iOS Dev Weekly - iOS Dev Weekly - Issue 668

Should we all move to CocoaPods to avoid security issues? It’s a bit more complicated than that. 🔐
 

iOS Dev Weekly

 
View on the Web    Archives

ISSUE 668  July 5th 2024

 
Comment

  Comment  

 

This story of a CocoaPods security problem set me wondering about the state of dependency management in Swift again this week.

First, the security issue was a serious supply chain vulnerability, with potential attackers able to claim ownership of abandoned libraries. It stemmed from the migration to the CocoaPods “trunk” system in 2014 and while this image doesn’t give a date for when the vulnerability started, I think the public API (and therefore the vulnerability) has been available for several years.

I don’t write this to criticise CocoaPods. Once reported it was handled responsibly, fixed quickly, and there was no evidence of it being exploited. But, the truth is that CocoaPods doesn’t have as many eyes on its maintenance as it used to and it’ll only lose more popularity as more people adopt SwiftPM. The maintenance team are all volunteers and do a great job of a thankless task, but SwiftPM is the future.

But is SwiftPM safe from supply chain attacks? Not in the way that 99% of people use it. There’s an obvious supply chain vulnerability which is implicit in importing a dependency directly from tags in a git repository with SwiftPM. Git tags are not immutable and can be moved at the package author’s convenience, so if you built SomeDependency v3.2.4 into your app and shipped it to the store, it’s not guaranteed to be the same code I have in my app if I also depend on SomeDependency v3.2.4. Yes, that’s not in the same ballpark of security issues as being able to take ownership of someone else’s package, but it’s still serious enough.

So what’s the solution? Do we need a whole new package manager? No, we just need to use SwiftPM package registries. Supported since Swift 5.7, SwiftPM has full support for package registries. Package registries treat versions of packages as immutable and serve zipped archives of packages rather than needing to check out a git repository. They are quicker in use and inherently more secure.

Some artefact hosting companies have even shipped registry implementations as part of their products. JFrog Artifactory announced support in 2022, AWS CodeArtifact in 2023, and just this May Cloudsmith joined in.

What doesn’t yet exist is a public open-source package registry hosting all the packages in, for example, a package index. Sven and I are very aware of that and have been considering whether it might be something we could add to the Swift Package Index. We’ve got nothing to announce today, but when everyone can use a package registry rather than git-based source code dependencies, we’ll get a step forward in dependency management for Swift, too.

Dave Verwer  Permalink

 
 

  Sponsored Link  

 

Worried about losing Microsoft App Center?

Bitrise has you covered! With Microsoft retiring its Visual Studio App Center, many developers are looking for robust, reliable alternatives. Bitrise's Release Management is not just a replacement, but a comprehensive upgrade for your mobile app development needs. Learn more.

bitrise.io  Permalink

 
 
 

  News  

 

Plotting a Path to a Package Ecosystem without Data Race Errors

Here’s some more information published on the Swift.org blog from Sven A. Schmidt and me about the Ready for Swift 6 project we're working on this summer at the Swift Package Index. We also just finished a test run using Xcode 16 beta 2, and the number of packages without data races continues to rise. Progress!

swift.org  Permalink

 
 

  Code  

 

Make videos with SwiftUI

What a fun idea from Jordan Howlett. Have you ever wanted to make motion graphics for video with SwiftUI? Now you can, with his new library, StreamUI. Read the forum post above for a little background, or watch the sample video to see what it can create.

swift.org  Permalink

 

Zoom transitions

Having access to some of the fancier transitions that Apple has perfected in the operating system over the years is so great. It not only makes apps that use them smoother and easier to use, but it increases consistency with third-party apps and the platform, too. Here’s Douglas Hill teaching us about this year’s new zoom transition.

douglashill.co  Permalink

 

Consolidated ViewState

I found myself nodding along as I read this little tip from Luda Fux. My first attempts with SwiftUI were full of isLoading and isPresented booleans. Is there a better approach? There is!

ludafux.com  Permalink

 

Diffuse reflection UV computation tool

I’d recommend watching this WWDC session video before reading this post from Cristian Díaz that explains how to generate the “emitter and attenuation UVs” necessary to make this really impressive effect work.

I wish I had a Vision Pro so I could experience these things! Luckily, I did order one last week when they went on sale in the UK! 💸

elkraneo.com  Permalink

 

Is this the best VR development environment?

What an interesting screenshot from James Thomson! I can't imagine the PSVR2 or Meta Quest development environment allowing anything close to this.

mastodon.social  Permalink

 
 

  Business and Marketing  

 

Our App Store screenshot nightmare is (almost) over

This is amazing news! 🎉 I had missed this announcement, so thanks to Jesse Squires for writing it up.

jessesquires.com  Permalink

 
 

  Jobs  

 

Software Engineer, iOS @ amo – Amo values speed, creativity, and high performance. Focused on meaningful social apps, they prioritize creation over consumption and simple, fun experiences. The diverse, skilled team uses a modular monorepo tech stack with Rust, Bazel, and RxSwift, leveraging efficient data processing on GCP. – On-site (France)

Senior iOS Engineer @ Leica Camera AG – We are looking for an experienced iOS developer to join our team. We are working as a small, fast-moving unit within Leica, so we are looking for team members who can take charge of projects and work independently. It’s a bonus (but not required) if you are passionate about photography! – Remote (within European timezones) or on-site (Germany)

Product Engineer (iOS, Full-Stack) @ Emerge Tools – Have a huge impact working with our small, technically elite team (just 8), build tools used some of the biggest & best mobile teams in the world (DoorDash, Square, Spotify, Duolingo, Tinder, Bumble) – Remote (within US timezones)

Senior iOS Developer @ Komoot – Your work will contribute to helping millions of people enjoy lovely outdoor experiences and you can work from wherever you want, be it a beach, the mountains, your house, or anywhere else that lies in any time zone between UTC-1 and UTC+3. – Remote (within European timezones)

 Permalink

 

Are you looking for a job? Get yourself over to iOS Dev Jobs where even more opportunities await!

 Permalink

 
 

  And finally...  

 

Tell me you’re a Swift developer without telling me you’re a Swift developer. 😂

 Permalink

 
You received this email because you subscribed via the iOS Dev Weekly site.
We'll be sorry to see you go but you can unsubscribe instantly.
 
iOS Dev Weekly is published by Verwer Services Ltd. with a registered office at 5 Albert Road, Southsea, Hampshire, England, PO5 2SE.
 
 

 
 

RSS

 
©2024 iOS Dev Weekly | Privacy Policy | Mastodon | Suggest a Link
 
Published with Curated

Older messages

iOS Dev Weekly - Issue 667

Friday, June 28, 2024

No comment from me this week, but there are plenty of links! 🥂 View on the Web Archives ISSUE 667 June 28th 2024 Comment Time got away from me so quickly today that by the time I would normally be

iOS Dev Weekly - Issue 666

Friday, June 21, 2024

WWDC isn't completely over just yet! How about a chance to get together with your peers to watch some videos at Apple offices around the world? 🗺️ View on the Web Archives ISSUE 666 June 21st 2024

iOS Dev Weekly - Issue 665

Friday, June 14, 2024

Ready for a recap of WWDC? Before we get to that, I want to talk about some masterful marketing from Apple this year. ✨ View on the Web Archives ISSUE 665 June 14th 2024 Comment What a week! I hope you

iOS Dev Weekly - Issue 664

Friday, June 7, 2024

Don't forget about visionOS and the Vision Pro this WWDC! 🥽 View on the Web Archives ISSUE 664 June 7th 2024 Comment One thing we'll certainly hear more about on Monday is visionOS. We'll

iOS Dev Weekly - Issue 662

Monday, June 3, 2024

The new developer forum refresh must mean it's nearly time for WWDC! 🎉 View on the Web Archives ISSUE 662 May 24th 2024 Comment Did you see the developer forums refresh that launched yesterday?

You Might Also Like

Laravel VS Code Extension, Laravel 11.36, Wirechat, and more! - №544

Sunday, December 22, 2024

Your Laravel week in review ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏

Kotlin Weekly #438

Sunday, December 22, 2024

ISSUE #438 22nd of December 2024 Announcements klibs.io JetBrains has introduced the alpha version of klibs.io – a web service that speeds up and simplifies discovering KMP libraries that best meet

Weekend Reading — Happy "That's a January Problem" week

Saturday, December 21, 2024

Can Christmas season start a little earlier this year Tech Stuff Ramsey Nasser fuck it happened i am in a situation where i do actually need to reverse a linked list Atuin I just learned about Atuin

Daily Coding Problem: Problem #1644 [Easy]

Saturday, December 21, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by IBM. Given an integer, find the next permutation of it in absolute order. For example,

🐧 Whatever Happened to Unix Workstations? — My Incredibly Cheap Alternative to a Soundbar

Saturday, December 21, 2024

Also: Here's Why More Games Need Expanded Difficulty Settings How-To Geek Logo December 21, 2024 Did You Know Lake Wendouree, an artificially created and maintained shallow urban lake in Australia,

Supercharge Your Knowledge Capture Workflow with the Obsidian Web Clipper

Saturday, December 21, 2024

Stop juggling multiple tools and supercharge your knowledge capture workflow with Obsidian's powerful Web Clipper browser extension Sébastien Dubois DeveloPassion's Newsletter Supercharge Your

Charted | The World's Most Valuable Automakers 🚙

Saturday, December 21, 2024

Tesla shares reached a record high, setting a new valuation milestone. This graphic highlights the world's most valuable automakers by market cap. View Online | Subscribe | Download Our App

Next Holiday Season, Ignore Everyone Except One Customer

Saturday, December 21, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 21, 2024? The

🐍 New Python tutorials on Real Python

Saturday, December 21, 2024

Hey there, There's always something going on over at Real Python as far as Python tutorials go. Here's what you may have missed this past week: 🎓 Master Python's Core Principles (New Live

Post from Syncfusion Blogs on 12/21/2024

Saturday, December 21, 2024

New blogs from Syncfusion ASP.NET MVC Suite Update: Aligning with .NET Changes By Rajendran R Discover key updates in our ASP.NET MVC suite, aligning with Microsoft's latest .NET changes for