iOS Dev Weekly - iOS Dev Weekly - Issue 668

Should we all move to CocoaPods to avoid security issues? It’s a bit more complicated than that. 🔐

iOS Dev Weekly

View on the Web    Archives

ISSUE 668  July 5th 2024




This story of a CocoaPods security problem set me wondering about the state of dependency management in Swift again this week.

First, the security issue was a serious supply chain vulnerability, with potential attackers able to claim ownership of abandoned libraries. It stemmed from the migration to the CocoaPods “trunk” system in 2014 and while this image doesn’t give a date for when the vulnerability started, I think the public API (and therefore the vulnerability) has been available for several years.

I don’t write this to criticise CocoaPods. Once reported it was handled responsibly, fixed quickly, and there was no evidence of it being exploited. But, the truth is that CocoaPods doesn’t have as many eyes on its maintenance as it used to and it’ll only lose more popularity as more people adopt SwiftPM. The maintenance team are all volunteers and do a great job of a thankless task, but SwiftPM is the future.

But is SwiftPM safe from supply chain attacks? Not in the way that 99% of people use it. There’s an obvious supply chain vulnerability which is implicit in importing a dependency directly from tags in a git repository with SwiftPM. Git tags are not immutable and can be moved at the package author’s convenience, so if you built SomeDependency v3.2.4 into your app and shipped it to the store, it’s not guaranteed to be the same code I have in my app if I also depend on SomeDependency v3.2.4. Yes, that’s not in the same ballpark of security issues as being able to take ownership of someone else’s package, but it’s still serious enough.

So what’s the solution? Do we need a whole new package manager? No, we just need to use SwiftPM package registries. Supported since Swift 5.7, SwiftPM has full support for package registries. Package registries treat versions of packages as immutable and serve zipped archives of packages rather than needing to check out a git repository. They are quicker in use and inherently more secure.

Some artefact hosting companies have even shipped registry implementations as part of their products. JFrog Artifactory announced support in 2022, AWS CodeArtifact in 2023, and just this May Cloudsmith joined in.

What doesn’t yet exist is a public open-source package registry hosting all the packages in, for example, a package index. Sven and I are very aware of that and have been considering whether it might be something we could add to the Swift Package Index. We’ve got nothing to announce today, but when everyone can use a package registry rather than git-based source code dependencies, we’ll get a step forward in dependency management for Swift, too.

Dave Verwer  Permalink


  Sponsored Link  


Worried about losing Microsoft App Center?

Bitrise has you covered! With Microsoft retiring its Visual Studio App Center, many developers are looking for robust, reliable alternatives. Bitrise's Release Management is not just a replacement, but a comprehensive upgrade for your mobile app development needs. Learn more.  Permalink




Plotting a Path to a Package Ecosystem without Data Race Errors

Here’s some more information published on the blog from Sven A. Schmidt and me about the Ready for Swift 6 project we're working on this summer at the Swift Package Index. We also just finished a test run using Xcode 16 beta 2, and the number of packages without data races continues to rise. Progress!  Permalink




Make videos with SwiftUI

What a fun idea from Jordan Howlett. Have you ever wanted to make motion graphics for video with SwiftUI? Now you can, with his new library, StreamUI. Read the forum post above for a little background, or watch the sample video to see what it can create.  Permalink


Zoom transitions

Having access to some of the fancier transitions that Apple has perfected in the operating system over the years is so great. It not only makes apps that use them smoother and easier to use, but it increases consistency with third-party apps and the platform, too. Here’s Douglas Hill teaching us about this year’s new zoom transition.  Permalink


Consolidated ViewState

I found myself nodding along as I read this little tip from Luda Fux. My first attempts with SwiftUI were full of isLoading and isPresented booleans. Is there a better approach? There is!  Permalink


Diffuse reflection UV computation tool

I’d recommend watching this WWDC session video before reading this post from Cristian Díaz that explains how to generate the “emitter and attenuation UVs” necessary to make this really impressive effect work.

I wish I had a Vision Pro so I could experience these things! Luckily, I did order one last week when they went on sale in the UK! 💸  Permalink


Is this the best VR development environment?

What an interesting screenshot from James Thomson! I can't imagine the PSVR2 or Meta Quest development environment allowing anything close to this.  Permalink


  Business and Marketing  


Our App Store screenshot nightmare is (almost) over

This is amazing news! 🎉 I had missed this announcement, so thanks to Jesse Squires for writing it up.  Permalink




Software Engineer, iOS @ amo – Amo values speed, creativity, and high performance. Focused on meaningful social apps, they prioritize creation over consumption and simple, fun experiences. The diverse, skilled team uses a modular monorepo tech stack with Rust, Bazel, and RxSwift, leveraging efficient data processing on GCP. – On-site (France)

Senior iOS Engineer @ Leica Camera AG – We are looking for an experienced iOS developer to join our team. We are working as a small, fast-moving unit within Leica, so we are looking for team members who can take charge of projects and work independently. It’s a bonus (but not required) if you are passionate about photography! – Remote (within European timezones) or on-site (Germany)

Product Engineer (iOS, Full-Stack) @ Emerge Tools – Have a huge impact working with our small, technically elite team (just 8), build tools used some of the biggest & best mobile teams in the world (DoorDash, Square, Spotify, Duolingo, Tinder, Bumble) – Remote (within US timezones)

Senior iOS Developer @ Komoot – Your work will contribute to helping millions of people enjoy lovely outdoor experiences and you can work from wherever you want, be it a beach, the mountains, your house, or anywhere else that lies in any time zone between UTC-1 and UTC+3. – Remote (within European timezones)



Are you looking for a job? Get yourself over to iOS Dev Jobs where even more opportunities await!



  And finally...  


Tell me you’re a Swift developer without telling me you’re a Swift developer. 😂


You received this email because you subscribed via the iOS Dev Weekly site.
We'll be sorry to see you go but you can unsubscribe instantly.
iOS Dev Weekly is published by Verwer Services Ltd. with a registered office at 5 Albert Road, Southsea, Hampshire, England, PO5 2SE.



©2024 iOS Dev Weekly | Privacy Policy | Mastodon | Suggest a Link
Published with Curated

Older messages

iOS Dev Weekly - Issue 667

Friday, June 28, 2024

No comment from me this week, but there are plenty of links! 🥂 View on the Web Archives ISSUE 667 June 28th 2024 Comment Time got away from me so quickly today that by the time I would normally be

iOS Dev Weekly - Issue 666

Friday, June 21, 2024

WWDC isn't completely over just yet! How about a chance to get together with your peers to watch some videos at Apple offices around the world? 🗺️ View on the Web Archives ISSUE 666 June 21st 2024

iOS Dev Weekly - Issue 665

Friday, June 14, 2024

Ready for a recap of WWDC? Before we get to that, I want to talk about some masterful marketing from Apple this year. ✨ View on the Web Archives ISSUE 665 June 14th 2024 Comment What a week! I hope you

iOS Dev Weekly - Issue 664

Friday, June 7, 2024

Don't forget about visionOS and the Vision Pro this WWDC! 🥽 View on the Web Archives ISSUE 664 June 7th 2024 Comment One thing we'll certainly hear more about on Monday is visionOS. We'll

iOS Dev Weekly - Issue 662

Monday, June 3, 2024

The new developer forum refresh must mean it's nearly time for WWDC! 🎉 View on the Web Archives ISSUE 662 May 24th 2024 Comment Did you see the developer forums refresh that launched yesterday?

You Might Also Like

Last call: AI Consultancy Project is closing at 11:59 PM PT

Friday, July 12, 2024

Also, my story: I wanted more time to date my wife ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

iOS Dev Weekly - Issue 669

Friday, July 12, 2024

I am always going to use 🥽 to reference Vision Pro until we get a VR headset emoji! 🫨 View on the Web Archives ISSUE 669 July 12th 2024 Comment Earlier today, I stepped into my very own spatial

Defending Russia’s EU neighbors

Friday, July 12, 2024

Plus, startup valuations reach all-time high and more View this email online in your browser By Marina Temkin Friday, July 12, 2024 Image Credits: Bryce Durbin / TechCrunch Welcome to Startups Weekly —

Weekly News Roundup - Issue #475

Friday, July 12, 2024

Plus: Microsoft leaves OpenAI's board; OpenAI got hacked; the first step toward reversible cryopreservation; how good ChatGPT is at coding; China proposes guidelines for humanoid robotics; and more


Friday, July 12, 2024

Week of July 8, 2024 Showtime! Week of July 8, 2024 By MG Siegler • 12 Jul 2024 View in browser View in browser Are we sure the "AI Supercycle" for the PC market is going to be a thing? IDC

Charted | The World’s Top 100 Universities, by Country 🎓

Friday, July 12, 2024

Where are the top 100 universities in the world located? We look at the World University Rankings 2024 to find out. View Online | Subscribe takes what you love about Visual Capitalist to the next level

Daily Coding Problem: Problem #1494 [Medium]

Friday, July 12, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Yahoo. Write an algorithm that computes the reversal of a directed graph. For example,

Comedic Consultant 💻

Friday, July 12, 2024

A former Daily Show host's questionable tech ties. Here's a version for your browser. Hunting for the end of the long tail • July 12, 2024 Comedic Consultant Trevor Noah has been on the

Axion Processors: Googles First Arm-based CPUs

Friday, July 12, 2024

Top Tech Content sent at Noon! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, July 12, 2024? The HackerNoon Newsletter brings the HackerNoon

Software for your own company

Friday, July 12, 2024

​ Building internal products If every company is truly a software company now, it stands to reason that product management will become more prevalent in organizations that develop software for their