New Misnamed Login Item in 4.0.1 on macOS


Bryan Jones

Mar 14, 2024, 3:06:56 AM
to tunnelblick-discuss
Hi all,

After updating to Tunnelblick 4.0.1 (build 5971) on macOS Sonoma 14.4, there is a new login item under the name of "Jonathan Bullard", as shown in the screenshot.

This needs to be addressed. macOS throws up a very scary notification that reads: "Software by Jonathan Bullard has been allowed to run in the background." Users do not associate Jonathan Bullard with Tunnelblick and that notification immediately causes them to think their Macs have been compromised in some way.

The login item **MUST** be under Tunnelblick's name. Anything else is going to alarm users and is, frankly, borderline-deceptive. 


Screenshot 2024-03-14 at 00.01.54.png

Tunnelblick developer

Mar 14, 2024, 6:03:53 AM
to tunnelblick-discuss

Inkeri

Mar 16, 2024, 11:17:23 AM
to tunnelblick-discuss
Hi, I just immediately turned the toggle off because "Jonathan Bullard" seemed so obviously suspicious. Now I can no longer find the menu where I could turn it back on. I won't be the only one.

Tunnelblick developer

Mar 16, 2024, 11:53:08 AM
to tunnelblick-discuss
The list is on System Settings >> General >> Login Items. (Or you can search System Preferences for login.)

We've figured out how to fix the problem and hope to have a fix available within the next week or two.

The fix isn't perfect because macOS allows the user to disable the login item, which can cause problems. Users can also disable Tunnelblick's launch daemon, which causes even worse problems because Tunnelblick can't function without it. Warning the user about problems when the user has disabled the agent or daemon is on our list, too, but we have a long list!

Apple really screwed us on this one:
  • In Sonoma they put up a notification when the login item is first installed. We re-install the login item in Tunnelblick 4.0 because it has changed slightly, so macOS warns about the installation (even though it is simply replacing one file with another and both are from a signed and notarized application).
  • The notification and System Preferences don't mention the program (Tunnelblick) the login item is from, but instead show the name of the person that digitally signed the login item – Jonathan Bullard. (The notification and System Preferences item for the launch daemon show "Tunnelblick", so at least they have that right!)

Bryan Jones

Mar 16, 2024, 1:37:25 PM
to tunnelbli...@googlegroups.com
Why can Tunnelblick not function without these login items? If I don’t want Tunnelblick to launch when my Mac boots, but instead simply double-click it in /Applications, it ought to work just fine.

What is the purpose of the “Jonathan Bullard” second login item?

Login Items are always optional and if the app can’t function without them, a new approach is needed.

On Mar 16, 2024, at 08:53, Tunnelblick developer <jkbu...@gmail.com> wrote:

The list is on System Settings >> General >> Login Items. (Or you can search System Preferences for login.)

Tunnelblick developer

Mar 16, 2024, 3:41:16 PM
to tunnelblick-discuss

          If I don’t want Tunnelblick to launch when my Mac boots, 
          but instead simply double-click it in /Applications, it ought 
          to work just fine.

Tunnelblick is not what launches when your Mac boots (or you log in). A small part of Tunnelblick runs briefly when you log in, not the full Tunnelblick application. The Tunnelblick application is launched only in certain circumstances. (See Tunnelblick Launches at Startup (Login) for more information about the circumstances.)

 
Tunnelblick does what most users want:
  • If Tunnelblick is running when you log out, restart, or shut down, it is launched when you log back in.
  • If Tunnelblick is not running when you log out, restart, or shut down, the small program launches Tunnelblick when you log back in only if it is needed immediately. For example, if Tunnelblick has disabled all network services (Tunnelblick must be running so you can use it to re-enable them), or if your computer is connecting to or is connected to a VPN (Tunnelblick must be running so you'll see the VPN's status in the status/menu bar).

Tunnelblick needs two different "helper" programs that run independently of the Tunnelblick application. Neither program should be disabled if you want Tunnelblick to function properly:
  1. A program which runs on demand. It runs as root to perform operations which require higher privileges than a standard user has, for example, starting OpenVPN as root or changing network settings. This program runs (briefly) only when sent messages from the Tunnelblick application. It performs the operation specified by the message and quits after waiting for up to 30 seconds for more messages. This program is named "tunnelblickd", and macOS identifies it as "Tunnelblick".
  2. A program which runs each time the user logs in. It runs as the user and launches Tunnelblick if it is needed, then it quits, as described above. The program is named "Tunnelblick-LaunchAtLogin" but macOS mis-identifies it as "Jonathan Bullard", apparently because that's the name of the developer who digitally signed the program.
Although both programs have been included in Tunnelblick for many years, neither program used to be described by Apple as a "login item", neither program was visible or could be disabled in System Settings, and macOS did not notify the user when either program was installed. That changed in macOS Sonoma: they are now shown in System Settings as Login Items and can be disabled by the user, and the user is notified each time they are installed. Again, neither program should be disabled if you want Tunnelblick to function properly.
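
Added example, not part of the thread and not Tunnelblick's own code: one way to check what a background item actually runs, independent of the name System Settings displays, is to read its launchd job definition. The two plists below are constructed samples; their labels, socket path and in-bundle program paths are placeholders, not Tunnelblick's real values.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed samples: labels, socket path and in-bundle paths are placeholders.
SAMPLE_DAEMON = b"""<plist version="1.0"><dict>
  <key>Label</key><string>example.placeholder.tunnelblickd</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Tunnelblick.app/Contents/Resources/tunnelblickd</string>
  </array>
  <key>Sockets</key><dict><key>Listener</key><dict>
    <key>SockPathName</key><string>/var/run/example-placeholder.socket</string>
  </dict></dict>
</dict></plist>"""

SAMPLE_AGENT = b"""<plist version="1.0"><dict>
  <key>Label</key><string>example.placeholder.LaunchAtLogin</string>
  <key>Program</key>
  <string>/Applications/Tunnelblick.app/Contents/Resources/Tunnelblick-LaunchAtLogin</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def owning_bundle(program):
    """Return the outermost enclosing .app bundle of a program path, or None."""
    parts = PurePosixPath(program).parts
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return str(PurePosixPath(*parts[: i + 1]))
    return None


def describe_job(plist_bytes, domain):
    """Summarise a launchd job; domain is 'daemon' (system) or 'agent' (per user)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        trigger = "at load"    # boot for a daemon, login for an agent
    elif "Sockets" in job or "MachServices" in job:
        trigger = "on demand"  # started only when a client sends a message
    else:
        trigger = "other"      # timers, watched paths, etc.
    # A daemon runs as root unless the job names another user.
    runs_as = job.get("UserName", "root") if domain == "daemon" else "logged-in user"
    return {
        "label": job.get("Label"),
        "program": program,
        "bundle": owning_bundle(program) if program else None,
        "trigger": trigger,
        "runs_as": runs_as,
    }


if __name__ == "__main__":
    for blob, domain in ((SAMPLE_DAEMON, "daemon"), (SAMPLE_AGENT, "agent")):
        print(describe_job(blob, domain))
```

On a Mac, the same function can be fed the bytes of a file from /Library/LaunchDaemons or ~/Library/LaunchAgents.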

Bryan Jones

Mar 16, 2024, 3:47:19 PM
to tunnelbli...@googlegroups.com
Nah, both items have appeared in the Login Items list for at least the last three major versions of macOS. The only thing new in Sonoma is that “launchatlogin” is now named “Jonathan Bullard”. I’m sure there’s an edge case where disabling these breaks things, but I don’t leave Tunnelblick connected all the time (too many “click all the bicycles” prompts when Google sees a VPN IP address), so I can confirm that disabling these items doesn’t break anything if Tunnelblick is disconnected when the Mac is shut down or rebooted. 

On Mar 16, 2024, at 12:41, Tunnelblick developer <jkbu...@gmail.com> wrote:



Tunnelblick developer

Mar 16, 2024, 4:11:42 PM
to tunnelblick-discuss
I wrote "Neither program should be disabled if you want Tunnelblick to function properly" because:

Disabling the first program will mean you can't connect your VPN.

Disabling the second program doesn't break anything for you, for the way you currently use Tunnelblick. But it does break things for people who use the "kill switch" or have VPNs that connect when the computer starts up.

Disabling these items has negligible benefits:
  • The first program is not run just because it is enabled; enabling it takes up a few hundred bytes of data in the macOS kernel so macOS can know when to run it.
  • The second program, which runs once when a user logs in, takes a negligible amount of CPU, memory, or disk access.
Note: the second program was renamed to "Tunnelblick-LaunchAtLogin" in Tunnelblick 4 to clarify it was part of Tunnelblick.

The main problem, as you say, and which I've described earlier, is that macOS Sonoma identifies the second program as "Jonathan Bullard". We consider that a bug; Apple considers it a feature. (Also, Apple should provide an "info" link to show what program will be run, as it does for the first program.)

The good news is that we have figured out a way to get around the bug/feature by using a different macOS mechanism to install the second program, and expect to update Tunnelblick to use that new mechanism within the next week or two.


Bryan Jones

Mar 16, 2024, 4:16:14 PM
to tunnelbli...@googlegroups.com
What is the new mechanism? I don’t consider the Login Items feature a bug or an inconvenience. It’s macOS being transparent with the user about what’s running on their Mac. It’s a GOOD thing. The attitude here seems to be that transparency is all a damned inconvenience and Tunnelblick needs to find a way to do stuff that the user can’t see or control. That’s a mistake. The correct approach is to inform the user about WHY these items are needed and be forthcoming about their presence. 

On Mar 16, 2024, at 13:11, Tunnelblick developer <jkbu...@gmail.com> wrote:



Tunnelblick developer

Mar 16, 2024, 5:16:15 PM
to tunnelblick-discuss
I think the "damned inconvenience", to both the Tunnelblick developers and to Tunnelblick users, is that macOS Sonoma identifies the second program as "Jonathan Bullard". If it identified it by the name of the program it is part of ("Tunnelblick"), the way it identifies the first program, that would avoid much confusion and be better.

Should Tunnelblick contain stuff that the user can't see or control? Well, in one sense the user can't see much of the way that any program accomplishes what it does, the user just sees the results. They click "Connect" and the VPN is connected, or they click "Print" and their document is printed. In another sense, users can see the way Tunnelblick accomplishes what it does: they can read the source code on GitHub. (Reading the source code is actually the only way anyone can see what a program does, but that's not practical for most people and most programs. But at least it's possible to do that with Tunnelblick and other Free Software. You can't read the source code of Microsoft Office or much of macOS or other closed-source software.)

We do "inform the user about WHY these items are needed" and we are "forthcoming about their presence". For example, we first published Why and How Tunnelblick does not Use Login Items more than six years ago, and have responded to several inquiries about them many times over the years in this discussion group and on GitHub.

We could do more: we could, as part of the installation process, tell the user about the programs and the consequences of disabling them. That would make the installation process longer and more cumbersome, but it's worth considering. You could ask for that as an enhancement, or contribute changes to Tunnelblick's source code to implement that, on GitHub.

Should users be able to disable functions that are necessary for a program to work properly? Perhaps, but in my opinion it would be better if the user was given the choice to (a) enable the function, or (b) uninstall the program. Allowing them to disable the function leads to frustration and confusion about why the program doesn't work.

Bryan Jones

Mar 16, 2024, 5:22:29 PM
to tunnelbli...@googlegroups.com
I don’t think “enable or uninstall” is the right approach. For people who work like me, where I enable my VPN only when necessary (public WiFi, torrents, etc.) that would unnecessarily kill Tunnelblick for me. Is it possible that you personally have Tunnelblick running all the time and are assuming that’s the way it “should” be done? Or that all/most users want to work that way?

On Mar 16, 2024, at 14:16, Tunnelblick developer <jkbu...@gmail.com> wrote:

I think the "damned inconvenience", to both the Tunnelblick developers and to Tunnelblick users, is that macOS Sonoma identifies the second program as "Jonathan Bullard". If it identified it by the name of the program it is part of ("Tunnelblick"), the way it identifies the first program, that would avoid much confusion and be better.

Tunnelblick developer

Mar 16, 2024, 6:13:36 PM
to tunnelblick-discuss
Yes, most users leave Tunnelblick running and visible in the status/menu bar all the time. That way they can connect a VPN with one or two clicks.

When Tunnelblick is running with no VPN active, it takes up little CPU time, memory, or disk use. On my M1 Max MacBook Pro, Tunnelblick 4.0.1 used about 0.1 CPU seconds (I think that's 0.1 seconds of a single core, but I'm not sure) over several hours (plus 0.4 CPU seconds loading it), uses about 15 MB memory and wrote 45 KB and read 43 MB. The disk activity all took place on launch; there shouldn't be any disk activity when it's idle.

Bryan Jones

Mar 16, 2024, 6:32:20 PM
to tunnelbli...@googlegroups.com
That’s the way I use it as well—idle in the menubar until I activate a connection. But if I disable the login items and manually launch Tunnelblick after my Mac boots, it still works just fine. 

On Mar 16, 2024, at 15:13, Tunnelblick developer <jkbu...@gmail.com> wrote:

Yes, most users leave Tunnelblick running and visible in the status/menu bar all the time. That way they can connect a VPN with one or two clicks.

Tunnelblick developer

Mar 16, 2024, 7:29:23 PM
to tunnelblick-discuss
If you disable the "affects all users" item and then manually launch Tunnelblick, Tunnelblick won't "work fine". It will complain when it launches (if you have any VPN configurations) because it won't be able to read the sanitized configuration files. Because of that, Tunnelblick will think the configuration files have been modified and ask you if you want to secure them; if you do, it will ask for an administrator's authorization to do so.

If you disable the other item, everything will always be fine unless you have enabled the "kill switch" and it activates, or you have a configuration that connects when the computer starts, or a different user on your computer has connected a VPN.

Even if none of those are possible for you, why do you want to disable it? Disabling it saves negligible amounts of CPU, memory, or disk activity when you log in. (For example, it takes 0.03 CPU seconds to run on my M1 Max MacBook Pro.) Disabling it takes your time, and it takes up more CPU, memory, and disk resources than the program would use in dozens and dozens of logins!

Bryan Jones

Mar 16, 2024, 7:40:39 PM
to tunnelbli...@googlegroups.com
You’re thinking about this backwards. You can spout off technical details until you’re blue in the face, but the simple reality is this: users are suspicious of background processes and login items. Especially the sort of person who’s going to install Tunnelblick: tech-savvy, smart people who know their way around a computer but aren’t necessarily programmers. The attitude on display (“This is all Apple’s fault; things were better when the unwashed masses couldn’t see what we were doing! Just trust us.”) is also backwards. A possible path forward:

1) Engineer Tunnelblick so that it does not *require* Login Items to perform its basic function.
2) *ASK* the user if they want to enable Login Items when the app is first installed. Prompt for permission and be upfront about why you want it. Do not simply throw these things on people’s Macs without warning—the user will see a notification from macOS and immediately suspect the worst. The world is full of shitty apps that metastasize all over the system (hello, Adobe) and users are wary.
3) If the user declines the login items, disable the functionality that depends on those login items (kill switch, etc.)

Most of all, drop the attitude that you know better, users are just dumb, and they need to let you do whatever you want. Tunnelblick can be a better citizen of macOS if it’s upfront and explains things proactively. Not in some documentation page buried on a website nobody reads, but rather in the moment, when these Login Items are configured. Think of this from the users’ perspective, not from the developer’s. 

-Bryan
 



 

Tunnelblick developer

Mar 16, 2024, 10:02:53 PM
to tunnelblick-discuss
Someone who trusts Tunnelblick enough to let it run programs as root, but doesn't trust it enough to run a program in the background as a user is, in my opinion, straining at a gnat and swallowing a camel. That's why I was "spouting technical details": I assumed that someone who is objecting to a background program is concerned about the resources it would use. I didn't realize that you are objecting to the very existence of the background programs – I read your original post as complaining (rightfully) that the name "Jonathan Bullard" is deceptive. It is deceptive! But it's not Tunnelblick that shows the misleading name; it's macOS. macOS used to show the name of the program, now it shows the name of the person who digitally signed the program. That's why I "blame Apple". The Tunnelblick developers are, of course, at fault for not adjusting more quickly to Apple's change, but we all are volunteers, have limited time to work on Tunnelblick, and we each have our own priorities.

Nobody complained about the existence of the "Tunnelblick" login item, nor did anyone complain when the other one was named Tunnelblick-LaunchAtLogin; you're the first one (as far as I can remember) that is saying that Tunnelblick should have no background items. (People complained when it was named "LaunchAtLogin", but only because they didn't know where it was from; we fixed that by renaming it to Tunnelblick-LaunchAtLogin.)

1) Engineer Tunnelblick so that it does not *require* Login Items to perform its basic function.

The Tunnelblick developers don't believe that is possible (assuming the basic function is to connect and disconnect a VPN securely). If you have a way to do it, let us know!

2) *ASK* the user if they want to enable Login Items when the app is first installed.
3) If the user declines the login items, disable the functionality that depends on those login items (kill switch, etc.)

We could do that but it makes everything more complicated, for the program and the users. Why don't you ask for that as an enhancement, or better yet, propose changes to Tunnelblick's source code to implement that, on GitHub? See what other people think about it.

I'm much more inclined to tell the users installing Tunnelblick about the existence of the background items, why they are necessary for the full functioning of Tunnelblick, and then let them install Tunnelblick (or not), and let them live with their decision to disable the login items if they do so. That's on my list, but there are other things on my list that I consider a higher priority.

Bryan Jones

Mar 16, 2024, 11:05:40 PM
to tunnelbli...@googlegroups.com
I’m not upset that this is an issue—volunteer software is a thing we’re all lucky to have! What I’m saying is that Apple has evolved their security/privacy stance to a different model: explicitly ask the user for permission and tell them what’s going on. That’s definitely annoying from the perspective of a good developer. And it’s even annoying as a user frequently: there are now prompts for EVERYTHING (“Safari wants to paste from Messages.”) and in my opinion, someone needs to rein in the security team at Apple because they’re a little TOO paranoid and they’re clobbering the user experience. But, the general evolution to “ask for permission and inform” is a good direction.

Tunnelblick does not currently explain what these items are or why they are added. It should. That’s my contention.




On Mar 16, 2024, at 19:02, Tunnelblick developer <jkbu...@gmail.com> wrote:



Tunnelblick developer

Mar 16, 2024, 11:19:58 PM
to tunnelblick-discuss
Fair enough.

Tunnelblick developer

Mar 18, 2024, 9:12:35 PM
to tunnelblick-discuss
We are testing an updated version of Tunnelblick that fixes this problem; to get a copy of it to help with testing it, please email devel...@tunnelblick.net.