«
»

Mail.app and Leopard’s ban on Input Managers

InputmanagersAccording to a rumour on the well-respected Ars Technica web site, Mac 10.5 Leopard will not only be later than expected, but it will not provide support for Input Managers.

Input Manager plugins will no longer be allowed, the article claims. It cites “sources” who say that “Apple isn’t really broken up about it since InputManagers were often used for nefarious purposes anyway.”

I’ve had a number of emails from Hawk Wings readers who are worried about the future of one or another of the many, many plugins available for Mail.app.

The good news is that the vast majority of plugins are not constructed as Input Managers and so will not be affected.

The notification utility iAlert will be though, as well as a number of excellent plugins for other apps, like the Inquisitor search plugin for Safari.

The Input Manager that allows TextMate to be used as an external editor for Mail and many other apps (a “nefarious purpose” if ever there was one!) will also sadly disappear, although I very much hope that Allan Odgaard will reinvent it in another format.

UPDATE: Jon Hicks has written more on the impact of this change on Safari and its various plugins.

[Thanks to Geoff, Dan, David et al.]mail.app, apple mail, input managers, leopard, plugins, textmate, osx, apple

Similar Posts:

Tags: , , , , , , ,

This entry was posted on Sunday, 25th March, 2007 at 12:15 am and is filed under Apple Mail. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

18 Responses to “Mail.app and Leopard’s ban on Input Managers”

  1. Helge says:
    March 25th, 2007 at 1:12 am

    What will be with Spell Catcher?

  2. Anthony Baker says:
    March 25th, 2007 at 1:23 am

    Frankly, while this might not affect Mail quite as much, it is going to be a blow to Safari. The lack of InputManagers will turn programs like David Watanabe’s Inquisitor to dust. And, methinks this isn’t a rumor at all. I know some folks who are using Leopard builds and they’ve confirmed it in what they’ve seen so far.

    While I love Safari, if it offers no extendability or customization (in the little way it has to date), I’m bailing for Firefox altogether.

    And who EVER heard of nefarious InputManager-using apps out there? This is the first that I’ve ever seen mentioned of it.

    Jon Hicks has written about this from the PimpMySafari point of view over on his blog at http://www.hicksdesign.co.uk/journal

  3. Dalmet says:
    March 25th, 2007 at 1:58 am

    This would definetly be something that keeps me from upgrading to Leopard.

  4. Anthony Baker says:
    March 25th, 2007 at 2:03 am

    Methinks we should look at making this a bigger stink than it has been. Anyone know if a story on this has been Dugg yet?

  5. Dalmet says:
    March 25th, 2007 at 2:10 am

    I’ve done some searching at Digg and couldn’t find anything. Let’s go diggin’.

  6. mgorbach says:
    March 25th, 2007 at 2:24 am

    Input managers are not a good thing. We should not allow random code on the system to be loaded into EVERY running app. This is simply not a good idea because it can cause random, unexpected interactions between my app and an inputmanager hack someone, somewhere wrote. Interactions that I can not predict. There is a better way to deal with this expandability problem. Hopefully, Apple will find it. I would be happy if Safari included a plugin-system like mail.app does, allowing it to load bundles without the use of inputmanager plugins.

  7. Tim Gaden says:
    March 25th, 2007 at 2:29 am

    Anthony, thanks for the Hicks link. I hadn’t seen that.

  8. Dalmet says:
    March 25th, 2007 at 2:40 am

    mgorbach, I totally agree with your point of view. But I think Apple should have provided developers with a plug-in API a while ago and give them a chance to update their little useful helpers. I believe many people are using stuff like Inquisitor and they would be very upset if these utilities are suddenly gone. It makes Leopard not look like an upgrade.

  9. DBL says:
    March 25th, 2007 at 7:42 am

    I looked around and I find I recognise the name of these programs that use InputManager — they represent all the kind of software that I never install on my system. Because they have universal effect. Anytime a program that purports to enhance one particular app asks to be installed in a central location that could affect everything, I *always* opt out. Even sometimes when it’s really pained me. No enhancement is worth that. Now, with Leopard, I guess everyone will be forced to have as trouble and conflict free a computing experience as I have had on OS X. It really makes no difference to a person like me, but maybe you folks will see such increased productivity from reduced system complexity that you will have a lot more time to complain to Apple about it! (That is an often overlooked productivity advantage, for every feature set you add no matter how useful you are giving up something so don’t forget to weigh that, too.)

  10. DocB says:
    March 25th, 2007 at 12:28 pm

    I remember the bad old days of OS9 extensions and extension managers and Conflict Catcher. The less global futzing with the system the better. I will not cry for Input Managers.

  11. Jonathan says:
    March 26th, 2007 at 2:02 am

    One programme you all seem to be forgetting about, which is the one that most (in)famously exploited the security hole in OS X that is the InputManager system, is the Oompa Loompa/Leap.A malware. It wasn’t the most successful malware, but it did highlight that Input Managers are potentially a very bad security issue… has anything been done to close that particular security hole? Nope. Still exists and will do until they get rid of the way Input Managers are handled by the system or the feature itself.

  12. mgorbach says:
    March 26th, 2007 at 2:18 am

    Good point Jonathan.
    Was not everyone complaining that Apple is not taking a pro-active stance towards security and is waiting until something terrible happens before “taking security seriously”? Well, I think this shows apple IS taking security seriously. It is great that they are sealing off a potential vulnerability BEFORE it is exploited on a large scale. They realize that as macos popularity increases, it will become more of a target and problems will be revealed.

  13. Rosyna says:
    March 26th, 2007 at 12:36 pm

    Jonathan, you forget the fact that you had to run a malicious program to get that thing installed. So it didn’t matter what it installed or didn’t, it already had access to your machine and you already lost.

    It did not show that InputManagers were an inherent security flaw. It just showed that you shouldn’t open applications you don’t trust on the internet.

  14. Evan Gross says:
    March 26th, 2007 at 5:39 pm

    Helge:

    Spell Catcher is an Input *Method*, not an InputManager. Rest assured that Input Methods are NOT going away, in fact quite the opposite is true (about all I can say – NDA and all…)!

  15. Jonathan says:
    March 26th, 2007 at 6:50 pm

    @Rosyna.

    You are making an assumption – I didn’t forget anything. Regardless of whether or not you have to run an application to get an infection (isn’t that the case for all malware?), it exploited a flaw in the way the Input Manager system is set up to enable it to affect the whole system and (try and) spread, and all without the need for a password to be inputted. If that isn’t a security flaw, then what is it? A feature? To prevent the potential for it to be exploited, either Apple needed to alter the way items are installed into the Input Manager system, or they needed to alter the system itself (for something with the potential to affect all the apps on your computer, inputting a password and user name should be the bare minimum). Either way, it is something that has been long overdue.

  16. Rosyna says:
    March 26th, 2007 at 8:54 pm

    The proper fix for what happened would actually to take a Widgets and/or Windows approach. Sandbox applications that come off the internet when they are run. Then when they quit, tell the user all the resources/files they created and if they’d like to integrate them into the real filesystem.

    “If that isn’t a security flaw, then what is it?”

    It’s not a security flaw at all. It’s a classic case of the user being the weakest link and everyone seems to want to do everything but blame the user for this.

  17. chuy says:
    March 27th, 2007 at 12:13 am

    There is a new way to do this things, look at the WWDC sessions
    ——————
    Writing an Input Method Using the Input Method Kit Mac OS X Essentials Hands-on
    Learn to quickly and easily support international users with Unicode input methods on Leopard with the Input Method Kit framework. This hands-on session guides you through the complete development of a fully functional input method

  18. Bob says:
    March 28th, 2007 at 12:56 am

    I thought that the stink over the “alleged” delay for Leopard was due to compatibilty issues between Boot Camp and Vista integration. Um…guess that really WAS a rumor…why delay Leoplard when Boot Camp can be updated later?

Leave a Reply