DVR Versioned update folders (Mac) - Bad Idea

Is there some other way to update the DVRS version without assigning it its own versioned folder each time?

This screws up the built-in firewall, and 3rd-party firewalls like Little Snitch. This means that every time the server is updated, network access is denied until it can be approved, again, and again, and again, with each incremental update.

This makes running a headless media server a huge pain in the ass, as I don’t catch the issue until attempting to watch live TV, or look for a recording that failed while the firewall was awaiting permissions necessary for the server to fully reboot.

Thoughts? Comments? Solutions?

Are you using Little Snitch? Does it have any way to whitelist the entire Channels DVR directory?

Although the versions live in separate directories, we always invoke the executable via the latest symlink. Usually this means you can whitelist latest/channels-dvr in your security software.

I use the macOS firewall for incoming connections. I was able to add the ChannelsDVR directory to it. That seems to work.

I use Little Snitch for outgoing connections. It requires an actual executable to set up a rule, not a directory, alias, or symlink. :(

Hmm. Can you try adding a manual rule to Little Snitch and select “ChannelsDVR/latest/channels-dvr” as the process?

No. The rule resolves to the actual channels-dvr file in the versioned folder when saved. It doesn’t update to the next version using the latest folder alias.

Found some more similar reports from over the years:

https://forums.obdev.at/viewtopic.php?t=9358
https://forums.obdev.at/viewtopic.php?t=8430

I guess another workaround might be to add an “Any Process” rule for the outbound connections the DVR uses.

I will look into alternative folder structures, but it’s a big change (which will affect all existing users) so I’d prefer not to change anything unless absolutely necessary.

I have been in touch with Little Snitch about this issue and got this piece of news:

For security reasons, there’s no way to have a rule in Little Snitch that has a wildcard in its path. On the bright side, we are planning on adding a new kind of rule that is not path-based, but instead code signature based. That kind of rule will enable users to allow connections of an app as long as it is signed by a specific developer. We’re not there yet, but we are working on this.

Any news on this? I'm using the 'Any Process' workaround, but locking it down would be nice.
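Added example, not from any poster in this thread and not Channels or Little Snitch code: a Python model of the behaviour described above, where a rule selected via `latest/channels-dvr` is saved against the resolved versioned file and stops matching once an update repoints `latest`. The folder names `version-A`/`version-B` and all function names are constructed for illustration; only the `ChannelsDVR/latest/channels-dvr` layout comes from the thread.

```python
import os
import tempfile


def resolve_rule_path(selected_path):
    """Path a path-pinned rule ends up storing: symlinks resolved to the real file."""
    return os.path.realpath(selected_path)


def rule_matches(pinned_path, install_dir):
    """True while latest/channels-dvr still resolves to the pinned executable."""
    current = os.path.realpath(os.path.join(install_dir, "latest", "channels-dvr"))
    return current == pinned_path


def install_version(install_dir, version):
    """Constructed stand-in for an update: new versioned folder, then repoint 'latest'."""
    vdir = os.path.join(install_dir, version)
    os.makedirs(vdir)
    exe = os.path.join(vdir, "channels-dvr")
    with open(exe, "w") as fh:
        fh.write("#!/bin/sh\n")  # placeholder body, not a real binary
    os.chmod(exe, 0o755)
    link = os.path.join(install_dir, "latest")
    tmp = link + ".new"
    os.symlink(version, tmp)   # relative link, e.g. latest -> version-B
    os.replace(tmp, link)      # swap the symlink itself in one rename
    return exe


def demo():
    with tempfile.TemporaryDirectory() as root:
        install_dir = os.path.join(root, "ChannelsDVR")
        os.makedirs(install_dir)
        install_version(install_dir, "version-A")
        # The user picks latest/channels-dvr; the stored rule is the resolved path.
        pinned = resolve_rule_path(os.path.join(install_dir, "latest", "channels-dvr"))
        before = rule_matches(pinned, install_dir)
        install_version(install_dir, "version-B")  # the "update"
        after = rule_matches(pinned, install_dir)
        pinned_folder = os.path.basename(os.path.dirname(pinned))
        return pinned_folder, before, after


if __name__ == "__main__":
    print(demo())
```

On a headless server, `rule_matches` with the path stored in the existing rule could be run from a scheduled job to flag that an update has left the rule stale and a new approval is pending.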