While the download itself is served using https (from amazon), curl will contact the google url shortener using HTTP. Honestly, if I wanted to MITM one thing on any network, URL shorteners would come first.
Edit: The website switched from Google's link shortener to git.io (http) and download to GitHub downloads. git.io's https version seems to have certificate issues.
> While the download itself is served using https (from amazon), curl will contact the google url shortener using HTTP.
Whoever wrote the installation instructions here should take a page from Sublime Package Control's installation instructions:
> The download will be done over HTTP instead of HTTPS due to Python standard library limitations, however the file will be validated using SHA-256.
> WARNING: Please do not redistribute the install code via another website. [Because of the embedded SHA-256 digest, the installation code] will change with every release. Instead, please link to this page.
If you're telling people to run random commands in their terminal that lead to local code execution, then you should trust that they can read a goddamn URL.
If you don't think your user base can read URLs, then you shouldn't be telling them to launch the terminal and run your code.
You are providing an HTTP link to git.io, so it cannot be verified whether I am connecting to the real git.io. This means an attacker can very easily pretend to be git.io (a classic man-in-the-middle attack).
It doesn't matter if git.io can only shorten git URLs, as git.io will never be involved in a potential attack.
Using a link shortener is okay, but use one that supports HTTPS.
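As an added example (not from this thread or the Alcatraz project), here is a POSIX shell install helper in the spirit of the Package Control approach quoted above and the git.io complaint: it refuses plain HTTP at every hop, including a shortener redirect, and compares the file against an embedded SHA-256 digest before anything is executed. The URL and digest are assumptions to be filled in by whoever publishes the installer.

```shell
#!/bin/sh
# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 only when the file's digest equals the expected one (case-insensitive).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Download over HTTPS only and keep the file only if the digest matches.
# --proto and --proto-redir make curl fail if the URL, or any redirect
# returned by a shortener, is not https (see the git.io discussion above).
fetch_verified() {
  url=$1; expected=$2; out=$3
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' --proto-redir '=https' -o "$tmp" "$url"; then
    echo "download failed or not served over HTTPS: $url" >&2
    rm -f "$tmp"; return 1
  fi
  if verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$out"
  else
    echo "digest mismatch for $url, refusing to keep the file" >&2
    rm -f "$tmp"; return 1
  fi
}

# Example usage (hypothetical URL and digest, change with every release):
#   fetch_verified https://example.invalid/install.sh \
#       0000000000000000000000000000000000000000000000000000000000000000 install.sh \
#     && sh install.sh
```

Because the digest is baked into the one-liner, the installer text changes with each release, which is exactly why Package Control asks people to link to the page instead of copying the command elsewhere.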
The first thing that stuck out to me was the name and logo. Alcatraz sounds cool (and I like the logo), but I'm not sure if something that evokes imagery of being confined and locked up is what you want associated with an open-source package manager.
I'm pretty sure it's more a reference to the fact that Xcode extension management is rather painful and feels like you're stuck using that IDE sometimes.
I don't think it has any effect on me using the tool but I would say that Alcatraz has negative connotations for me.
There are Ruby "Gems" and Cocoa "Pods"; I'm trying to think of a similar name that evokes something that can be slotted into something else... Cubby?
Cubby - any of a group of small boxlike enclosures or compartments, open at the front, in which children can keep their belongings, as at a nursery school.
I actually wrote that patch! Are you sure you are using a version of clang with support for it? As far as I know a new release hasn't been cut with the included patch. At Facebook we use clang-format with that patch and it works.
I should note that Alcatraz's clang plugin looks to have a compiled version of an old clang-format in the tree...that's likely why this doesn't work with that plugin.
What are your reasons for starting another package management system when we already have CocoaPods? What does this offer over CocoaPods beside the UI?
It's not competing with CocoaPods. Alcatraz gives you a nice UI for installing Xcode plugins, color themes, etc. to customize your editor, while CocoaPods is management of libraries for iOS and OS X development.
Think of Alcatraz as the Xcode equivalent of Will Bond's "Package Control" package for Sublime Text. Cocoapods is a dependency manager, more like PHP's composer.phar (or whatever your language of choice's current dependency-manager-of-choice happens to be).
I've been using this and it works great for the packages it has. I don't use too many, but if you document your Xcode methods I highly recommend VVDocumenter.
It allows you to generate a doc string for a method if you type '///'.
This looks really cool, but I don't know what problem it's solving for me. Maybe I'm not an Xcode hacker/ninja/whatever, but it has constantly met my needs as-is. Sure, I've wanted to add a color scheme before, but these are a lot of hoops to jump through when Dusk is fine.
A huge congrats. I've been working with Alcatraz HEAD for a while, helping out with the design, and occasionally wanting to make my own plugins.
I'm super excited to see it out and one-click installable again. Looking forward to seeing what Marin/Delisa/Jurre do with the blog.
I use this regularly; it hasn't felt any less stable for the few plugins I mainly use: open in GitHub, one in AppCode, and a fuzzy string matcher. They really make Xcode easier for day-to-day life.
A colleague of mine wrote that Open in GitHub plugin when we worked together. It's incredibly useful if your code's hosted there and you do pull-request code reviews.
Xcode doesn't have a public plugin API. Every single one of these packages, including Alcatraz itself, is relying on undocumented and unsupported functionality. I would very strongly caution against installing any of it.
As a user of several of the packages available on Alcatraz, and Alcatraz itself, I strongly disagree with eridius.
If you do have issues with a particular package it is pretty simple to remove any/all of them. The only time I have had issues is when I've tried to run betas of Xvim on unreleased versions of Xcode.
Seriously, if you're interested at all in the packages made available through Alcatraz give it a shot.
No, Apple gave up and implemented a compatibility UUID system to try and reduce crashes (since any Xcode crash is going to be reported to Apple and Xcode engineers have to figure out what happened, which means Xcode engineers get bug reports triggered by unsupported third-party plugins).
The existence of the compatibility UUID does not mean that Apple has blessed plugins. They're just trying to reduce their support load, and reduce their users' crashes at the same time.
I really want to use this, but I'm having a lot of trouble with the interface. It could just be me or my environment. I don't know.
Are you planning to have a forum somewhere for feedback and support? I suppose I could open an issue on GitHub, but I'd really rather just ask a question. Enough people seem to be using this that I suspect the problem is on my end.
It's not an answer to you directly but more of an observation: The effect for this page is very laggy on a 1-year old MBP, and makes the text barely readable until a certain scrolling point is reached. I do not understand the purpose of using the effect here or in 9/10 cases I see it on sites. It introduces pointless visual candy with usually zero or negative practical benefit. Makes me think of the DHTML days.
As someone who spends most of their day in Xcode, Alcatraz is an invaluable tool for grooming my Xcode setup and keeping up with the latest plugins and whatnot.
Congrats on the launch Marin! Been following the repo for a few months now, I'm really digging the design.
I use a few of the Xcode 4 Fixins (https://github.com/davekeck/Xcode-4-Fixins), which despite their name are mostly compatible with Xcode 5. I use DisableAnimations, FindFix, InhibitTabNextPlaceholder, TabAcceptsCompletion, and UserScripts (which I wrote).
A bit of work was required when Xcode 5 came along but from minor version to minor version they haven't needed much in the way of maintenance.
I've been using XVim for over a year now and it's been reasonably stable. They have an issue with code folding but then I don't fold while the plugin is enabled.
FWIW, folding shouldn't (big shouldn't) crash it, but navigation is not like Vim's (the cursor is hidden inside the fold while you do navigation stuff; it eventually moves out of the fold though). It's on my list of things to fix with XVim.
Apple doesn't sanction Xcode plugins and I'm pretty sure Xcode itself isn't sandboxed once you enter your developer password. I'm not sure of the details though.
As to the security review or process, perhaps badging -- that sounds like a good feature request. I'll bet there's an issue tracker... ;-)
Great work. Now the next big thing is to mix this with CocoaPods so that once you select a package, it runs the pod install command for you automatically and you are good to go.
Alcatraz isn't a CocoaPods wrapper, it is an installer for Xcode customizations like plugins and color schemes. You can use it to install a CocoaPods Xcode plugin to handle installing and updating pods though: https://github.com/kattrali/cocoapods-xcode-plugin