parent. When the application no longer references the parent or child, the child will have a reference count of 1 (the parent still references it) but the parent will have a reference count of 0 and will therefore be deallocated. That then leaves the child with a reference count of 0, and it will be deallocated. Et voilà, no memory leak. The "zeroing" part means that weak references will be set to nil when the object they reference is deallocated. (Under ARC, all object pointers are initially set to zero.) Under normal circumstances, an object shouldn't be deallocated if there are still outstanding references to it. But since weak references don't contribute to an object's reference count, an object can be deallocated when there are outstanding weak references to it. When this happens, the automatic zeroing of the outstanding weak references prevents them from becoming dangling pointers. (In Objective-C, sending a message to nil is a no-op.)

ARC versus the world

Now we come to the 65,536 byte question. Does ARC put Apple back on an even footing with its competitors when it comes to programming language abstraction? The answer, I'm afraid, is no. ARC takes care of almost all the mundane Objective-C memory management tasks, but everything outside of Objective-C remains as it was. Furthermore, ARC does very little to address the other pillar of modern, high-level programming: memory safety. For all its auto-zeroing pointers and automatic object deallocation, ARC-enabled Objective-C is still a superset of C, and developers remain just a single bad pointer dereference away from scribbling all over their application's memory space. This is a far cry from the garbage collected, cycle-detecting, memory-safe, and sometimes even dynamically typed languages available on other platforms, both mobile and desktop.
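The retain/release/autorelease rules, the A-and-B cycle, and the zeroing weak back-reference described above can be traced in a small C model. This is an added illustration, not Apple's runtime or code from the review; every name in it (`obj_retain`, `weak_store`, the per-object list of weak slots) is an assumption made for the model.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_WEAK 8
#define POOL_CAP 16

struct obj {
    int rc;                             /* reference count */
    struct obj *strong_ref;             /* owning reference: counted */
    struct obj *weak_ref;               /* weak reference: not counted */
    struct obj **weak_slots[MAX_WEAK];  /* addresses of weak pointers aimed at this object */
    int nweak;
};

static int live_objects = 0;            /* allocated and not yet deallocated */
static struct obj *pool[POOL_CAP];      /* the current "autorelease pool" */
static int pool_len = 0;

static struct obj *obj_new(void) {
    struct obj *o = calloc(1, sizeof *o);  /* all pointers start as NULL */
    if (!o) abort();
    o->rc = 1;                          /* the creator owns the first reference */
    live_objects++;
    return o;
}

static struct obj *obj_retain(struct obj *o) { if (o) o->rc++; return o; }

static void weak_unregister(struct obj *target, struct obj **slot) {
    for (int i = 0; i < target->nweak; i++) {
        if (target->weak_slots[i] == slot) {
            target->weak_slots[i] = target->weak_slots[--target->nweak];
            return;
        }
    }
}

/* Aim *slot at target without retaining it, and record where the slot lives. */
static void weak_store(struct obj **slot, struct obj *target) {
    if (*slot) weak_unregister(*slot, slot);
    *slot = target;
    if (target) {
        if (target->nweak == MAX_WEAK) abort();
        target->weak_slots[target->nweak++] = slot;
    }
}

static void obj_release(struct obj *o) {
    if (!o || --o->rc > 0) return;
    for (int i = 0; i < o->nweak; i++)  /* zeroing: no weak pointer is left dangling */
        *o->weak_slots[i] = NULL;
    o->nweak = 0;
    if (o->weak_ref)                    /* our own weak slot is about to be freed */
        weak_unregister(o->weak_ref, &o->weak_ref);
    struct obj *owned = o->strong_ref;
    free(o);
    live_objects--;
    obj_release(owned);                 /* give up what this object owned */
}

/* "Release, but later": queue one release for the next drain. */
static struct obj *obj_autorelease(struct obj *o) {
    if (pool_len == POOL_CAP) abort();
    pool[pool_len++] = o;
    return o;
}

static void pool_drain(void) { while (pool_len > 0) obj_release(pool[--pool_len]); }

/* A and B retain each other. Returns how many objects are leaked. */
int scenario_strong_cycle(void) {
    int before = live_objects;
    struct obj *a = obj_new(), *b = obj_new();
    a->strong_ref = obj_retain(b);
    b->strong_ref = obj_retain(a);
    obj_release(a);                     /* 2 -> 1, never reaches 0 */
    obj_release(b);                     /* 2 -> 1, never reaches 0 */
    return live_objects - before;
}

/* Parent owns child; child and an outside observer point at the parent weakly.
 * Returns 1 when everything is freed and both weak pointers were zeroed. */
int scenario_weak_back_reference(void) {
    int before = live_objects;
    struct obj *parent = obj_new(), *child = obj_new(), *observer = NULL;
    parent->strong_ref = obj_retain(child);
    weak_store(&child->weak_ref, parent);
    weak_store(&observer, parent);
    obj_autorelease(child);             /* creator's reference, released at drain */
    obj_release(parent);                /* 1 -> 0: parent deallocated now */
    int zeroed = (child->weak_ref == NULL) && (observer == NULL);
    int child_pending = (live_objects - before == 1);
    pool_drain();                       /* child 1 -> 0 */
    return zeroed && child_pending && live_objects == before;
}

int main(void) {
    printf("strong cycle leaks %d objects\n", scenario_strong_cycle());
    printf("weak back-reference clean: %d\n", scenario_weak_back_reference());
    return 0;
}
```

Without the zeroing loop in `obj_release`, `observer` and `child->weak_ref` would still hold the freed parent's address after the release, which is the dangling-pointer case the text describes.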
This brings us back to my six-year-old set of premises: that programming language abstraction increases over time; that Apple's competitors use languages that have a higher level of abstraction than Objective-C; and that Apple has yet to explain how or when it's going to close the gap. ARC may not achieve parity with the likes of Java, C#, and JavaScript, but it does, finally, provide some insight into how Apple plans to keep its development platform technologically competitive. The first thing ARC reveals is that Apple does agree that there's a gap to be closed. It chose to attack the lowest-hanging fruit first, the one thing about Apple's development environment most likely to stand out as primitive and backwards to programmers coming from other platforms or even fresh out of school: manual memory management. But while doing so, Apple was not willing to sacrifice any of Objective-C's historic
strengths. Objective-C with ARC retains its compatibility with existing code and libraries and remains lean, mean, and as fast as ever—faster, in some cases. Right now, Apple seems committed to these two platform pillars: compatibility and performance. Compatibility is essential to protect Apple's considerable investment in its APIs and developer tools. (Apple even went so far as to enable ARC to work on Snow Leopard, albeit without the zeroing weak references feature.) Performance remains a competitive advantage for Apple's mobile devices, not just in terms of interface responsiveness and stutter-free animations, but also in power usage. Those runtime garbage collectors and virtual machines on other platforms can thrash caches and keep more mobile CPU cores working longer and harder. Apple may have danced with runtime garbage collection, but it's going home with compile-time automation. There is no clearer indicator of Apple's commitment than the fact that ARC is now the default for all new projects created in Xcode; garbage collection never was. The most intriguing aspect of ARC is what it might portend for Apple's future. ARC shows that Apple is willing to add restrictions to the language in exchange for developer convenience and safety. It also implies that Apple believes that compile-time automation and optimization is, if not preferable to, then at least as good as the runtime solutions available elsewhere, especially on mobile platforms. One thing that Apple does not apparently envision in its platforms' future is a traditional virtual machine, for all the reasons previously stated: performance, compatibility, and power usage. Runtime garbage collection is similarly off the table for now. (It's not that Apple believes that garbage collection necessarily precludes great performance; it's just a poor fit for Objective-C and Cocoa.)
What Apple has instead is a cutting-edge traditional compiler built on a framework that supports many of the same concepts (e.g., bytecode, JIT), but at a lower level. Putting it all together, it's not hard to imagine a future in which Apple's developers write code in a memory-managed, memory-safe language that incorporates only the highest-level aspects of Objective-C, but remains binary compatible with Objective-C libraries and code. This approach has been described as "Objective-C without the C," and that's not far off. We could arrive at this destination through a series of incremental changes—ARC being the latest—which slowly add optional (but recommended) features and restrictions to Objective-C, only the last of which would be touted as introducing a "new language."

Apple has invested a lot of time and manpower in getting off of gcc and onto a faster, more capable compiler. Now that the transition is over, Apple's attention can turn towards adding innovative features. The next few years of WWDC could be interesting.

The state of the file system

The file system implementation is not something most Mac users think about—nor should they. But like any other part of an operating system, there's some expectation that it will improve over time. And like any piece of technology, there comes a point where incremental improvements are no longer sufficient and a fresh start is required. Mac OS X itself was one such fresh start, albeit one derived from an existing product that was only slightly newer than the one it was replacing. But Mac OS X's file system, HFS+, was carried over from classic Mac OS directly into Mac OS X. It didn't get a fresh start when the rest of the OS did. Hopes were high for a new file system back in 2006 when Apple publicly declared its interest in a port of Sun's innovative ZFS file system. The next year, Sun's CEO announced that ZFS would be part of Mac OS X 10.5 Leopard—obviously without consulting Apple first. It didn't happen; Leopard shipped with HFS+. Two years after that, in 2009, Apple itself listed ZFS as a feature of Snow Leopard Server, only to later remove all references to ZFS from its Snow Leopard webpages. A few months later, Apple shut down its open-source project to port ZFS to Mac OS X. In the meantime, HFS+ has certainly been incrementally improved. Apple has added support for metadata journaling, case sensitivity, access control lists, and arbitrarily extensible metadata. None of these additions changed the basic design of the file system, however. HFS+ is thirteen years old, and is itself an extension of the HFS file system which is more than twenty-five years old. The state of the art in file system design has advanced a lot since 1985. But again, most people don't spend much time thinking about the file system. They think about files and folders, sure, but not the software that manages how the individual bytes are arranged on the storage device.
My longstanding preoccupation with the nitty-gritty of file storage has often been met with indifference or even derision. "Who cares about a new file system?" ask the scoffers. "HFS+ works fine. It stores and retrieves my files just fine. What's the problem?" In response to this sentiment, I'd like to offer some concrete reasons why HFS+ is long overdue for replacement. I believe that Apple understands these problems better than anyone, but that a series of unfortunate events has resulted in its next-generation
operating system being hamstrung with a previous-generation file system for the past decade. Before discussing whether or not Lion makes any progress in this area, let's take a hard look at our old friend, HFS+.

What's wrong with HFS+

Software is written with certain target hardware in mind. When HFS was created, the top-of-the-line Macintosh came with an 800K floppy drive, the "high-end" storage offered by Apple was a 20MB hard drive the size of a lunchbox, and the CPU was from the Motorola 68000 family. Thirteen years later, HFS+ replaced HFS, the floppy disks were 1.44MB, and Apple's hard drives topped out around 6GB. Keep this context in mind as we consider the following details of HFS+'s implementation. When searching for unused nodes in a b-tree file, Apple's HFS+ implementation processes the data 16 bits at a time. Why? Presumably because Motorola's 68000 processor natively supports 16-bit operations. Modern Mac CPUs have registers that are up to 128 bits wide. All HFS+ file system metadata read from the disk must be byte swapped because it's stored in big-endian form. The Intel CPUs that Macs use today are little-endian; Motorola 68K and PowerPC processors are big-endian. (The performance cost of this is negligible; it's mostly just silly.) The time resolution for HFS+ file dates is only one second. That may have been sufficient a few decades ago when computers and disks were slower, but today, many thousands of file system operations (and many billions of CPU cycles) can be executed in a second. Modern file systems have up to nanosecond precision on their file dates. File system metadata structures in HFS+ have global locks. Only one process can update the file system at a time. This is an embarrassment in an age of preemptive multitasking and 16-core CPUs. Modern file systems like ZFS allow multiple simultaneous updates, even to files that are in the same directory. The total number of blocks in an HFS+ volume is stored in a 32-bit value.
With 4KB blocks, this allows for a maximum disk size of 17TB. That may sound huge to you now, but consider that it's only a sixfold increase over what we have today, and today's largest hard drives are, in turn, a sixfold increase over what we had in 2005. (Apple can, of course, increase the block size from 4KB to, say, 8KB, but you can only play that game so long.) HFS+ lacks sparse file support, which allows space to be allocated only as needed in large files. Think about an application that creates a 1GB database file, then writes a few bytes at the start as a header and a few bytes at the end as a footer. On HFS+,
slightly less than a gigabyte of zeros would have to be written to disk to make that happen. On a modern file system with sparse file support, only a few bytes would be written to disk. Concurrency, metadata written in the correct byte order, sub-second date precision, support for massive volume sizes, and sparse file support are all common features of Unix file systems. Mac OS X, of course, is built on a Unix foundation. When HFS+ was ported from classic Mac OS to Mac OS X, it needed to be extended to support some minimum set of features that are expected from Unix file systems. Some of those features were an easy fit, but others were very difficult to add to the file system without breaking backwards compatibility. One particularly scary example is the implementation of hard links on HFS+. To keep track of hard links, HFS+ creates a separate file for each hard link inside a hidden directory at the root level of the volume. Hidden directories are kind of creepy to begin with, but the real scare comes when you remember that Time Machine is implemented using hard links to avoid unnecessary data duplication. Listing the contents of this hidden directory (named "HFS+ Private Data", but with a bunch of non-printing characters preceding the "H") on my Time Machine backup volume reveals that it contains 573,127 files. B-trees or no b-trees, over half a million files in a single directory makes me nervous. That feeling is compounded by the most glaring omission in HFS+—and, to be fair, many other file systems as well. HFS+ does not concern itself with data integrity. The underlying hardware is trusted implicitly. If a few bits or bytes get flipped one way or the other by the hardware, HFS+ won't notice. This applies to both metadata and the file data itself. Data corruption in file system metadata structures can render a directory or an entire disk unreadable. 
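An added example, not from the review or from Apple's sources: a C parser for the start of the HFS+ volume header that shows the big-endian fields, one-second dates and 32-bit block count discussed above. The field offsets, signatures and 1904 epoch follow Apple's published format description (Technical Note TN1150); the function names and the sample header bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HFS_SIG_HFSPLUS   0x482Bu        /* "H+" */
#define HFS_SIG_HFSX      0x4858u        /* "HX" */
#define HFS_TO_UNIX_EPOCH 2082844800LL   /* seconds from 1904-01-01 to 1970-01-01 */
#define HFS_HEADER_MIN    52             /* bytes up to and including freeBlocks */

struct hfs_summary {
    uint16_t signature, version;
    uint32_t block_size, total_blocks, free_blocks;
    int64_t  modify_unix;    /* whole seconds: the format stores nothing finer */
    uint64_t volume_bytes;
};

/* Every multi-byte field is big-endian on disk, whatever the host CPU is. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* HFS+ dates are unsigned 32-bit counts of seconds since 1904-01-01 GMT. */
int64_t hfs_date_to_unix(uint32_t hfs_seconds) {
    return (int64_t)hfs_seconds - HFS_TO_UNIX_EPOCH;
}

/* totalBlocks is a 32-bit field, so block size alone bounds the volume size. */
uint64_t hfs_max_volume_bytes(uint32_t block_size) {
    return (uint64_t)UINT32_MAX * block_size;
}

/* Parse the header found 1024 bytes into a volume. Returns 0 on success,
 * -1 short buffer, -2 bad signature, -3 bad block size, -4 inconsistent counts. */
int hfs_parse_header(const uint8_t *h, size_t len, struct hfs_summary *out) {
    if (len < HFS_HEADER_MIN) return -1;
    out->signature = be16(h + 0);
    if (out->signature != HFS_SIG_HFSPLUS && out->signature != HFS_SIG_HFSX)
        return -2;
    out->version      = be16(h + 2);
    out->modify_unix  = hfs_date_to_unix(be32(h + 20));  /* modifyDate */
    out->block_size   = be32(h + 40);
    out->total_blocks = be32(h + 44);
    out->free_blocks  = be32(h + 48);
    /* Allocation blocks are a power of two in size, at least 512 bytes. */
    if (out->block_size < 512 || (out->block_size & (out->block_size - 1)))
        return -3;
    if (out->free_blocks > out->total_blocks) return -4;
    out->volume_bytes = (uint64_t)out->total_blocks * out->block_size;
    return 0;
}

/* Constructed sample: a volume of about 500 GB with 4KB allocation blocks. */
void hfs_make_sample(uint8_t h[HFS_HEADER_MIN]) {
    memset(h, 0, HFS_HEADER_MIN);
    h[0] = 'H'; h[1] = '+';        /* signature */
    h[3] = 4;                      /* version 4 = HFS+ */
    put32(h + 20, 3393964800u);    /* modifyDate: 2011-07-20 00:00:00 GMT */
    put32(h + 40, 4096u);          /* blockSize */
    put32(h + 44, 122070312u);     /* totalBlocks */
    put32(h + 48, 1000000u);       /* freeBlocks */
}

int main(void) {
    uint8_t h[HFS_HEADER_MIN];
    struct hfs_summary s;
    hfs_make_sample(h);
    if (hfs_parse_header(h, sizeof h, &s) != 0) return 1;
    printf("block size %u, %u blocks, %llu bytes\n", (unsigned)s.block_size,
           (unsigned)s.total_blocks, (unsigned long long)s.volume_bytes);
    printf("modified (Unix seconds): %lld\n", (long long)s.modify_unix);
    printf("largest volume at this block size: %llu bytes\n",
           (unsigned long long)hfs_max_volume_bytes(s.block_size));
    return 0;
}
```

With 4KB blocks `hfs_max_volume_bytes` gives roughly 17.6 trillion bytes, the ceiling the review rounds to 17TB, and the largest representable date falls in February 2040.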
(For a double-whammy, think about corruption that affects the "HFS+ Private Data" directory where every single hard link file on a Time Machine volume is stored.) Corruption in file data is arguably worse because it's much more likely to go undetected. Over time, it can propagate into all your backups. When it's finally discovered, perhaps years later when looking at old baby pictures, it's too late to do anything about it. But how often does data corruption actually occur? The answer seems to be "more often than you'd think." Here's an excerpt from a 2010 academic paper on data integrity:

In a recent study of 1.53 million disk drives over 41 months, Bairavasundaram et al. show that more than 400,000 blocks had checksum mismatches, 8 percent of which were discovered during RAID reconstruction, creating the possibility of real data loss.
They also found that nearline disks develop checksum mismatches an order of magnitude more often than enterprise class disk drives.

Read the whole paper (PDF) for more detail and references. (Here's another example [PDF] from CERN, and the data integrity section of the ZFS Wikipedia entry contains more information and links.) Most of these studies concern themselves with enterprise-scale deployments, but personal storage use today is where enterprise storage was only a few years ago (in terms of capacity, if not throughput). And keep in mind that all of these issues only get worse as the data volume goes up—which it inevitably does, year after year. It's rapidly becoming inexcusable for the storage systems we entrust with some of our most precious possessions—something we're actively encouraged to do by Apple itself—to take such a cavalier approach to data integrity. The worst part is that there's little a user can do to make up for this technological gap; backups only serve to silently spread data corruption. I'll stop here, but do note that I haven't even gotten to many of the other headliner features of modern file systems: constant-time snapshots, transactional updates, data deduplication, and on and on. HFS+ has served Apple well, and probably for far longer than its designers ever imagined it would. But like all the other Apple-related products and technologies that fit this description (e.g., classic Mac OS, Carbon, PowerPC), there comes a time when things once treasured must pass from this world.

File system changes in Lion

Finally, we come to the heart of the matter. In Lion, what does Apple say to the god of file system death? "Not today." That's right, the default and only file system on which you can install Lion is our old friend, HFS+. As noted earlier, I'm sure Apple is acutely aware of HFS+'s shortcomings and would count its inability to field a successor among its (rare) recent failings as steward of the platform.
But it looks like it will take a while longer for Apple's file system roadmap to get back on track after the ZFS near-miss. Nevertheless, there are some file system changes in Lion—some significant ones, in fact. The biggest is the introduction of Apple's first real crack at creating a logical volume manager: Core Storage. In earlier versions of Mac OS X (or classic Mac OS, for that matter), a single physical disk could contain one or more volumes. That is, connecting the disk to a Mac would cause one or more new hard drive icons to appear in the Finder. By far, the most common case is to have just one volume on each physical hard drive. But Mac users
with more complex needs (e.g., people who have to install many different versions of the operating system for testing or review purposes) take full advantage of the ability to carve up a single physical disk into multiple independent volumes. The role of HFS+ in this mix is revealed by Apple's nomenclature. HFS+ is a "volume format." It stands to reason that there must then be something above HFS+ responsible for managing the multiple volumes that may exist on a single disk, in the same way that HFS+ manages the multiple files and folders that exist within a single volume. And so there is. Apple supports several varieties of what it calls "partition maps." ("Partitions" are the regions of a single disk carved out for volumes, one volume per partition. Apple's currently favored partition map is the GUID flavor.) Logical volume management is a broad term that usually means allowing more flexible relationships between disks and volumes than traditionally provided by partition maps. In the case of Apple's Core Storage, the key new feature is the ability for a single volume to span multiple physical disks. Somewhat obscuring this is a raft of new terminology to describe the new layers of the storage stack. At the very top level is the Logical Volume Group, which may contain one or more Physical Volumes. A Physical Volume provides storage; it may be a single physical disk, a disk image file, or even a RAID device. A Logical Volume Group exports zero or more Logical Volume Families. A Logical Volume Family contains one or more Logical Volumes, each of which presents a blank canvas onto which—finally!—a volume format like HFS+ may reside. Got all that? Don't worry if you haven't. The only thing you need to understand for now is that Core Storage provides a much richer set of abstractions above the volume format. The next question is obvious: what does Lion do with Core Storage? If you're entertaining visions of ZFS-style pooled storage, let me nip that in the bud. 
There is no friendly GUI for creating disk-spanning volumes, and the command-line tools provided are rudimentary and, in my brief testing, don't seem to support all of the features ostensibly enabled by Core Storage. Core Storage's purpose in Lion is discreetly hidden in the Logical Volume Family tier of the layer cake. Logical Volume Families don't just export Logical Volumes, they also contain properties that apply to them. One such set of properties in Lion enables full disk encryption. Though Apple is using the name FileVault to brand this feature, it has absolutely nothing to do with the feature of the same name from earlier versions of Mac OS X. The earlier incarnation of FileVault encrypted an individual user's home directory by storing it in an encrypted disk image file. This presented all sorts of complications to common
operations, and FileVault earned a horrible reputation for poor compatibility with existing software (including Apple's own, like Time Machine). Lion's FileVault doesn't just encrypt users' home directories, and it doesn't use encrypted disk image files. Instead, it's Apple's implementation of whole disk encryption. This means that every byte of data that makes up the volume is encrypted. Furthermore, this encryption is completely transparent to all software (including the implementation of HFS+ itself) because it takes place at a layer above the volume format—a layer that application software does not see at all. Having used a third-party whole-disk encryption product for years, I can tell you that this approach works amazingly well. It really is completely transparent, and the only compatibility issues I've had involved operating system upgrades. (When moving from Leopard to Snow Leopard, a new version of the disk encryption software was required. Presumably, this will not be a problem now that the feature is built into the OS.) Enabling whole-disk encryption is easy in Lion. The FileVault tab in the Security & Privacy preference pane carefully guides a user through the process, presenting clear explanations along with an extremely generous dose of caution.

FileVault whole-disk encryption

Each user who will be able to decrypt the drive must enter their password to do so. Next, an auto-generated "recovery key" is presented, along with a suggestion to "make a copy and store it in a safe place." This is a last resort in case a user forgets his or her account password. More dire warnings about data loss accompany this information.

FileVault recovery key: your last best hope

Will people really write down that long recovery key and store it in a safe place? Apple has its doubts, it seems, because the next screen asks if you'd like Apple to store the recovery key for you. There is no default choice for this question, which is exactly right, as far as I'm concerned. Most users probably should allow Apple to store their recovery key, but making that the default might be seen as an overreach by geeks and security nerds. If you choose to trust Apple, you must enter answers to three personal questions of your choice. The dialog claims that no one, not even Apple itself, can access your recovery password without the answers to these questions. We've heard claims like this before, but I'm inclined to believe that Apple has learned from the mistakes of others.

Recovery key escrow: help Apple help you

Finally, Apple insists that a recovery partition be present on the disk that's about to be encrypted. If it isn't, and if one can't be created (e.g., because it uses the wrong kind of partition map, or because doing so would shift a Boot Camp partition to the fourth position, making it unbootable), encryption won't be allowed to proceed. (It's kind of annoying that this check is only made at the very end of the process.) Assuming a recovery partition exists or can be created, a restart is required to enable encryption. Upon reboot, a screen that looks a lot like the Lion login screen (but only containing the users who are allowed to decrypt the volume) appears instantly. Select a user and enter the correct login password and the real boot process begins. Even if auto-login is disabled, you will boot directly into the account whose password was just entered. Revisiting the FileVault preference pane shows an estimate of the time remaining before the encryption process is complete. Encryption happens transparently in the background, which is a good thing because it takes a long time. While it's running, you can use applications, log out, reboot, and generally use your Mac as you normally would without perturbing the encryption process. If any users on the system are unable to decrypt the disk, they can be allowed to do so by having them enter their login password.

Enable more users to access the encrypted disk

The output of the diskutil list command now looks a bit strange (compare to earlier):

    /dev/disk1
       #:                       TYPE NAME             SIZE       IDENTIFIER
       0:      GUID_partition_scheme                 *250.1 GB   disk1
       1:                        EFI                  209.7 MB   disk1s1
       2:          Apple_CoreStorage                  124.5 GB   disk1s2
       3:                 Apple_Boot Recovery HD      654.6 MB   disk1s3
       4:                  Apple_HFS Timex            124.6 GB   disk1s4
    /dev/disk2
       #:                       TYPE NAME             SIZE       IDENTIFIER
       0:                  Apple_HFS Lion Ex         *124.2 GB   disk2

What once appeared to the OS as a single disk device now registers as two. One contains the two non-encrypted volumes (Recovery HD and Timex) plus the new Core Storage volume, and the other contains the mounted incarnation of the newly encrypted (well, encrypting, in this case) volume. Using the special Core Storage variant of the list command (diskutil cs list) reveals more detail, most of which should now make sense after the earlier terminology review.

    CoreStorage logical volume groups (1 found)
    |
    +-- Logical Volume Group 19566D89-E29A-4C6C-88FA-6B845EF1DEBB
        =========================================================
        Name:         Lion Ex
        Sequence:     1
        Free Space:   0 B (0 B)
        |
        +-< Physical Volume 1A645A01-E149-48B4-8C79-5FD3E20384F1
        |   ----------------------------------------------------
        |   Index:    0
        |   Disk:     disk1s2
        |   Status:   Online
        |   Size:     124509331456 B (124.5 GB)
        |
        +-> Logical Volume Family 58B532AA-B265-4AC7-B53B-12BB039D97B2
            ----------------------------------------------------------
            Sequence:               9
            Encryption Status:      Unlocked
            Encryption Type:        AES-XTS
            Encryption Context:     Present
            Conversion Status:      Converting
            Has Encrypted Extents:  Yes
            Conversion Direction:   forward
            |
            +-> Logical Volume 8A7ACC28-321B-4653-8E85-94CAF047D1DE
                ---------------------------------------------------
                Disk:               disk2
                Status:             Online
                Sequence:           4
                Size (Total):       124190560256 B (124.2 GB)
                Size (Converted):   2539913216 B (2.5 GB)
                Revertible:         Yes (unlock and decryption required)
                LV Name:            Lion Ex
                Volume Name:        Lion Ex
                Content Hint:       Apple_HFS

Lion doesn't make encrypting disks other than the boot disk particularly easy. The Disk Utility application can remove encryption from a volume, change a volume's encryption password, or reformat a volume with encryption enabled (deleting all the data currently on the volume in the process), but there is no option to transparently encrypt a volume without erasing it. Command-line tools to the rescue: diskutil will happily attempt to encrypt any volume you point it at, without erasing it first. Actually, the process is to convert it to a Core Storage volume which may optionally include encryption. Let's encrypt the Timex volume, shown as disk1s4 in the earlier diskutil list output.

    % diskutil cs convert disk1s4 -passphrase mysecret
    Started CoreStorage operation on disk1s4 Timex
    Resizing disk to fit Core Storage headers
    Creating Core Storage Logical Volume Group
    Attempting to unmount disk1s4
    Switching disk1s4 to Core Storage
    Waiting for Logical Volume to appear
    Mounting Logical Volume
    Core Storage LVG UUID: B02B86AC-C487-43B3-8C2E-7918CE80ECDF
    Core Storage PV UUID: 76336EBE-A3B5-4E1E-98B4-8A6873746D86
    Core Storage LV UUID: E1F2E293-9952-425E-A597-0954BA734102
    Core Storage disk: disk3
    Finished CoreStorage operation on disk1s4 Timex
    Encryption in progress; use `diskutil coreStorage list` for status

As the command output indicates, the volume is shrunk slightly to accommodate the Core Storage headers, then the layer cake of logical volume management components is created, at the very bottom of which is the new logical volume. No restart is required to begin the process, which happens transparently in the background just like the one initiated from the GUI. The diskutil cs list command now shows a pair of Logical Volume Groups, each of which is declared to be in the process of encryption. The exact amount of data encrypted and remaining to be encrypted on each volume is also listed.

    CoreStorage logical volume groups (2 found)
    |
    +-- Logical Volume Group 19566D89-E29A-4C6C-88FA-6B845EF1DEBB
    |   =========================================================
    |   Name:         Lion Ex
    |   Sequence:     1
    |   Free Space:   0 B (0 B)
    |   |
    |   +-< Physical Volume 1A645A01-E149-48B4-8C79-5FD3E20384F1
    |   |   ----------------------------------------------------
    |   |   Index:    0
    |   |   Disk:     disk1s2
    |   |   Status:   Online
    |   |   Size:     124509331456 B (124.5 GB)
    |   |
    |   +-> Logical Volume Family 58B532AA-B265-4AC7-B53B-12BB039D97B2
    |       ----------------------------------------------------------
    |       Sequence:               9
    |       Encryption Status:      Unlocked
    |       Encryption Type:        AES-XTS
    |       Encryption Context:     Present
    |       Conversion Status:      Converting
    |       Has Encrypted Extents:  Yes
    |       Conversion Direction:   forward
    |       |
    |       +-> Logical Volume 8A7ACC28-321B-4653-8E85-94CAF047D1DE
    |           ---------------------------------------------------
    |           Disk:               disk2
    |           Status:             Online
    |           Sequence:           4
    |           Size (Total):       124190560256 B (124.2 GB)
    |           Size (Converted):   16999776256 B (17.0 GB)
    |           Revertible:         Yes (unlock and decryption required)
    |           LV Name:            Lion Ex
    |           Volume Name:        Lion Ex
    |           Content Hint:       Apple_HFS
    |
    +-- Logical Volume Group B02B86AC-C487-43B3-8C2E-7918CE80ECDF
        =========================================================
        Name:         Timex
        Sequence:     1
        Free Space:   0 B (0 B)
        |
        +-< Physical Volume 76336EBE-A3B5-4E1E-98B4-8A6873746D86
        |   ----------------------------------------------------
        |   Index:    0
        |   Disk:     disk1s4
        |   Status:   Online
        |   Size:     124551483392 B (124.6 GB)
        |
        +-> Logical Volume Family F02B9A32-10DE-4BDF-9697-00CE1B6F1133
            ----------------------------------------------------------
            Sequence:               6
            Encryption Status:      Unlocked
            Encryption Type:        AES-XTS
            Encryption Context:     Present
            Conversion Status:      Converting
            Has Encrypted Extents:  Yes
            Conversion Direction:   forward
            |
            +-> Logical Volume E1F2E293-9952-425E-A597-0954BA734102
                ---------------------------------------------------
                Disk:               disk3
                Status:             Online
                Sequence:           4
                Size (Total):       124232712192 B (124.2 GB)
                Size (Converted):   94633984 B (94.6 MB)
                Revertible:         Yes (unlock and decryption required)
                LV Name:            Timex
                Volume Name:        Timex
                Content Hint:       Apple_HFS
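A check an administrator could run over this listing, added here as an example (it is not from the review or from Apple): it reads each Logical Volume's conversion fields and reports how many bytes have not been converted yet. The function names and report layout are assumptions, the sample text is the listing above trimmed to the fields used, and field values other than those shown on the page are passed through unchanged.

```python
import re

# The `diskutil cs list` output shown above, trimmed to the fields read here.
SAMPLE = """\
CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 19566D89-E29A-4C6C-88FA-6B845EF1DEBB
|   Name:         Lion Ex
|   +-> Logical Volume Family 58B532AA-B265-4AC7-B53B-12BB039D97B2
|       Encryption Type:        AES-XTS
|       Conversion Status:      Converting
|       Conversion Direction:   forward
|       +-> Logical Volume 8A7ACC28-321B-4653-8E85-94CAF047D1DE
|           Disk:               disk2
|           Size (Total):       124190560256 B (124.2 GB)
|           Size (Converted):   16999776256 B (17.0 GB)
|           Volume Name:        Lion Ex
+-- Logical Volume Group B02B86AC-C487-43B3-8C2E-7918CE80ECDF
    Name:         Timex
    +-> Logical Volume Family F02B9A32-10DE-4BDF-9697-00CE1B6F1133
        Encryption Type:        AES-XTS
        Conversion Status:      Converting
        Conversion Direction:   forward
        +-> Logical Volume E1F2E293-9952-425E-A597-0954BA734102
            Disk:               disk3
            Size (Total):       124232712192 B (124.2 GB)
            Size (Converted):   94633984 B (94.6 MB)
            Volume Name:        Timex
"""

HEADER = re.compile(
    r"^(Logical Volume Group|Physical Volume|Logical Volume Family|Logical Volume)"
    r" ([0-9A-F-]{36})$")
FIELD = re.compile(r"^([^:]+):\s+(.*)$")
BYTES = re.compile(r"^(\d+) B\b")


def parse_cs_list(text):
    """Return one dict per Logical Volume, linked to its family and group."""
    volumes, group, family, target = [], None, None, None
    for raw in text.splitlines():
        line = raw.lstrip(" |+-<>").rstrip()   # drop the tree-drawing prefix
        head = HEADER.match(line)
        if head:
            kind, uuid = head.groups()
            target = {"uuid": uuid}            # fields that follow land here
            if kind == "Logical Volume Group":
                group, family = target, None
            elif kind == "Logical Volume Family":
                family = target
            elif kind == "Logical Volume":
                target.update(group=group, family=family)
                volumes.append(target)
            continue
        field = FIELD.match(line)
        if field and target is not None:
            target[field.group(1)] = field.group(2)
    return volumes


def _bytes(value):
    """Extract the exact byte count from a value like '94633984 B (94.6 MB)'."""
    match = BYTES.match(value or "")
    return int(match.group(1)) if match else None


def conversion_report(text):
    """Encryption properties live on the family; sizes live on the volume."""
    report = []
    for vol in parse_cs_list(text):
        fam = vol["family"] or {}
        total = _bytes(vol.get("Size (Total)"))
        done = _bytes(vol.get("Size (Converted)"))
        known = bool(total) and done is not None
        report.append({
            "volume": vol.get("Volume Name"),
            "disk": vol.get("Disk"),
            "cipher": fam.get("Encryption Type"),
            "status": fam.get("Conversion Status"),
            "direction": fam.get("Conversion Direction"),
            "unconverted_bytes": total - done if known else None,
            "percent_converted": round(100 * done / total, 2) if known else None,
        })
    return report


if __name__ == "__main__":
    for row in conversion_report(SAMPLE):
        print(row)
```

Run against the listing above, this shows that Timex had converted under 0.1% of its data at the moment the command was issued, so nearly all of that volume was still waiting to be encrypted.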

At any point, the encryption process can be reversed (using Disk Utility, the FileVault tab of the Security & Privacy preference pane, or the diskutil command-line program). The decryption process also happens in the background. Changing the encryption password for a disk does not require a lengthy decryption and re-encryption process. I assume FileVault in Lion works like other whole disk encryption solutions in that what the password actually unlocks is the real encryption key for the volume. Changing the encryption password only requires decrypting and re-encrypting the real encryption key, which is tiny. The encryption features that Apple has chosen to provide access to in the GUI reveal a lot about the intention of this feature. First, it's meant to be completely transparent. The only change as far as the user is concerned is that the login screen appears to have moved to the very beginning of the startup process. There is no separate password to remember; the user's login password decrypts the disk. The same goes for every other user with an account on the system. Login passwords are only tied to a boot disk, however. Using login passwords to encrypt disks that may move from one Mac to another could lead to confusion. This partly explains why there's no GUI option for encrypting non-boot disks. The other part of that decision is likely that FileVault is focused on mobile users. None of Apple's laptops have
more than one internal drive, and partitioning is rare and probably only done by users who also know enough to look up the command-line utility to enable disk encryption on their non-boot volumes. Transparent encryption and decryption, perfect software compatibility, a friendly GUI with ample safety nets for non-geek users—what's not to love? Ah, I'm sure you're wondering about performance. All forms of whole disk encryption benefit from the current imbalance between CPU power and disk speed. In almost all circumstances, the CPU in your Mac spends most of its time twiddling its thumbs with nothing to do. This is especially true for operations that involve a lot of disk access. Whole disk encryption takes advantage of this nearly omnipresent CPU cycle glut to sneak in the tiny chunks of work it requires to encrypt and decrypt data from the disk. Apple also leverages the special-purpose AES instructions and hardware on Intel's newest CPUs, further reducing the CPU overhead. The end result is that regular users will be hard-pressed to notice any reduction in performance with encryption enabled. Based on my experience with the feature in prerelease versions of Lion, I would strongly consider enabling it on any Mac laptop I plan to travel with.

File system future

Disk encryption that actually works, plus some basic logical volume management features—that's all well and good. But where does this leave us on the file system front? Perhaps things are not as bad as they seem. The following is all speculation, but given Apple's information vacuum on all things file-system-related, it's all I've got for now. Core Storage is probably the most significant file system change in the history of Mac OS X. Let's think about what it does. Core Storage is responsible for managing the chunks of data that make up the individual logical volumes on a disk.
To do so, presumably it has a set of metadata structures for tracking allocated and free space and for remembering which chunks belong to which volumes. Now imagine that those chunks begin to shrink until they are the size of, say, individual files. And instead of volumes, imagine those file-sized chunks belonging to directories. Okay, it's a stretch, but again, it's all we have to go on. Assuming Apple is happy with the way Core Storage turned out, it has effectively fielded its first brand-new code that performs some of the same basic functions as a file system. Were Apple so inclined, it seems technically plausible, at least, that it could extend this work into a new in-house file system project. With ZFS out of the picture, Btrfs presumably eliminated due to its licensing, and future development of ReiserFS uncertain, it's hard to see where Apple will get the modern file system that it so desperately needs other than by creating one itself.

This is something I've been anticipating for years. I would have certainly welcomed ZFS with open arms, but I was equally confident that Apple could create its own file system suited to its particular needs. That confidence remains, but the ZFS distraction may have added years to the timetable. In the meantime, a few brave souls are still determined to bring ZFS to Mac OS X. I wish them luck, but I would much prefer a solution supported by the operating system vendor. Apple, the gauntlet has been thrown down; it's time to deliver.
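Returning to the FileVault discussion above: the design the review assumes there (each password unlocks the real volume key, so a password change re-encrypts only that small key) can be modelled with per-user key slots. This is an added example, not Apple's implementation or on-disk format; the PBKDF2 parameters, the HMAC-based stand-ins for a real key-wrap algorithm and for AES-XTS, and every name and sample secret are assumptions.

```python
import hashlib
import hmac
import os


def derive_kek(secret, salt):
    """Key-encryption key from a password or recovery key (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


def _stream(key, label, length):
    """HMAC-SHA256 in counter mode: a stand-in keystream, not AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(kek, volume_key):
    """Encrypt-then-MAC the volume key under one KEK (stand-in for key wrap)."""
    nonce = os.urandom(16)
    body = _xor(volume_key, _stream(kek, b"wrap" + nonce, len(volume_key)))
    tag = hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong password or damaged key slot")
    return _xor(body, _stream(kek, b"wrap" + nonce, len(body)))


class EncryptedVolume:
    """At rest, only ciphertext and wrapped copies of the volume key exist."""

    def __init__(self, plaintext, secrets):
        volume_key = os.urandom(32)          # generated once, never changes
        self.ciphertext = _xor(
            plaintext, _stream(volume_key, b"data", len(plaintext)))
        self.slots = {}                      # name -> (salt, wrapped key)
        for name, secret in secrets.items():
            self._add_slot(name, secret, volume_key)

    def _add_slot(self, name, secret, volume_key):
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap(derive_kek(secret, salt), volume_key))

    def unlock(self, name, secret):
        salt, blob = self.slots[name]
        return unwrap(derive_kek(secret, salt), blob)

    def read(self, name, secret):
        key = self.unlock(name, secret)
        return _xor(self.ciphertext,
                    _stream(key, b"data", len(self.ciphertext)))

    def change_password(self, name, old, new):
        # Only this user's slot is rewritten; self.ciphertext is untouched.
        self._add_slot(name, new, self.unlock(name, old))

    def add_user(self, authorizer, authorizer_secret, name, secret):
        # Someone who can already unlock the volume enables another user.
        self._add_slot(name, secret, self.unlock(authorizer, authorizer_secret))


if __name__ == "__main__":
    data = b"constructed sample sector " * 100
    vol = EncryptedVolume(data, {"alice": "first password",
                                 "recovery": "CONSTRUCTED-RECOVERY-KEY"})
    before = vol.ciphertext
    vol.change_password("alice", "first password", "second password")
    print("ciphertext rewritten:", vol.ciphertext != before)
    print("slot size in bytes:", len(vol.slots["alice"][1]))
    print("recovery key still works:",
          vol.read("recovery", "CONSTRUCTED-RECOVERY-KEY") == data)
```

Each slot is 80 bytes regardless of volume size, which is why a password change finishes immediately while the initial conversion of the disk takes hours.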

Document revisions

Lion's modernized document model leans heavily on the ability to manage multiple versions of a single document. Viewed solely through the user interface, it appears to be magic. Unlike earlier incarnations of autosave, you won't see auto-generated files appearing and disappearing alongside the original document. But the data obviously has to be stored somewhere, so where is it? Despite all its flaws, the Mac OS X file system does have several features that might be useful for saving multiple versions of files. Version number metadata could be stored in an extended attribute; the file data itself could conceivably be stored in named forks; the existing invisibility metadata could be used to hide the multiple versions. Although Apple has gotten religion regarding file system metadata in recent years, leaning heavily on extended attributes in the implementation of Time Machine, downloaded file quarantines, and access control lists, metadata holdovers from classic Mac OS are still out of favor. If Spotlight's implementation has taught us anything, it's that today's Apple prefers to keep things simple when it comes to the file system. Given all of this, I wasn't surprised to find a /.DocumentRevisions-V100 directory lurking at the root level of my boot drive, right alongside the /.Spotlight-V100 directory. Inside, you'll find an SQLite database file (/.DocumentRevisions-V100/dbV1/db.sqlite) containing tables for tracking files, the individual versions of those files (which Apple calls "generations"), and the storage location of the data. Here's the schema, for the curious.

    CREATE TABLE files (
      file_row_id INTEGER PRIMARY KEY ASC,
      file_name TEXT,
      file_parent_id INTEGER,
      file_path TEXT,
      file_inode INTEGER,
      file_last_seen INTEGER NOT NULL DEFAULT 0,
      file_status INTEGER NOT NULL DEFAULT 1,
      file_storage_id INTEGER NOT NULL
    );

    CREATE TABLE generations (
      generation_id INTEGER PRIMARY KEY ASC,
      generation_storage_id INTEGER NOT NULL,
      generation_name TEXT NOT NULL,
      generation_client_id TEXT NOT NULL,
      generation_path TEXT UNIQUE,
      generation_options INTEGER NOT NULL DEFAULT 1,
      generation_status INTEGER NOT NULL DEFAULT 1,
      generation_add_time INTEGER NOT NULL DEFAULT 0,
      generation_size INTEGER NOT NULL DEFAULT 0
    );

    CREATE TABLE storage (
      storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT,
      storage_options INTEGER NOT NULL DEFAULT 1,
      storage_status INTEGER NOT NULL DEFAULT 1
    );

Unlike Time Machine, Apple's file version storage system is not limited to saving a complete copy of each new revision of a file. A second SQLite database (/.DocumentRevisions-V100/.cs/ChunkStoreDatabase) tracks the individual chunks that differ from one revision of a file to another. (Examining its schema is left as an exercise for the reader. Just remember to copy the database file to a new location and run the sqlite3 program on the copy instead of the actual database, which will likely be locked anyway.) Intelligently splitting files into chunks such that only a few chunks change from one revision to another is actually quite a difficult problem. Consider a 10MB file, initially split into ten 1MB chunks. Now imagine that the next revision of the file simply adds two bytes to the very beginning of the file. Were the new revision to be naïvely split into ten equal-sized chunks, every chunk would be different from all previously created chunks, defeating the entire purpose of splitting files into chunks rather than saving complete copies every time. One technique Apple uses to deal with this problem is called Rabin fingerprinting. Chunks of the file are selected based on their content, rather than strictly based on their offset within the file. (The title of the research paper that introduced this technique, A Low-bandwidth Network File System, suggests that it might also be useful for, say, a network-based file storage system. Hmmm.) This algorithm is not blindly applied to every file, however. The chunk storage engine knows about the internal structure of many common file formats (e.g., JPEG images, MPEG4 video, PDFs) and can intelligently chunk them based on this knowledge, separating headers and footers, finding the borders between internal elements, and so on. Unlike Spotlight, there doesn't appear to be a plug-in system for adding explicit
support for new file types. Custom file types saved by third-party applications appear to be left to the whims of Rabin fingerprinting. Very small files (under, say, 32KB) appear not to be chunked at all. Chunking is not guaranteed to happen immediately when a file is saved; it may happen at a later time. Very large files are generally split into larger pieces, preventing a situation where a 2GB file produces thousands of chunks. This whole show is run by a new, private GenerationalStorage.framework which includes a daemon named revisiond. (There's an interesting opportunity here for a third-party developer to create an "unauthorized" application for browsing the contents of the generation store, perhaps even hacking in a new context menu item in the Finder for listing previous revisions of a selected file. An application like this probably won't be allowed into the Mac App Store, and it's likely to break in the next OS revision, but it may still find enough customers to be worthwhile.) Apple's generational storage system is an interesting mix of tried-and-true technologies (SQLite, daemons, plain files and directories) with just enough cleverness to avoid being an undue burden to the system in operation. And remember, every single file created on the system is not automatically versioned in Lion. Generational storage is a feature that developers must explicitly use. I sure hope a lot of them do so.
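The two-byte-prefix problem described above can be reproduced in a few lines. This is an added example, not Apple's chunk store code: it uses a simple polynomial rolling hash as a stand-in for a true Rabin fingerprint, scales the review's 10MB file and 1MB chunks down to 256 KiB and 4 KiB so it runs quickly, omits the minimum and maximum chunk sizes a production chunker would enforce, and all names and constants are assumptions.

```python
import hashlib
import random

WINDOW = 48                       # bytes of content the rolling hash looks at
BASE = 257
MOD = (1 << 61) - 1
AVG = 4096                        # a boundary fires for about 1 in AVG windows
DROP = pow(BASE, WINDOW - 1, MOD) # weight of the byte leaving the window


def fixed_chunks(data, size=AVG):
    """Naive split at fixed offsets."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def content_defined_chunks(data):
    """Cut wherever the hash of the last WINDOW bytes hits a chosen value.

    The cut points depend only on nearby content, so inserting bytes early
    in the file shifts later boundaries without changing the chunks.
    """
    chunks, start, h = [], 0, 0
    for i, byte in enumerate(data):
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * DROP) % MOD   # slide the window
        h = (h * BASE + byte) % MOD
        if i >= WINDOW - 1 and h % AVG == AVG - 1:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])                   # tail after last cut
    return chunks


def shared(old_chunks, new_chunks):
    """Number of distinct chunks the new revision can reuse from the old."""
    def digests(chunks):
        return {hashlib.sha256(c).digest() for c in chunks}
    return len(digests(old_chunks) & digests(new_chunks))


def sample_file(size=256 * 1024, seed=1107):
    """Constructed test data: deterministic pseudo-random bytes."""
    return random.Random(seed).getrandbits(8 * size).to_bytes(size, "big")


def compare(old, new):
    """Map each strategy to (chunks reused, chunks in the old revision)."""
    result = {}
    for name, chunker in (("fixed", fixed_chunks),
                          ("content-defined", content_defined_chunks)):
        a, b = chunker(old), chunker(new)
        result[name] = (shared(a, b), len(a))
    return result


if __name__ == "__main__":
    old = sample_file()
    new = b"\x00\x01" + old       # next revision: two bytes added at the front
    for name, (reused, total) in compare(old, new).items():
        print(f"{name}: {reused} of {total} chunks reused")
```

With fixed offsets nothing is reused; with content-defined boundaries every chunk except the first one survives the edit.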

Resolution independence

Resolution independence has been "coming soon to Mac OS X" since 2005. The dream of drawing the same interface elements at the same visible size but with more pixels was so close in 2007 that we could taste it. Then Snow Leopard arrived and the Mac's interface scalability features actually regressed. Depressing. Meanwhile, Mac OS X's sibling operating system waltzed right into a high-resolution UI on its very first try. iOS's secret? Don't try to support arbitrary scale factors, just support one: double resolution. A 50x50-pixel square on a non-retina iPhone screen is exactly the same size as a 100x100-pixel square on a retina display. Graphics that have not been updated for the higher resolution are simply drawn with four-pixel squares in place of each low-resolution pixel. All dimensions are nice, even, integer multiples of each other. This is a perfect fit for physical screens which, of course, have an integer number of pixels. Fractional measurements necessarily require ugly compromises. Lion has taken the hint from its younger brother. Arbitrary scalability is gone. In its place is a single check box to enable "HiDPI" display modes. (This option is still hidden away in the Quartz Debug application, so it's clearly not an end-user feature. But unlike all previous incarnations of resolution independence, this one actually works.)

HiDPI display modes on a 15-inch MacBook Pro (native resolution: 1440x900)

After enabling HiDPI, new display modes will become available. In the screenshot above, the 720x450 mode is half native screen dimensions, and the 640x400 mode is half the (non-native) 1280x800 setting. After selecting a HiDPI mode, everything is drawn with twice as many pixels as its non-HiDPI equivalent. Here's a screenshot featuring TextEdit, our usual interface scalability workhorse.

TextEdit running in Lion's "HiDPI" mode

It looks pretty good, right? The only flaws are the bitmap graphics that haven't been updated for HiDPI (look closely at the black triangles in the ruler). Unfortunately, there are a lot of these throughout the operating system and its bundled applications. But unlike in all years past, the framework is finally there for third-party developers and
Apple itself to finally get their applications ready for a world in which 300-dpi desktop and laptop displays are more than just expensive curiosities. Unlike iOS, Mac OS X has to contend with a much wider variety of display sizes. Thus far, there has been no Mac equivalent of the iPhone 4, arriving with a double-density display and quickly selling so many units that it represents a significant portion of the installed base. Still, the ease with which iOS developers adapted to the retina display gives me confidence that this pixel-doubling approach can work on the Mac as well. We just have to wait a bit longer. By now, we should be used to it.

Applications

Thanks to the comprehensively revised user interface, most applications that ship with Lion look new, but a few of them have particularly significant changes. I'm not going to cover all of them (you'll find more extensive screenshot galleries elsewhere on the Web, I'm sure), but here are some highlights.

The Finder

The Finder's transition from Carbon to Cocoa in Snow Leopard is starting to pay off in Lion. Several new APIs added to Cocoa in Lion have been adopted by the Finder. In days past, when the Finder was still a Carbon application, it rarely got the latest and greatest features at the same time as other bundled applications. No more. Cocoa in Lion gives developers more control over the image displayed when an item is dragged from one place to another. The Lion Finder uses this control to transform multi-item selections from the usual ghostly image of the source into a compressed, realigned, list-view representation. This transformation happens a moment or two after the drag begins. While this is a fine demonstration of a new API, the experience is a bit off-putting. Imagine taking a dish out of the dishwasher and then having it start flopping around like a fish in your hand. This is a rare case of Apple losing sight of what's important in real-time interaction design. Stability and responsiveness lead to comfort. A transformative animation (instability) that happens after a short delay (the appearance of unresponsiveness) does not make for good experience. I wonder how many novice users will instinctively release the mouse button and inadvertently terminate the drag operation the first time this animation is triggered. The Finder also proudly demonstrates Lion's new capsule-style search tokens. Free text can be entered into the search field as usual, but a pop-up menu provides options to limit the scope of the search terms typed so far. The only two options available are "Filename" and "Everything," but the interface is fun and easy to use, and the potential is there for much more sophistication. (For more complex searches, the full-fledged Spotlight search with nested boolean logic remains in Lion.)

Search tokens

By default, at the top of the Lion Finder's sidebar is the new "All My Files" item. It's a canned search that finds all documents in the user's home directory and displays the
results in a flat list. The sidebar item representing the computer as a whole, showing all attached drives and connected servers, is still available, but is not in the sidebar by default. The same goes for the home directory item. The other predefined saved searches (e.g., Today, Yesterday, All Images, etc.) are no longer available, though they can be recreated manually.

All My Files combined with a secondary filter, arranged by kind

The addition and prominence of "All My Files" is yet another vote of no-confidence in the user's ability to understand and navigate the file system. If you've ever seen a Mac user try to navigate from the top level of his hard drive down to his Documents folder, you can begin to understand the challenge Apple is up against here. The "All My Files" item is just what the doctor ordered. In the increasingly rare cases when novices use the Finder directly, rather than managing their data from within an application like iTunes or iPhoto, all they want to know is, "Where are all my files?" Asked and answered. Expert users with thousands upon thousands of files will likely find the "All My Files" feature less useful. But if you stop thinking of it as a "location" and start thinking of it as a saved search to which you can apply additional filters with the toolbar's search field, it starts to get more interesting. The only remaining barrier is performance, which does suffer as the number of files increases.

All of the existing Finder view styles (icon, list, column, and cover flow) support a new "Arrange By" option which sorts items into groups. Each group has a header which "sticks" to the top of the window as the view is scrolled, until the last item belonging to that group scrolls off the top of the list. The columns in the group headers are frustratingly un-configurable and can't be individually resized. But those quibbles aside, the feature does add an interesting new dimension to file browsing. A new sort order has also been added to all views: Date Added. This is an ideal order for the Downloads folder. Sorting by creation or modification date was always problematic for files that preserved their timestamps through the download process (e.g., zip-compressed Mac applications). This would cause "new" downloads to appear in unexpected positions in the list. I'm tempted to declare Date Added sorting as the best new feature in the Finder, but I'm afraid that might seem like damning with faint praise. Aesthetically speaking, the Finder, like the rest of Lion, has been visited by the color vampire. The Finder sidebar doesn't even honor custom folder icons, showing them as generic gray folders instead. That seems a little tyrannical, even for Apple.

The only good folder is a gray folder

This paternalism extends to other aspects of the Finder, as well. Items can no longer be dragged out of the sidebar; a context menu must be used instead. Presumably, this is to prevent accidental deletion during fumbled drag operations. In the same vein, Library folders are now invisible in the Finder, removing the temptation for novice users to go mucking around in directories they don't understand. The "Go to Folder…" menu command still exists, so customer support has some way, at least, to get users there without resorting to a shell prompt. But existing support documents that include instructions and screenshots that expect the Library folder to be visible will have to be revised for Lion.

View options

The Finder's destructive mix of browser and spatial behaviors remains in Lion. The tradition of subtly changing the rules that govern when, where, and how view state changes are applied and honored also continues. Just in case anyone thought they had finally figured out how the Snow Leopard Finder decides what view to show when displaying the contents of a folder in a particular window, Lion changes the rules again. The controls at the top of the view options palette now include a mysterious sub-checkbox labelled "Browse in view," where view is the window's current view style. This appears to govern the view used when opening sub-folders from a window where the toolbar is visible, but a little experimentation will reveal that the setting is overridden by any "Always open in view" setting of a sub-folder. The end result is the same as it has ever been: an inscrutable system that users quickly give up any hope of understanding, resigning themselves to manually correcting view styles as needed during every interaction with the Finder.

Mail

Apple's venerable Mail application gets a significant facelift in Lion. Once derided as one of the ugliest bundled applications, it's now been transformed into the classiest. (It doesn't hurt that the competition has stumbled a bit.) The screenshot below is dominated by the glossy Apple promotional e-mail for Lion in the right-hand pane, but look past it at the surrounding interface.

Mail in Lion: a class act

Or rather, look at how much of the surrounding interface isn't there. With the exception of the toolbar, this window is completely about the content. There are no external borders, only the barest hint of internal borders, and, as befitting a true Lion application, no visible scrollbars. The toolbar and quick-access button bar follow the monochromatic Lion style while still looking crisp. The cheeky red flag icon is also a nice touch. After years of unsupported hacks to add a three-pane wide-screen view to Mail, Apple has finally taken the hint and made it official. There's also, naturally, a full-screen mode.

At last, widescreen three-pane Mail for all

Like the Finder, Mail's search field supports Apple's snazzy new search tokens. These provide the fastest way to do medium-complexity searches that I've ever seen in any email application. It's too bad the search field is so narrow and doesn't expand to fill all available space in the toolbar, however. The main viewing pane shows entire threads by default, with each message appearing as a separate virtual piece of paper. Mail aggressively collapses quoted text within messages, displaying an adorable accordion effect upon expansion.

Mail plays an accordion animation when expanding quoted text

Keyboard support is excellent, allowing one-handed navigation for most common tasks. Expanding a thread and selecting a single message causes it to fill the right-hand pane, leaving behind the conceit that each message is actually a little piece of paper. Mail has become more capable, as well. Simple rich text editing capabilities have finally been added. Mail is also even better about automatically setting up accounts for common services. The account setup screens just ask for a name, e-mail address, and password, and will usually do everything else for you, including (optionally) correctly configuring and integrating calendar and chat services that might be associated with the e-mail account (e.g., Google Calendar and Talk).

Rich text editing: let your font flag fly

If, like me, you never seriously considered using any of the previous incarnations of Apple's Mail application, the version in Lion is definitely worth taking for a test drive—even if only as a chance to experience an application that so thoroughly embraces the technology and aesthetic of the new operating system.

Safari

Besides adding support for another crop of new Web technologies (MathML, WOFF, CSS3 enhancements), the biggest change in Safari is its aforementioned use of the new WebKit2 rendering engine, which moves webpage rendering into a separate, low-privilege process. (Previous versions of Safari already isolated plug-ins in separate processes.) This change is invisible to the user, but it should provide an additional layer of protection against browser-based exploits.

Safari's downloads window has been subsumed into the toolbar and is now displayed as an iPad-style popover. (This is a standard control available to all Cocoa applications in Lion.) When starting a download, an icon leaps from the point of the click into the downloads toolbar icon, which then displays a tiny progress bar. It's cute, informative for novices, and keeps the downloads window out of the way.

Safari downloads in a popover

A small eyeglasses icon in the bookmarks bar triggers Apple's new Reading List feature, which saves the currently displayed webpage for later reading. This list of webpages is (or rather, will be) synchronized with Safari in iOS 5. Saved pages appear in the sidebar, accompanied by unattractively scaled favicons.

Safari's Reading List: save webpages to read later. (High-resolution favicons recommended.)

Reading List follows in the somewhat dubious footsteps of other Apple products that have clearly been "inspired," let's say, by popular third-party services. As was the case when Safari added rudimentary support for RSS, Reading List is unlikely to dislodge users who are already comfortable with their existing read-it-later service. But most people have never even heard of such a thing. Reading List's prominent placement in Safari will certainly spread awareness. This could translate into more customers for competing services, even as Reading List takes the lion's share (sorry) of users. One last note on applications. The Finder, Mail, Safari, TextEdit, and even Terminal all support full-screen mode and restore all their windows when relaunched. Apple is definitely trying to lead by example.

Grab bag

As this review winds down, let's relax with a little dip into the old grab bag, a grand tradition where the smaller features get their chance to shine. As in years past, Apple has its own, much snazzier and more complete incarnation. Check it out if you want a broader overview of Lion's new features. These are just the ones that piqued my interest.

System Preferences

System Preferences have been shuffled, consolidated, and renamed in every major release of Mac OS X. Lion doesn't disappoint. The preference formerly known as Appearance is now called General, and it includes a checkbox to globally disable application state restoration. The Exposé & Spaces preference is now called Mission Control. Security becomes Security & Privacy. Accounts is now Users & Groups—a welcome change because, in my experience, most people don't know what an "account" is. Universal Access moves to the top row. And on and on. Dance, icons, dance!

Your favorite system preferences: where are they today?

Individual preference icons can be manually hidden by the user thanks to the new "Customize…" menu item. (They will remain accessible from the View menu and via search.)

Hide the preferences you're not interested in

Click and hold on the "Show All" button to quickly jump from one preference to another via a drop-down menu. The View menu provided the same functionality in Snow Leopard, but the "Show All" button is closer to where the cursor is likely to be.

Take a direct flight to your next preference pane

Perhaps surprisingly, the MobileMe preference remains. It's joined by the new, awkwardly named Mail, Contacts & Calendars preference which manages, well, mail, contacts, and calendar accounts for a variety of online services.

Centralized online service account management

This includes the ever-popular "Other" service, which leads to a set of more generic configuration screens for other protocols and applications.

Manual configuration and more esoteric account types

The trackpad preference pane allows some, but not all, of the new gestures in Lion to be configured in limited ways. For example, the Mission Control gesture must always be an upward swipe, but it can use three or four fingers. All of the gestures can be disabled.

Limited choices for gesture configurations

Finally, in case you needed any more evidence of Apple's newfound aversion to color in the Mac OS X interface, take a look at the new time zone selection screen.

Your world, all silvery in the moonshine

Auto-correction

Lion adds optional auto-correction to the standard Mac OS X text control. It looks and works just like the iOS incarnation from which it's so clearly derived. Like the existing spelling and grammar checking options, auto-correction can be enabled on a per-document basis.

I eagerly await the Compose Text Automatically option

System-wide auto-correction: try to resist the urge to tap the screen

Mobile Time Machine

Time Machine isn't much help when you're on the road with your laptop. None of Apple's portable Macs include more than one internal drive, and making a Time Machine backup to another partition of the same drive kind of defeats the purpose. Lion includes a new, mostly invisible feature whereby Time Machine backups continue even when the backup volume is not mounted. This feature is only active for laptops (which is a shame), and it runs whether Time Machine is enabled or not.

The implementation is strange. The mtmfs (Mobile Time Machine file system) daemon runs an NFS server on localhost which is then mounted at /Volumes/MobileBackups. In it, you'll find the usual Backups.backupdb directory structure that Time Machine creates for its backups. The actual copies of new and changed files—and only those files—are stored in /.MobileBackups by the mtmd daemon. When the Time Machine volume is mounted again, local backups are consolidated and copied onto it.

This system provides some basic data protection for users on the go, beyond what's offered by applications that support Lion's autosave APIs. Mobile Time Machine, like regular Time Machine, tracks all file changes, not just those made by certain applications. There is some obvious overlap between Mobile Time Machine and the generational store used to support document versioning in Lion. Having two entirely separate storage locations and techniques for backup copies of files is suboptimal; perhaps the backends for these two features will merge in the future.

Lock screen

Lion's new lock screen has been restyled to match the login screen, with options to unlock or switch users, and it comes with the same subset of menu bar status icons visible in the top-right corner.

Lion's new lock screen

The old lock screen didn't allow account switching. If you didn't know the current user's password, you were stuck. This was especially annoying on a shared Mac.

Emoji

Lion adds Emoji support to Mac OS X. So that happened.

FACE WITH NO GOOD GESTURE (U+1F645); MOON VIEWING CEREMONY (U+1F39); PILE OF POO (U+1F4A9)

Terminal

The Terminal application gets a few more graphical frills, sporting a new parameter for window blur, with separate settings for active and inactive windows. The bundled Silver Aerogel theme demonstrates the effect.

"I want to know what's behind my terminal window, but I don't want to know every detail."

Terminal also—finally—supports 256 text colors with its new xterm-256color terminal type. Users of terminal-based text editors will surely approve.

About This Mac

The System Profiler application has been renamed System Information and now includes a comprehensive, easy-to-understand overview of the entire system. The copious links to support documents, relevant preferences, and channels for feedback are fantastic. This will be the new go-to location for anyone trying to remotely diagnose a Mac problem. As before, it's most easily accessed by going to the Apple menu and selecting About This Mac, then clicking the "More Info…" button.

Don't worry, geeks, the old System Profiler interface with its much more detailed technical information is still accessible via the "System Report…" button. But it's likely that you'll rarely need the extra detail. Take a look at what the new screens offer.

Tech specs never looked so good

Did you know that your display has a manual?

There sure seems to be a lot of "other"

Unfilled RAM slots are sinful. I am ashamed.

Five ways to get support An excellent executive summary of warranty information and service options

Recommendations

Even at Ars Technica, a certain percentage of readers just want to know the bottom line about a new operating system. Is this a good release? Is it worth the price and the hassle of installing it? Excluding the first few dog-slow, feature-poor releases of Mac OS X, the answer to all those questions has always been a resounding "yes." Lion continues this tradition, more than earning its $29 price with a raft of new technologies and a substantially revised interface and suite of bundled applications.

The standard caveats apply about software and hardware compatibility. Don't just run out and upgrade your system as soon as you finish this review. Lion's digital distribution makes hasty upgrades even more likely. Patience! Take a few days—weeks, even—to research all of your favorite applications and make sure they all run fine on Lion. If you're still using some PowerPC applications, don't upgrade until you have replaced them with Intel-native alternatives. And before you upgrade, backup, backup, backup.

All that you can't leave behind

Though the Lion name suggests the end of something, the content of the operating system itself clearly marks the start of a new journey. Seemingly emboldened by the success of iOS, Apple has taken a hatchet to decades of conventional wisdom about desktop operating systems.

The same thing happened ten years ago in an even more dramatic fashion when Apple replaced classic Mac OS with Mac OS X. The new operating system changed the rules on the desktop, wedding composited graphics, smooth animation, and photorealistic artwork to a solid Unix foundation. Apple tried to leave all vestiges of its old operating system behind—the platinum appearance, the Apple menu, even the desktop itself—but eventually bowed to some demands of long-time Mac users.

Lion's changes will no doubt meet with similar resistance from experienced Mac users, but I suspect Apple will remain unmoved this time around. In the same way that Mac OS X so clearly showed the rest of the industry what user interfaces would look like in the years to come, Apple's own iOS has now done the same for its decade-old desktop operating system.

iOS was less shocking to users because it appeared to come from nothing, and the mobile operating system conventions it defied were ones that nobody liked anyway. The same is not true on the desktop, where users cling like victims of Stockholm syndrome to mechanics that have hurt them time and again.

It may be many years before even half of the applications on a typical Mac behave according to the design principles introduced in Lion. The transition period could be ugly, especially compared to the effortless uniformity of iOS. In the meantime, let Apple's younger platform serve as a lighthouse in the storm. The Mac will always be more capable than its mobile brethren, but that doesn't mean that simple tasks must also be harder on the Mac. Imagine being able to stick a computer neophyte in front of an iMac with the same confidence that you might hand that neophyte an iPad today.

The technical details of Apple's operating system that were once so important that they practically defined its existence (e.g., memory protection, preemptive multitasking) are now taken for granted. Mainstream reviews of software and hardware alike spend far less time pondering technical specifications and implementation details than they did only a few years ago. This phenomenon extends even to the geekiest among us, those who didn't just skip to the conclusion of this review but actually read the entire thing. Fellow geeks, ask yourselves, do you know the clock speed of the CPU in the device you're reading this on? Do you know how much RAM it has? What about the memory bus speed and width? Now consider what your answers might have been ten years ago.

Over the past decade, better technology has simply reduced the number of things that we need to care about. Lion is better technology. It marks the point where Mac OS X releases stop being defined by what's been added. From now on, Mac OS X should be judged by what's been removed.

Credits

Cover design by Aurich Lawson (http://aurichlawson.com), PDF, ePub, MOBI authoring by Clint Ecker (http://clintecker.com)

Copyright Information

Copyright Condé Nast. The following disclaimer applies to the information, trademarks, and logos contained in this document. Neither the author nor Condé Nast Digital make any representations with respect to the contents hereof. Materials available in this document are provided "as is" with no warranty, express or implied, and all such warranties are hereby disclaimed. Condé Nast Digital assumes no liability for any loss, damage or expense from errors or omissions in the materials available in this document, whether arising in contract, tort or otherwise. The material provided here is designed for educational use only. The material in this document is copyrighted by Condé Nast Digital, and may not be reprinted or electronically reproduced unless prior written consent is obtained from Condé Nast Digital. Links can be made to any of these materials from a WWW page, however, please link to the original document. Copying and/or serving from your local site is only allowed with permission. As per copyright regulations, "fair use" of selected portions of the material for educational purposes is permitted by individuals and organizations provided that proper attribution accompanies such utilization. Commercial reproduction or multiple distribution by any traditional or electronic based reproduction/publication method is prohibited. Any mention of commercial products or services within this document does not constitute an endorsement. "Ars Technica" is trademark of Condé Nast Digital. All other trademarks and logos are property of their respective owners.
