One of the longstanding oddities in macOS security has been scanning of a notarized app by XProtect before it can be launched. When apps are submitted to Apple for notarization, they’re scanned for malicious content using methods at least as effective as XProtect, and should any notarized software subsequently be identified as malicious, its notarization and signature are revoked immediately. That should make it impossible for any app with a valid notarization ticket to contain malware known to Apple.

One of the improvements believed to be incorporated into macOS 26 Tahoe is that validly notarized apps are no longer scanned by XProtect. When I examined this recently, I confirmed that was correct, although in practice this did little if anything to improve the launch times of apps. This article extends those observations to include app first run, when detection of malware is most critical.

When an app is run for the first time in a recent version of macOS, there are three options:

• apps that aren’t quarantined, including those signed by Apple and almost all of those supplied through the App Store, normally don’t undergo additional checks;
• quarantined apps that have been installed correctly undergo full first run checks, that have previously included XProtect scans;
• quarantined apps being run from the immediate location they arrived in not only undergo full first run checks, but are additionally moved to be run from a random path in what’s commonly known as app translocation, or Gatekeeper Path Randomisation (GPR).

This article considers the second and third of those.

Quarantined first run, no translocation

In Sequoia 15.7 these apps undergo a “direct malware and dylib scan” using the XProtect data stored in its new location, in /var/protected/xprotect/XProtect.bundle. Because this is the first run, once Gatekeeper assessment is complete and confirms the app is safe to run, the user is presented with a dialog asking for their consent. Because of the inevitable delay in responding to that, two times can provide meaningful estimates of performance:

• the time between the log entry reporting that Gatekeeper is performing a scan (“GK performScan”), and declaring the Gatekeeper scan complete (“GK scan complete”), in this case 5.35 seconds;
• the time between the start of the XProtect scan (“Xprotect is performing a direct malware and dylib scan”) and the declaration of scan results (“GK Xprotect results”), here 5.33 seconds.

In Tahoe 26.0 no XProtect scan was attempted, as com.apple.xprotect entered in the log “Xprotect is skipping executable assessment”, and com.apple.syspolicy.exec confirmed “Skipping XProtect scan on seen software”. Despite that, the first of those times was nearly twice that required in Sequoia, at 10.29 seconds. The reason for this is unknown, but over that period the log contained about 13,000 entries reporting “SecKeyVerifySignature”.

As a result, a smaller and simpler app was used to test app translocation and its effects.

Quarantined first run, with app translocation

Instead of using Calibre as my test app here, I chose my own app Podofyllin, with its 442 KB executable and no dylibs or other complications. This was downloaded from here, unarchived automatically in the ~/Downloads folder and there run from the folder it came in, to ensure that it would be translocated.

Early in the launch sequence, com.apple.securityd writes a log entry indicating it has created the translocation directory “SecTranslocateCreateSecureDirectoryForURL”, following which diskarbitrationd replicates the app bundle to what appears as a different volume in the translocation path. Then a first run Gatekeeper assessment is performed, including an XProtect scan, checking the notarization ticket using CloudKit, a user approval dialogue, and setting up the app’s provenance tracking.

In Sequoia 15.7, the XProtect scan took 0.15 seconds, and the total period required for the Gatekeeper scan was 0.19 seconds.

In Tahoe 26.0, com.apple.syspolicy.exec logged “Skipping up front XProtect scan” and com.apple.syspolicy went straight on to perform the CloudKit lookup. This was confirmed later by com.apple.syspolicy.exec in “Skipping XProtect scan on seen software” just before reporting the Gatekeeper scan was complete. With no time required for the XProtect scan, the total used for the Gatekeeper scan was 0.16 seconds, 88% of that for Sequoia.

Stuck in translocation

Over the last couple of years it has become clear that some apps, even though they have been moved from their original download location, continue to undergo translocation whenever they’re run, and that can cause ongoing problems.

An app will be translocated if all the following apply:

1. the app has an apple.com.quarantine extended attribute attached;
2. the app must be opened by Launch Services (normally the Finder) rather than a command shell;
3. the app hasn’t been individually moved in the Finder from the folder it was unarchived or downloaded to, wherever that was.

Tests in recent macOS show that apps won’t be translocated if:

• they have no apple.com.quarantine extended attribute, or it has been removed;
• they have been moved individually in the Finder so they’re now enclosed in a different folder.

The following will normally result in the app being run in translocation:

• opening the app in the folder that it first arrived in, even if that folder has been moved elsewhere, such as into an Applications folder;
• moving the app at the same time as other apps, even if they’re all put into an Applications folder. Group or simultaneous moves in the Finder aren’t counted as a move that will stop future translocation;
• running the app again without moving it from a location from which it has already been translocated. Until the app is moved from that location, it’s likely to be repeatedly translocated every time that it’s run.

You can readily check whether an app is being run in translocation by starting the app and either:

• inspecting that app in Activity Monitor, by selecting it in the CPU view and clicking on the ⓘ tool,
• running ps xw | grep AppName in Terminal.

If the path shown for the app is something absurdly long like /private/var/folders/x4/[random chars]/T/AppTranslocation/[UUID]/d/, then it has been translocated.

If an app that appears to have been correctly installed is still being translocated, move it individually (one app at a time) from the folder it’s currently in to a different folder, run it from there, close the app, and move it back to where you want to keep it.

Conclusions

• macOS 26.0 Tahoe skips reported XProtect malware scans when a notarized app is run for the first time in quarantine, even when it has been translocated.
• Despite that, first run checks in Tahoe can still take significantly longer than in subsequent runs, although the reason for that isn’t clear from the log.
• If an app doesn’t appear to run properly, check whether it’s stuck in translocation. If so, free it as explained above.

By the early 1860s, the large and ancient Forest of Fontainebleau, to the south-east of Paris, had been attracting those of the Barbizon School, who painted realist landscapes in front of the motif. The next generation started visiting in 1865, and went on to form the French Impressionists.

In May 1865, the young Frédéric Bazille left the city of Paris for the Forest of Fontainebleau, where he painted Landscape at Chailly (1865) in company with Claude Monet, and possibly Auguste Renoir and Alfred Sisley. Although clearly influenced by the Barbizon School, his colours are much brighter, and escape the rather sombre browns and greens that dominated much of the work of that earlier art.

Sisley painted this Avenue of Chestnut Trees in La Celle-Saint-Cloud to the west of the forest in 1865, again in Barbizon style. He didn’t submit it to the Salon until 1867, when it was refused. It then remained unsold for ten years before being bought by Sisley’s patron Jean-Baptiste Faure, a celebrated opera singer.

The following year, Sisley walked through the forest with Renoir. He then stayed in the village of Marlotte, where Renoir, Monet, Bazille, Pissarro and Cézanne also visited to paint.

Sisley was more successful with Women Going to the Woods, completed in 1866. This was one of his two paintings exhibited at the Salon that year, and shows the main street in the village of Marlotte with a little rustic staffage.

Clearing in the Woods (1865) is Renoir’s first substantial (surviving) landscape painting, and shows strong influence from Corot. He adopts quite a detailed realist style in this view of a clearing in the midst of massive chestnut trees. These are believed to be near the small village of La Celle-St-Cloud, to the west of Paris not far from Bougival, rather than in the forest. It’s likely that he painted there in the company of Alfred Sisley, who made two views of the same site in very different style.

The following year Renoir painted his friend Jules Le Coeur and his Dogs in the Forest of Fontainebleau. This is unusual among his works, as it was preceded by two studies, and all three were made using the palette knife rather than brushes. This makes it most likely to have been painted before Renoir abandoned the knife and returned to the brush, by the middle of May 1866.

The following year Abbott Handerson Thayer, an American artist who trained in Paris, painted this wonderful oil sketch of Landscape at Fontainebleau Forest (c 1876). This is probably the loosest and most Impressionist painting of his career.

At some time in the late nineteenth century, the wealthy industrialist, amateur painter and patron of Impressionism, Henri Rouart painted In Fontainebleau Forest. This may have been inspired by Corot, but is a realist study in light, shade, and the texture of bark.

John Ferguson Weir was another American painter who had trained in Paris, and became the first director of the School of Fine Arts at Yale University. He visited in about 1902, when he painted Forest of Fontainebleau (c 1902), with its tiny solitary figure against the fallen trunk.

In 1867 Théodore Rousseau died in the village of Barbizon, and he was followed in 1875 by Jean-François Millet. By the twentieth century the forest had fallen out of favour with the new generation.

Among the foundations of visual design are two essential insights, into understanding human vision, and the experience gained from our long history of visual communication. Common to both is the importance of tone (brightness, lightness, etc.) and its contrasts. Not only do around one in twenty males struggle to distinguish some or most colours, but all of us rely on tone to interpret what we see in the absence of information from colours.

This has been illustrated throughout the history of visual art, where those who have excelled in visual communication have placed particular emphasis on tone. Consider Lucas Cranach the Elder (1472–1553) as an example of proven classical methods.

We know a lot about the tonal modelling that Cranach used in his Martyrdom of Saint Catherine painted in 1504-5, through the infra-red reflectogram below, which effectively looks through the paint layer at the underdrawing beneath.

Cranach’s assistants first laid a thin layer of light reddish imprimatura on the white ground of this panel. Once that had dried thoroughly, Cranach himself would have laid down the underdrawing using a pointed brush with carbon black ink. This extended to the tonal modelling shown clearly in the reflectogram.

Following that came undermodelling using grey tones of carbon black and lead white. Some of the darker garments were preceded by a local underpainting of black, a technique popular at the time for dark red fabrics in particular. Much of this seems to have been completed quickly, probably within a single day.

A common practice among masters discards colour altogether and builds the image using tone alone, known as grisaille.

Three centuries after Cranach, the great French illustrator and painter Gustave Doré (1832–1883) painted a group of three works about the Franco-Prussian War entirely in grisaille. Best known among those is The Enigma (souvenirs de 1870), from 1871.

Even a few minutes exposure to a screenful of macOS Tahoe’s windows demonstrates how its new design goes out of its way to ignore those essential insights, and present us with controls that are either bleached- or blacked-out depending on our choice of appearance mode.

In light mode, with default transparency, tool icons and text are clearly distinguished tonally, as are some controls including buttons and checkboxes. However, text entry fields are indistinguishable from the background, and there’s a general lack of demarcation, particularly between the controls and the list view below.

Oddly, dark mode outlines some controls better than light mode, but text entry fields and the list view below still lack demarcation.

One popular mitigation to this lack of tonal contrast is to resort to an Accessibility control that purports to reduce transparency rather than increasing contrast, although in fact its main advantage in Tahoe is to improve tonal contrast, at least in the toolbar.

This still has no effect on controls below the toolbar, and fails to demarcate text entry fields or the list view below.

The elephant in macOS Tahoe is its ignorance of human vision and our long experience of visual communication. It’s an elephant that comes in two appearance modes, bleached-out white or blacked-out black. It has little if any impact on the interface of Apple’s other OS 26es, but it makes macOS a pain to look at and harder to use. I feel sure that Lucas Cranach the Elder, Gustave Doré and every other self-respecting visual artist would be equally offended.

The Forest of Fontainebleau covers an area of about 250 square kilometres (almost 100 square miles) to the south-east of Paris. It’s mixed deciduous woodland, much of it ancient, with a royal castle at its centre. Around the edge of the forest are several small villages that have attracted painters since the early nineteenth century, and inspired two schools of painting: Barbizon, named after the village where most of its adherents gathered, and Impressionism. This weekend I show some of their paintings, starting today with examples from the Barbizon period up to the early 1860s.

The forest has been a favourite hunting ground for French kings, and for the Emperor Napoleon.

Among the paintings of François Flameng showing the Napoleonic period, one of the most striking is this scene of Napoleon Hunting in the Forest of Fontainebleau, where the pack is closing in on a cornered stag as the sun sets.

The royal castle, Château de Fontainebleau, was later used by Napoleon III for receptions.

Jean-Léon Gérôme articulated Napoleon III’s aspirations for empire in his elaborate formal painting of the Reception of Siamese Ambassadors by Napoleon III (1864), depicting the grand reception held at Fontainebleau on 27 June 1861. Gérôme attended in the role of semi-official court painter, made sketches of some of the key figures, and was further aided by photographs made by Nadar. He also included himself, and the older artist Ernest Meissonier (1815-1891), in the painting: I believe that they are both at the back, at the far left.

Achille Etna Michallon was one of the first great landscape artists to paint en plein air in the forest. His study of The Fallen Branch, Fontainebleau from about 1816 anticipates the Barbizon School in its motif, style and location. This large branch looks more like a dying animal.

A decade later, the British artist Richard Parkes Bonington visited briefly and both sketched and painted In the Forest at Fontainebleau (c 1825). The rocks here are particularly painterly, suggesting that this may have been started, if not completed, in front of the motif.

Towards 1830, inspired by the paintings of John Constable, several young French landscape painters started visiting the forest. The first was probably Camille Corot, who first painted there in 1822, and returned in earnest in the Spring of 1829, after his long stay in Italy to learn plein air painting technique in the Roman campagna.

In Corot’s Fontainebleau Forest (The Oak) from about 1830, the twisted limbs of the oak have taken time and care, sufficient to give texture and shadows to the trunks and branches. Where the canopy is more broken he painted the leaves in considerable detail.

Corot was joined by Théodore Rousseau, Constant Troyon, Jean-François Millet, Paul Huet, and later Charles-François Daubigny and Henri Harpignies. Although many of their paintings were made in the forest, few have been located with certainty.

When Harpignies was on the edge of the Forest of Fontainebleau, he painted largely en plein air, including this fine view of Fir Trees in Les Trembleaux, near Marlotte from 1854.

The great animalière Rosa Bonheur lived on the edge of the forest, where she painted some fine watercolours, including her Deer in the Forest of Fontainebleau (1862). By that time, the next generation was getting ready to take over from the Barbizon School.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Two credentials or 762 should be superseded by passkeys.

2: Notably from Autodesk but once by Claris, it’s 3,245.

3: From the Mac II until replaced by USB, 2,779 was quite enough.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

If there’s one topic that needs explanation currently, it’s how macOS updates XProtect’s data. Let me try.

Up to and including macOS Sonoma

Until this changed in Sequoia, updating XProtect has been straightforward: its data is stored in a bundle named XProtect.bundle, in the path /Library/Apple/System/Library/CoreServices, on the Data volume so it can readily be updated. When you or macOS downloads and installs an XProtect update, it simply replaces that bundle with the new one. This is shown in the diagram below.

The source of those updates is Apple’s Software Update Service, through the Software Update pane in System Preferences or System Settings, the softwareupdate command tool, or an app like SilentKnight. Left to its own devices, macOS normally checks for updates soon after starting up, and once every 24 hours running after that.

Early Sequoia

XProtect in macOS 15 prefers not to use the XProtect.bundle in its old location of /Library/Apple/System/Library/CoreServices, instead looking for XProtect.bundle in its new location, /var/protected/xprotect.

However, when you or your Mac use the old update system, including Software Update, softwareupdate or SilentKnight, that still installs the update in the old location, where it won’t normally be used by XProtect when making its checks. What was supposed to happen in early versions of Sequoia was that at least once a day, macOS checked whether there was a newer update in the old location. If there was, then it should have automatically prepared and moved that to the new location in /var/protected/xprotect for XProtect to use.

If you wanted that to happen immediately, then you could run the following command in Terminal:
sudo xprotect update
then enter your admin user’s password. The xprotect command tool would then complete the installation of that update from its old location into its new one.

There’s also a second way that XProtect in early Sequoia could be updated, and that’s over a connection to iCloud. If that was used, then the update was installed straight into its new location, and didn’t change the XProtect bundle in the old location at all. Although Apple had used that earlier, all XProtect updates since the release of Sequoia came using the old Software Update system, so needed to be completed using the xprotect command in Terminal.

This is shown in the diagram below. The blue boxes show the old Software Update system, and the pink boxes are the new parts that ensure the update is installed in the new location.

Later, that changed and Apple started releasing updates via iCloud. By about macOS 15.3, xprotect update was no longer able to install XProtect in the new location, and that was only possible once that update had been released to iCloud, from where xprotect update could download and install it to the new location.

Late Sequoia and Tahoe

With the release of macOS 26.0 Tahoe, this changed again. Macs running the latest versions of Sequoia and any version of Tahoe (after 26.0 release) continue to update the old location in /Library/Apple/System/Library/CoreServices as before.

Updating the new location in /var/protected/xprotect can occur by two methods. A background service XProtectUpdateService can:

• ‘activate’ an update from the old location by installing a copy to the new location;
• use CloudKit to download an update available in iCloud and install it directly to the new location.

That service is scheduled to run once every 24 hours.

The end result can appear confusing, but is summarised in the diagram below.

There are two routes for XProtect data to be updated in the new location:

• XProtect in the old location is updated by softwareupdate, then XProtectUpdateService runs later and installs a copy of that update to the new location.
• XProtectUpdateService runs and detects an update available from iCloud, so downloads and installs that in the new location. That occurs even when the old location hasn’t been updated yet, but depends on the update being offered in iCloud.

Both of those updates run silently, and the only ways to check that the new location has been updated are to:

• check the version in /var/protected/xprotect,
• run xprotect version,
• use SilentKnight or Skint.

As far as the user is concerned:

• Updating XProtect in the old location is worthwhile, as it should enable XProtectUpdateService to update the new location from that.
• Running xprotect update in Terminal is only worthwhile if the new location hasn’t yet been updated, but that update has been released via iCloud, as confirmed using xprotect check.
• Either of the new update mechanisms should be run automatically within 24 hours of an update being released.

Summary

• In macOS Sonoma and earlier, XProtect updates come via Software Update, and are simple.
• In macOS Sequoia and later, XProtect updates are more complex, but should happen as if by magic within about 24 hours of their release.

The Eurasian wolf has been subject to a general campaign of extermination across much of Europe since the Middle Ages. The last in England was killed by the end of the fifteenth century, in Scotland in 1684, Denmark in 1772, and Norway in 1973. This hasn’t deterred artists from reminding Europeans of their sinister reputation.

Early in Ovid’s Metamorphoses, he tells of Lycaon, who was transformed into a wolf by Jupiter as punishment for cheating him.

Jan Cossiers’ impressive Jupiter and Lycaon from about 1640 shows Jupiter’s eagle vomiting thunderbolts at Lycaon, who is hurrying away as he is being transformed into a wolf, becoming the prototype for the werewolf of the future (see below).

Wolves got a better press in the popular account of the origins of Romulus and Remus, founders of Rome. Numitor’s daughter, a Vestal Virgin, was discovered to be pregnant. Although that would by tradition have led to her death, Amulius’ daughter interceded, and she was merely kept in solitary confinement. She gave birth to twin boys, who were superhuman in their size and beauty. Amulius ordered one of his servants to take the twins away and drown them in the river, but they were put first into a trough that functioned as a boat. As a result they were washed ashore downstream still alive. A she-wolf then fed the babies, and a woodpecker watched over them; both were later considered to be sacred to the god Mars.

One of the frescoes in the Palazzo Magnani, probably painted by Ludovico Carracci and/or Annibale Carracci, shows the She-Wolf Suckling Romulus and Remus (1589-92). The twins are still inside the trough in which they had survived their trip down the river, and on the opposite bank a woodpecker is keeping a close watch.

Peter Paul Rubens shows Romulus and Remus being discovered by Faustulus, in his painting of 1615-16. Not only is the she-wolf taking care of the twins, but a family of woodpeckers are bringing worms and grubs to feed them, and there are empty shells and a little crab on the small beach as additional tasty tidbits.

Despite that, the wolf had a fearsome reputation in Europe, no doubt amplified by those who sought its extinction.

Pieter Brueghel the Younger’s The Good Shepherd from 1616 shows a shepherd being attacked by a wolf, as he tries to save his flock, which are running in panic into the nearby wood.

Christian associations can be more positive, particularly in the legend of Saint Francis of Assisi and the wolf of Agubbio, or Gubbio, a small mediaeval town in the Apennine Mountains in central Italy. The saint did a deal with the wolf, where the animal would stop terrorising the town, in return for its people providing it with food.

Luc-Olivier Merson’s marvellous painting of The Wolf of Agubbio from 1877 is set in the town’s central piazza, where it’s a cold winter’s day, so cold that the waters of its grand fountain are frozen as they cascade over its stonework. As the townspeople go about their business, there’s the large wolf of its title with a prominent halo, standing at the door of the butcher’s shop. Leaning out from that door, the butcher is handing a piece of meat to the wolf, as shown in the detail below.

A wolf may also appear in association with the Christian virtue of charity, as depicted by Pierre Puvis de Chavannes.

His Charity from 1887 is a personification of one of the seven Christian virtues set in timeless classical terms. She is the mother of twins, one of whom she holds by her breast. She is clasping the back of the neck of a dark wolf, lying beside her, adding an unusual touch. This had apparently become a popular motif, and only nine years previously had been painted by William-Adolphe Bouguereau in contrasting Academic style.

A wolf is one of the three fearsome animals to threaten Dante in the opening of his Divine Comedy. Camille Corot’s painting of Dante and Virgil from 1859 shows Dante as he started to walk up a hill, only to find his way blocked first by a leopard, then by a lion, and finally by a wolf.

Wolves have made their way into other legends and fables.

Jean-Baptiste Oudry’s undated The Wolf and the Lamb tells a popular story (Perry 155, La Fontaine I.10) in which a wolf tries to justify killing a lamb on the strength of its criminal record. The lamb proves each crime claimed by the wolf to have been impossible, so the wolf says that the offences must have been committed by someone else in the lamb’s family, therefore it can proceed to kill the lamb anyway.

Gustave Moreau revisited Aesop’s fables late in his career. The Wolf and the Lamb of 1889 is, I believe, a monochrome image of a painting made in full colour, whose wolf looks more threatening than Oudry’s.

Mediaeval folk mythology developed stories of humans turning into wolves, although these were temporary transformations associated with cannibalistic episodes. They became progressively refined and popularised into the Gothic ‘horror’ stories of werewolves feeding on human blood, although those didn’t reach painting until the twentieth century.

Stuart Pearson Wright’s magnificent Woman Surprised by a Werewolf (2008) was inspired by the movie An American Werewolf in London (1981), itself a further transformation of werewolf stories into comedy horror form. The artist intended “to explore that uncharted place where the mystery and sublime of the romantic landscape meets the high camp and melodrama of Hammer horror”, which has come a long way from Ovid’s original story of lycanthropy.

Finally, wolves can sometimes be depicted as hunting quarry.

Peter Paul Rubens’ Wolf and Fox Hunt from about 1616 is one of his brilliant series of hunting scenes, here featuring two large wolves.

The good news is that, since the 1950s, populations of wolves in Europe have been recovering, and with the exception of the British Isles, they’re gradually re-establishing themselves in those countries that had previously hunted them to death.

Virtual Machines running macOS on Apple silicon Macs are more versatile than the host they run on. When you want to create a new VM, or modify an existing one, there are some powerful options available.

One of the most useful is to duplicate an existing VM: as APFS will do that using clone files, and the virtual disk in a VM is stored as a sparse file, that will use much less disk space than making a completely new VM. If you’re likely to need a supply of VMs running the same version of macOS, why not create a base VM using the IPSW for that version, duplicate it, then set up each clone as you require?

For even more flexibility, you can increase the size of the VM as I have already explained. The only remaining problem is how you can migrate the contents of one VM to another. Although my previous attempts to do this had been unsuccessful, Michael was kind enough to provide the solution, and this article explains how to use Migration Assistant in two VMs running concurrently to copy the contents of one VM to another, on the same host Mac. This should also enable you to migrate between a VM and a Mac.

To perform a successful migration, Migration Assistant needs to connect to a mounted Data volume on local storage, or over a network. It can’t use a VM shared folder on the host as the source (server). If your virtualiser supports root level access to USB storage, enabling it to mount an external disk in the VM, then you should be able to migrate from a Time Machine or other backup on that disk. Migration can be performed during initial setup and customisation of macOS, or by running Migration Assistant later. In this walkthrough, I’ll use the former.

You need

To do this, the virtualiser has two fundamental requirements:

• it must be able to run two macOS VMs concurrently,
• you must be able to assign them different MAC addresses.

Apple enforces a limit of two macOS VMs running concurrently on the same Mac, a rule written into the macOS license. Although that might seem stingy, macOS isn’t like Linux and you can’t run Tahoe on a single core with a mere 3-4 GB of memory. However, if you can spare at least 3 P cores and around 12 GB of memory for each, there should be ample to perform a migration. In practice, that means the host Mac should have a total of eight or more P cores, and at least 32 GB of memory.

MAC addresses are supposed to be unique. As the connection between these two VMs is over your local network, your DHCP server must allocate them two different IP addresses, or they won’t be able to migrate. The way to ensure that works is to assign each VM its own and different MAC address.

My own free Viable satisfies both requirements. Here I’ll use that to set up a new VM as the migration client, using an existing VM as the server. For the sake of simplicity, I’ll assume the MAC address of the server is the default, and won’t change that.

Procedure

This uses two macOS VMs running at the same time:

• the destination for the migrated files is a new VM and is the migration client,
• the source of those files is an existing VM and is the migration server.

Start by installing the IPSW to create your new VM. Rather than going straight on to its first run, at this stage open the server VM with the default MAC set, log into it, and locate Migration Assistant in /Applications/Utilities ready to run.

Now change the MAC address in Viable’s window to something different. I used d6:a7:58:8e:79:d4 instead of d6:a7:58:8e:78:d4. Then open the new VM, the migration client, and take it through its configuration, opting to migrate to it from another Mac.

When you reach the screen that sets that up, open Migration Assistant on the server VM, and set it to transfer data To another Mac. Then switch back to the client VM, and you should see that server offered as the source for your migration. Select it and perform the PIN authorisation so they can connect.

On the client, select the items you want to migrate to that VM, and proceed.

After a few minutes, the migration should complete, allowing the client to finish setting up with its new user account. You can then shut down the server and reset the MAC address and other settings in Viable.

Summary

Viable’s narrative documents the sequence:

• Install the IPSW to create the new client VM.
• Start up the server VM with 3 cores and 12 GB memory, and the default MAC of d6:a7:58:8e:78:d4.
• Start up the client VM, with the same cores and memory, and a different MAC of d6:a7:58:8e:79:d4
• When the new (client) VM reaches the Transfer information to this Mac window, open Migration Assistant on the server (old) VM and set it to transfer To another Mac.
• Select the items to migrate on the new (client) Mac and proceed.

Apple’s instructions on migration are here.

During the 1890s Christian Krohg was kept busy as a journalist. He visited the Lofoten Islands in the far north of Norway in the summer of 1896, and the following year visited the Netherlands and France. The year after, 1898, saw more travel, this time to Spain and France. He returned to Oslo in the late summer, where he remained until 1901.

In the late 1890s, Krohg returned to painting maritime motifs. These included yachting, as in The Shoal of 1898, showing a small wood-hulled cruising yacht sailing past a post mounted on a submerged pinnacle. In the depths below the post there are vague forms suggesting the hidden shoal. Unusually for Krohg, there isn’t a single figure to be seen, just the marker, the boat, and a choppy sea.

Judging by the number of Krohg’s paintings featuring small yachts, he appears to have been an enthusiastic sailor, although I haven’t seen any mention of that.

In his Setting Sail (c 1900), Krohg has switched to a clinker-built fishing boat, as two of its crew haul on a line to raise one of its sails. His figures are rougher and more sketchy here, but are clearly the same weather-beaten working men that he had painted previously. His composition crops the boat, figures, and mast closely, possibly influenced by photography; he’s believed to have become an enthusiastic photographer by the end of the nineteenth century.

Reefing the Sails (1900) is a more finished work, probably painted entirely in the studio, of two crew working at a height on a square-rigged sailing ship, another step up in scale. As they balance precariously to secure the sail to the spar, the sea far below them is white with breaking waves. Once again Krohg uses a close-cropped composition that may well have been based on a photograph.

Evening Breeze (c 1900) continues his maritime theme, but seems an odd, one-off painting. A nude woman stands in front of the setting (or rising) sun, holding her long blonde tresses out at arm’s length. She appears unreal: pale, almost a vision rather than solid and substantial form. I wonder if this was Krohg’s articulation of a new artistic vision.

In 1901, Krohg and his family moved to Paris. Although this was ostensibly to continue with his writing, he was soon taking on private pupils in art, and the following year returned to more serious painting when he started teaching at the Académie Colarossi in the city.

The only painting of Krohg’s I have been able to find from this period is another unusual one-off: The Umbrella (1902), which looks from its white picket fences as if it may have been painted in Norway. It’s a view looking down, presumably from the window of a building, on a lone woman. She is walking up a rough earth track, strewn with rocks, in windy weather. The umbrella of the title has been blown out by the wind. This reminds me of some of the optical explorations in Caillebotte’s earlier paintings.

Christian’s wife Oda painted this wonderful Portrait of Christian Krohg in about 1903. Although made during their years in Paris, it shows the artist by the Grand Café on Karl Johans Gate in the centre of Oslo, as a military band marches along the tramlines.

It wasn’t until 1909 that the Krohgs moved back to Norway, where Christian was appointed the first professor and director of the State Academy of Art (Statens kunstakademi), the latter post being held until the year of his death. The following year he finally ceased work as a journalist.

Krohg then tackled a new theme over a series of paintings. The first may be this Toilet (1912), in which a woman is seen in front of a full-length mirror. Although her clothing appears light and flimsy, as if underwear, she looks to be wearing a hat, at least in her reflection, where its brim stands proud of her head. Krohg’s facture is rough, and the woman’s features are partially obscured in his marks.

The Model (c 1913) is a sketchy portrait of a nude woman, who is just turning the knob of a door to open it, perhaps at the end of a modelling session. Krohg painted others in this series.

Girl Tying her Garter (1914) might bring the series to a logical and temporal conclusion, as a model completes dressing, ready to walk out of the studio. The strange object hanging at the top left appears to be an artist’s palette, or a hat.

In his latter years, Krohg returned to his major theme of the fallen woman and prostitution. In 1917, he produced a new compositional sketch for his famous Albertine in the Police Doctor’s Waiting Room that he felt addressed his earlier painting’s theatricality.

He also painted an almost Dickensian narrative in his Seamstress’s Christmas Eve (1921). A young woman is in her garret bed-sit, where she has been toiling long hours at her sewing machine. An affluent couple, relatives or employers perhaps, have just arrived to give the young woman a Christmas tree, a large wicker basket of presents, and more. The oil lamp on the sewing table casts only a weak light, making the scene appear almost monochrome, in keeping with the young woman toiling in poverty and squalor.

Five to Twelve (c 1924) was one of Krohg’s last paintings, and appears to be a self-portrait. He’s shown with a long white beard, and almost bald, asleep in a chair underneath a pendulum clock. The face of the clock is completely blank, but the title tells us the time: it is five minutes to midnight, very late in his life.

In 1925, Krohg retired as the director of the State Academy of Art, and he died in Oslo a few months later, on 16 October. Although his paintings have been exhibited at many solo events in the Nordic countries, and alongside the works of others in many overseas exhibitions, he has still not had a one-man show outside Scandinavia, as far as I am aware.

References

Skagens Museum, Denmark
Øystein Sjåstad (2017) Christian Krohg’s Naturalism, U Washington Press. ISBN 978 0 295 74206 9.

If your Mac starts to boot but doesn’t get as far as displaying the login window, one of four things should happen:

• if it has been upgraded to macOS 26 Tahoe or later, it might restart into Recovery Assistant;
• it might restart, and repeat the same sequence again;
• it might simply freeze and go no further;
• it might shut itself down again.

The second of those is the most urgent, as it’s in a boot loop, and you need to force it to shut down by pressing and holding the Power button. Although macOS should limit the number of boot loops, don’t leave it to continue looping. If your Mac appears to have frozen, wait for up to an hour before forcing it to shut down, as it could be in the middle of checking and repairing disks, which you shouldn’t interrupt in case it proves successful.

Recovery Assistant

This is a new feature in Tahoe, and uses latest data from Apple to try to recover your Mac automatically. For it to do that it requires an internet connection, preferably over Wi-Fi.

Distinctive to its opening window is its first aid symbol ⊕. Click on the Continue button to move on, and follow its instructions. At the end of that, you should see one of three outcomes:

• no problems were found, and you can restart your Mac back into normal mode;
• problems were found and repaired successfully, so you can restart your Mac back into normal mode;
• problems were found but aren’t fully repaired.

When your Mac restarts, it may show a notification that you need to recover iCloud data. If so, open System Settings and you should see a new item in its sidebar to Recover iCloud Data.

If that doesn’t fix your Mac, you’ll almost certainly need to start up in Recovery and try to fix it there.

Boot loops and freezes

Boot loops happen when a kernel panic occurs during the boot process, before the login window is displayed. When the Mac tries to restart as a result, it hits the same kernel panic, and starts the cycle again. Boot freezes are the opposite: instead of repeatedly cycling through reboot-panic, the boot process comes to a complete halt, normally showing a stuck progress bar on the display. Thankfully neither is in the least common, and should have become even rarer with the introduction of the Signed System Volume (SSV) in Big Sur and later, and the deprecation of third-party kernel extensions.

What you do next on an Apple silicon Mac depends on whether it’s trying to load third-party kernel extensions. As Intel Macs don’t enjoy the same secure boot process, dealing with them is more difficult.

When an Apple silicon Mac is running at Full Security, the only kernel extensions that it loads are those provided in macOS, whose integrity is checked during the boot process. Any third-party kernel extensions included in the Auxiliary Kernel Collection in /Library/KernelCollections remain untouched. Likely causes of kernel panics during booting in Full Security mode include failure of validation of the on-disk root hash of the SSV, and hardware faults or errors, either internal or external.

An Apple silicon Mac running at Reduced Security can load third-party kernel extensions from the Auxiliary Kernel Collection in /Library/KernelCollections when that is explicitly enabled in Startup Security Utility. In the absence of any more probable reason for a kernel panic occurring during booting, it should be assumed that the cause is a third-party kernel extension, and that should be disabled in Recovery mode. This can only be done in paired Recovery, following a single long press of the Power button, not in fallback Recovery.

Restarting in Full Security should then complete normally, and allow the third-party kernel extension to be updated or uninstalled as needed.

Diagnostics and Recovery

In most cases, boot loops and freezes are best assessed by disconnecting all suspect peripherals, running Diagnostics and Disk Utility’s First Aid in paired Recovery mode. If that isn’t available, then Fallback Recovery can be used instead. Unfortunately, the most valuable diagnostic tool for kernel panics, the panic log, usually isn’t accessible when a panic has occurred during boot, although it may be shown when you get the Mac to start up normally again.

Before starting up in Diagnostics, disconnect all peripherals, except those that are essential such as keyboard, mouse/trackpad and any primary external display. Ensure a good Wi-Fi network connection can be made. If the problem occurred when trying to boot from an external disk, or if that Mac had previously been booting from one, it may be better to leave that connected; historically, some older combinations of firmware and macOS panic when an external boot disk has been disconnected but is still expected for the next boot.

On Apple silicon Macs, Diagnostics is unique in relying on a hidden key combination: at the initial Recovery screen, hold Command-D until the Diagnostics Loader starts. This may require download of the disk image from Apple’s servers before testing can proceed. Once loaded, there’s a hidden option for extended diagnostics that can be triggered by holding the Command-E key combination.

Disk Utility is accessed as usual from the main Recovery window.

Advanced tools

Previous tools for the management of kernel extensions included kextload, kextunload and others. In Big Sur and later, these have been replaced by a single command tool kmutil, which is inevitably complex to use. Full details are given in its man page, which is extensive and an excellent source of additional information.

There are at least four kmutil commands that could prove useful:

• kmutil trigger-panic-medic, only available in recoveryOS, clears the AKC at /Library/KernelCollections and forces it to be rebuilt, requiring each kernel extension to be re-approved before it can be loaded. This is intended to be used to recover a system following a kernel panic generated by one of the kernel extensions in the AKC.
• kmutil inspect lists all currently installed kernel extensions according to their collection.
• kmutil clear-staging clears the contents of the staging directory /Library/StagedExtensions.
• kmutil unload -p /path/kextname.kext unloads the kernel extension specified by /path/kextname.kext. This terminates and unloads it, but doesn’t remove the original kernel extension or any staged copy. Unless you also remove the kernel extension and remove it from its collection, it’s likely to load again at the next boot.

In theory, removing the original kernel extension by removing the app which contains it, or deleting it from /Library/Extensions, should trigger kernelmanagerd to remove it from the Auxiliary Kernel Collection and the staging directory /Library/StagedExtensions. However, that won’t take effect until after the next reboot. If the kernel extension isn’t then removed, it may be worth using kmutil clear-staging, and if necessary kmutil trigger-panic-medic in Recovery mode. Remember that kernel extensions may be left unused in staging, and are protected there by SIP, making manual removal tedious at best, and possibly pointless.

While system extensions shouldn’t cause kernel panics or freezes during the boot process, the command tool available to manage them is systemextensionsctl. You can use
systemextensionsctl list
to list all known system extensions and their status.

To remove an orphaned system extension, with SIP already disabled, first list those known using
systemextensionsctl list
to provide the teamID and bundleID. Then use those in the command
systemextensionsctl uninstall teamID bundleID
and don’t forget to re-enable SIP immediately afterwards.

Reinstalling macOS

Historically, reinstalling macOS has often been advocated as a means of addressing boot loops and freezes. In Macs that perform full checking of the integrity of the SSV, Intel Macs with a T2 chip and Apple silicon models, that’s generally unwarranted.

Another option worth considering might be starting up in Safe mode, as that blocks the loading of most third-party components that could cause conflicts before the login window is loaded.

Reviving firmware

One well-known if rare cause of boot looping is a problem with firmware. For Intel Macs with T2 chips and Apple silicon Macs, the preferred solution to that is to boot the Mac in DFU mode, connect another Mac running a recent version of macOS, and perform a Revive from there. This is non-destructive of the SSV and Data volume, unlike a full Restore. Apple provides detailed instructions for you to do this yourself, provided you have the necessary second Mac and cable.

The cable used mustn’t be Thunderbolt, but plain USB-C. That’s because DFU mode doesn’t support Thunderbolt or its cable. Connect that to the designated DFU port on the Mac you’re going to Revive. That can be found in Apple’s note, or in Mactracker.

Summary

• If it starts up in Recovery Assistant (Tahoe and later only), ensure an internet connection and continue with that.
• If it’s stuck in a boot loop, force shutdown with the Power button, and disconnect all non-essential peripherals.
• If it appears frozen, leave it up to an hour in case it’s repairing its disk, before forcing shutdown.
• Try starting up in Recovery.
• For Apple silicon Macs in Reduced Security, disable loading of third-party extensions and set it to Full Security in Startup Security Utility.
• Consider running hardware Diagnostics.
• On Intel Macs consider kmutil trigger-panic-medic in Recovery.
• Try Revive in DFU mode to refresh firmware.
• Good luck!

Apple has released its weekly update to XProtect, bringing it to version 5318. As usual, it doesn’t release information about what security issues this update might add or change.

This version makes several changes to the Yara definition for MACOS.COMPLIANTPIRATE.DEFU, but doesn’t add any new detection rules.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5318

Sequoia and Tahoe systems only

This update has now been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5318 but your Mac still reports an older version is installed, you should be able to force the update using
sudo xprotect update
However, if the regular update has been installed in the old location, XProtect is likely to update its new location from that. There’s nothing you can do to force that, but it may well explain why your Mac seems to have updated itself.

Updated 0450GMT 9 October 2025.

Before the Dutch Golden Age, painting scenes at night had been restricted to religious and other narrative works, and very few if any landscapes had been depicted during the hours of darkness. After all, what’s the point of a view if it’s all dark and you can’t admire it?

The Dutch Republic changed that, in part because it was in Northern Europe, where for several months each year it’s mostly dark, and these nocturnes had novelty value. Among those of the middle class who could afford to, it was fashionable to cover the walls inside your house with paintings, and nocturnes, known then as maneschijntjes (moonshines), certainly brought variety to those collections.

Aelbert Cuyp’s view of the Sea by Moonlight from about 1648 is one of the earlier maritime nocturnes, something of a sub-sub-genre that must have been sought after. Unlike many others, this appears to be faithful to the original light.

During the 1640s, Aert van der Neer, a landscape painter in Amsterdam, started experimenting with his first nocturnes, and came to specialise in them.

His River View by Moonlight from about 1650-55 shows a bustling village on a river, with several boats under way and two windmills in the distance. The moon appears to be depicted faithfully in terms of size, without the common tendency to exaggerate that as a result of the Moon Illusion. Surviving studies for some of these nocturnes demonstrate that van der Neer initially sketched a landscape in daylight, and based the detail in his finished studio painting on that.

In about 1655, he painted this finely detailed River Landscape with Moonlight, with a larger moon lighting clouds dramatically.

Some of his best nocturnes are lit by a combination of the moon and the warmer light from a fire. This undated Estuary Landscape by Moonlight uses light from both sources to great effect. Landscape details are shown largely in silhouette, and lack internal detail except in the group gathered around the fire in the foreground. Van der Neer is unusually faithful to reality in this monochrome, the result of the severely impaired colour vision we all suffer in conditions of low light, when there’s insufficient to enable colour vision using the cone cells in the human retina.

At some stage, van der Neer started painting more destructive fires, including this undated Fire in Amsterdam by Night, leading to another sub-sub-genre that was taken up by others.

In mid 1652, Jan Abrahamsz Beerstraaten seems to have witnessed the destruction by fire of part of the centre of Amsterdam, which formed the basis of his studio painting of The Old Town Hall of Amsterdam on Fire, 7 July 1652 (1652-55). Local inhabitants are walking in orderly queues to boats, in which they escape from the scene. This may have been the same fire painted by van der Neer, above.

Egbert van der Poel specialised in these brandjes,, and probably painted more than any other artist in history. He moved to Delft in 1650, and four years later was a victim of the massive explosion in a gunpowder store there on 12 October 1654. That killed one of his children, and he moved again to Rotterdam.

It has been thought that most of van der Poel’s Fire of a Church with Staffage and Cattle from 1658 is a carefully-composed composite of his experiences. A small church at the edge of a village is well ablaze, and the inhabitants are abandoning it, taking all the possessions they can, including their horses and livestock, and leaving the fire to burn itself out.

Van der Poel’s undated A Fire at Night shows a similar scene and composition, set this time on the bank of a canal.

One established exception to this is van der Poel’s Fire in De Rijp of 1654, completed in 1662. This shows a fire that worked its way through more than eight hundred buildings in the town of De Rijp during the night of 6 January 1654. This left only the northern section of the town standing and inhabitable, and resulted in more casualties than did the more famous explosion in Delft at the end of that year.

Doubt is cast on this received account of van der Poel’s work by sketches such as this, of The Fire in the Nieuwe Kerk, Amsterdam, in 1645, made in front of the motif using washes with touches of pen and brown ink. Perhaps he was the first ‘ambulance chaser’ who travelled out to sketch fires, from which he later painted his famous brandjes in the studio.

For the non-specialist like Jacob van Ruisdael, winter was an ideal opportunity to explore the effect of negative images, where objects that would normally be seen as dark on a light background were reversed to white on dark.

Van Ruisdael painted at least two such landscapes featuring trees. Both are now known by the same name, and are believed to be from the same decade. This Winter Landscape (c 1660-70), in the Mauritshuis, picks out frosted leaves in the half-light of dusk or dawn, by a hamlet at the water’s edge. In the far distance, to the left of the buildings, there is a church with a spire.

The other version of Winter Landscape (c 1660-70) is in Birmingham, Alabama. With similar sky, cloud, lighting, and composition, the water here appears to have frozen over. The frost on the trees is just as delicately handled.

If you ever encounter an error when checking an APFS volume using First Aid in Disk Utility or fsck_apfs, you won’t be informed of the path and name of the item responsible, but given its inode number, in an entry like
warning: inode (id 402194151): Resource Fork xattr is missing for compressed file

The inode number given can only be resolved to a path and file/folder name if you also have a second number giving the volume for that item. As that will be for the volume being checked at the time, you should be able to identify that immediately. The only time that you might struggle to do that is with items in a snapshot; those should, I think, be the same as the volume they are taken from. However, as snapshots are read-only, there’s probably little point in pursuing errors in them.

To resolve these in my free utility Mints, open its inode Resolver using the Window / Data… / Inode menu command. Drag and drop another file from the same volume onto that window.

The Resolver will then display that file’s volfs path, such as
/.vol/16777242/1241014

All you need do now is paste the inode number given in the warning or error message in Disk Utility or fsck_apfs, into the Inode Number box at the top of the Resolver window, and click the Resolve button. Mints then looks up information for that inode number on the same volume, using GetFileInfo, and displays it below.

One drag and drop, a paste, and a click to discover what APFS is complaining about.

Command line

You’ll sometimes see Terminal’s find command with the option -inum recommended as a way to convert from an inode number to a regular path. Although you can do that, it’s easier to use the command GetFileInfo instead. For that you’ll need the full volfs path, including the volume number.

To find the volume number, use my free utility Precize, and open another file on the same volume. The second line in its window gives the full volfs path for that file. Copy the start of that, leaving the second number, the inode, such as
/.vol/16777238/

Alternatively, you can use the stat command as given below.

In Terminal, type
GetFileInfo
with a space at the end, and paste the text you copied from Precize. Then copy and paste the inode number given in the First Aid warning, to assemble the whole command, such as
GetFileInfo /.vol/16777238/402194151

Press Return, and after a few seconds, you should see something like
file: "/Users/hoakley/Library/Mobile Documents/com~apple~CloudDocs/backup1/0MintsSpotlightTest4syzFiles/SpotTestA.rtf"
type: "\0\0\0\0"
creator: "\0\0\0\0"
attributes: avbstclinmedz
created: 05/17/2023 08:45:00
modified: 05/17/2023 08:45:00
giving the full path and filename that you want.

GetFileInfo is one of the oldest commands in macOS, and has been deprecated as long as anyone can remember. I suspect that Apple is still trying to work out what can substitute for it.

Get a volfs path for a file

Use Precize to run this the other way around: open the file and read the path in that second line. To copy the whole of it, press Command-2.

The simplest ways of obtaining inode numbers and so building volfs paths in Terminal are using the -i option to the ls command, and for individual items using stat:
ls -i lists each item in the current directory, giving its inode number first, e.g.
22084095 00swift
13679656 Microsoft User Data
22075835 Wolfram Mathematica
and so on;
stat myfile.text returns
16777220 36849933 -rw-r--r-- 1 hoakley staff […] myfile.text
where the first number is the volume number, and the second is the inode number of that item, or /.vol/16777220/36849933.

Almost all who paint in oils use conventional brushes, but there’s a significant minority who sometimes, or frequently, use different tools to apply and shape the paint layer. Of those, the most popular are palette knives, generally used to move and mix paint on the palette. Others have used the other end of the brush stick to incise, or their fingers.

Marie Bashkirtseff’s painting of a class in the Académie Julien in Paris in 1881 demonstrates how oil painting should be done by the textbook. The artist, shown in her self-portrait in the centre foreground, is using a long-bladed palette knife to prepare the paint on her palette. At her feet, on an old sheet of newspaper, are her brushes, all with handles of typical length, and the pupil behind her is using a maul stick to rest her right hand while painting with her brush.

Gustave Courbet applied his paint using a palette knife for some of his paintings. This has been identified from the facture in some of his paintings of caves that he made from about 1864, including The Grotto of Sarrazine near Nans-sous-Sainte-Anne above.

Another enthusiast for painting with a knife was Auguste Renoir.

In 1866, Renoir painted his friend Jules Le Coeur and his Dogs in the Forest of Fontainebleau. This is unusual among his works, as it was preceded by two studies, and all three were made using the palette knife rather than brushes. This makes it most likely to have been painted before Renoir abandoned the knife and returned to the brush, by the middle of May 1866.

Renoir returned to the technique in The Mosque, also known as Arab Festival, in 1881. Small strokes of bright colour and energetic work with the palette knife give it a strong feeling of movement, and it so impressed Claude Monet that he bought it from Durand-Ruel in 1900.

Anna Althea Hills’ Fall, Orange County Park (1916) is a classic and highly accomplished plein air painting that appears to have been made with extensive and deft use of the knife, particularly in the foreground.

Perhaps the most famous artist who is known to have painted with his fingers is Leonardo da Vinci.

This Annunciation, painted in oil and tempera on a poplar panel, is generally agreed to be one of the earliest of Leonardo’s own surviving paintings. When it was painted is in greater doubt, but a suggestion of around 1473-75 seems most appropriate. There are numerous pentimenti, particularly in the head of the Virgin. Its perspective projection is marked in scores in its ground and Leonardo used his spontaneous and characteristic technique of fingerpainting in some of its passages.

Finally, some painters are well-known for their use of brushes with exceptionally long handles. These enabled them to stand back, sometimes almost on the opposite side of their studio, get an overall view of their canvas, and paint from the same distance as a viewer.

Like all plein air painters, Paul César Helleu (1859–1927) shown in John Singer Sargent’s An Out-of-Doors Study from about 1889, is using brushes with handles of modest length. His canvas is fairly small, and he’s working close-in while clutching a brace of brushes in his left hand. Some designed for use when painting in front of the motif have even shorter handles, but when back in the studio Helleu would almost certainly have opted for longer.

Whistler was renowned for using brushes with handles over one metre (39 inches) long, and appears to have used them when painting Symphony in White No. 1: The White Girl in 1862 on a canvas just over two metres (78 inches) tall. He reworked it between 1867-72 to make it more ‘spiritual’ and reduce its original realism.

Early in his career, Joaquín Sorolla established his reputation of painting ‘voraciously’, often using brushes with extremely long handles and large canvases. Although Sewing the Sail from 1896 may look a spontaneous study of the effects of dappled light, Sorolla composed this carefully with the aid of at least two drawings and a sketch, and given its 2.2 metre (87 inches) height, he was almost certainly using brushes of similar length.

You’ve just run First Aid in Disk Utility, or fsck_apfs, and that reports warnings or errors. What should you do next?

Failure to unmount

By far the most frequent error encountered in Disk Utility’s checks results from its inability to unmount a volume before it can start testing. While this is reported as an error, and it prevents the checks from running, it can sometimes be solved by manually unmounting the volume in question. It normally doesn’t indicate anything sinister, and is simply frustrating.

Repeat in Recovery mode

If the warnings or errors were reported on your current boot Data volume and you ran that check in normal user mode, consider starting your Mac up in Recovery mode to repeat the check there.

Although macOS does an impressive job of performing checks on a live volume, it’s more reliable and more likely to be able to perform any repairs needed in Recovery mode, when the Data volume isn’t mounted and live. When there, if you prefer, you can still use fsck_apfs in Terminal.

The other case where checks may be best made in Recovery are those on an active Time Machine backup volume. That’s because those can be difficult to unmount before running the checks, although that is possible as long as a backup isn’t being made at the time, or Spotlight indexing taking place. The sure way to avoid those is to do so in Recovery mode.

Warnings or errors?

Any remarks about problems or irregularities encountered during checks should make explicit whether they are warnings or errors, and it’s essential to make a clear distinction between them.

Warnings are observations that could have significance, or might be perfectly normal in the circumstances. Only an APFS engineer is likely to be able to tell the difference. Among the commonest are those reporting missing xattrs for compressed files:
warning: inode (id 113812826): Resource Fork xattr is missing for compressed file
Experience is that those aren’t related to any consequent errors, and you should be able to leave those alone.

Errors are abnormalities that do have more significance, and might have the potential to cause further problems. Where possible, First Aid or fsck_apfs should attempt to repair those, most probably by performing “deferred repairs”. Those are normally minor errors that it already has plans to attend to when that volume is next mounted, the time that APFS normally performs its routine maintenance.

Snapshots

These are read-only copies of the file system metadata at a previous instant in time, and are associated with retained storage blocks. They aren’t part of the active volume, and their metadata are separate. As they’re read-only, any warnings or errors are most unlikely to be fixed, so you have a choice of leaving that snapshot to be deleted routinely by age, or deleting it early yourself.

Snapshots are made by backup utilities including Time Machine, which are required by Apple to have a mechanism that will delete them automatically after a set period. In the case of Time Machine, that’s when the snapshot is over 24 hours old. Snapshots aren’t backups, but augment regular backups, and stand in for them when backup storage isn’t available. In general, there seems little point in deleting a snapshot early just because there’s a reported warning or error for it, as that won’t affect the health of the active volume.

Identifying faulty items

Warnings and errors related to specific files or directories are normally given with an item id, which should be their inode number. To go any further, you’ll need to convert that to a path and file/directory name. You should therefore copy and paste all reports into a separate file as reference. Resolving an inode to a path and item name is detailed in this article.

In many cases involving items that can be resolved to an existing path, the faulty item is in one of the hidden folders such as .Spotlight-V100 for Spotlight indexes, or .DocumentRevisions-V100 for the document version database. In the former, rebuilding Spotlight’s indexes may resolve the problem, but you’re unlikely to be able to do anything about the latter.

If the inode resolves to a regular file, deleting that can remove the problem, but when you try restoring that file from a backup you may discover the backup has the same problem. Getting to the bottom of a recurrent file system error might require the knowledge and skills of an Apple engineer. Consider reporting this using Feedback, as it should then help iron out any remaining bugs in APFS.

You should also consider whether your Mac might be running old third-party software that is causing recurrent errors. Normally, products should work at a higher level that isolates them from the file system itself, but there are some surprising exceptions. If you can identify a cause, please inform the developers of that software so that it can be fixed.

Old versions of APFS

One potentially dangerous practice occurs when an older version of APFS changes a newer file system. APFS back in High Sierra and Mojave knew nothing of boot volume groups, firmlinks, or many of the features of more modern versions of APFS. If you really must run different versions of macOS on the same Mac, or shared external storage, avoid such version conflicts, and never run an older version of Disk Utility or fsck_apfs on a newer APFS container or volume.

When a group of devils armed with long hooks threatens Dante, Virgil hurries him along towards the next rottenpocket in Hell. They work their way around some of the damage wrought by Christ’s harrowing of Hell following his crucifixion. With those devils still hanging around, they then reach a pit of boiling tar, in which the spirits of barrators are trapped. These had traded in public office and bought influence in courts of law.

The devils pull out one of the souls for Dante and Virgil to talk to, but quickly return to hacking with their hooks.

Unlike others, he springs free and escapes their lunges as he plunges back into the pitch.

Dante and Virgil leave the devils attacking other barrators, and walk on in silence. Dante reflects on one of Aesop’s fables about the frog, the rat and the hawk. He blames himself for the tormenting of the devils behind them, but as he looks back he sees them on the wing again heading towards them. As they cross into the next rottenpocket, they realise the pack of devils can’t pursue them beyond that point.

Next are hypocrites, who are dressed up in hooded habits like monks. Although those are coloured bright gold, they’re weighted with lead, forcing the hypocrites into eternal labour against the mass of their clothes.

Dante meets two Bolognese friars, Catalano de’ Malavolti and Loderingo degli Andalò, who formed a fake religious order. They point out a figure staked out naked on the ground, who is Caiaphas, the High Priest of Jerusalem who advised scribes and pharisees that Christ’s death would be a good solution.

Virgil moves Dante on towards the damaged crossing to the next rottenpocket for thieves. After negotiating their descent, Dante sees its pit full of snakes, binding the hands of the souls there and covering their naked bodies.

A snake strikes one of the sinners at the back of the neck, causing the ghost to burst into flames then turn into ash, which falls onto the ground and reconstitutes itself.

There they talk with one of the thieves by the name of Vanni Fucci, a black Guelph from Pistoia near Florence who had stolen holy objects from a chapel and betrayed an accomplice for execution in his place. The snakes then take charge of him, winding their coils around his neck and body, and putting him into a reptile straightjacket.

Dante and Virgil move on and meet a centaur.

The artists

William Blake (1757–1827) was a British visionary painter and illustrator whose last and incomplete work was an illustrated edition of the Divine Comedy for the painter John Linnell. Most of his works shown in this series were created for that, although he did draw and paint scenes during his earlier career. I have a major series on his work here.

Gustave Doré (1832–1883) was the leading French illustrator of the nineteenth century, whose paintings are still relatively unknown. Early in his career, he produced a complete set of seventy illustrations for translations of the Inferno, first published in 1857 and still being used. These were followed in 1867 by more illustrations for Purgatorio and Paradiso. This article looks at his paintings.

John Flaxman (1755–1826) was a British sculptor and draughtsman who occasionally painted too. When he was in Rome between 1787-91, he produced drawings for book illustrations, including a set of 111 for an edition of The Divine Comedy. In 1810, he was appointed the Professor of Sculpture to the Royal Academy in London, and in 1817 made drawings to illustrate Hesiod, which were engraved by William Blake.

Joseph Anton Koch (1768-1839) was an Austrian landscape painter, who worked mainly in Neoclassical style. During his second stay in Rome, he was commissioned to paint frescos in the Villa Massimi on the walls of the Dante Room there, which remain one of the most florid visual accounts of Dante’s Inferno. He completed those between 1824-29. He also appears to have drawn a set of illustrations for Dante’s Inferno in about 1808.

Bartolomeo Pinelli (1781-1835) was a Roman illustrator and engraver who provided illustrations for a great many books, and specialised in the city of Rome. He made 145 prints to illustrate Dante’s Divine Comedy, most probably in the early nineteenth century.

Jan van der Straet, also commonly known by his Italianised name of Giovanni Stradano (1523-1605), was a painter who started his career in Bruges and Antwerp in Belgium, but moved to Florence in 1550, where he worked for the remainder of his life. Mannerist in style, he worked with printmakers in Antwerp to produce collections of prints, including an extensive set for The Divine Comedy.

References

Wikipedia
Danteworlds

Robin Kirkpatrick (trans) (2012) Dante, The Divine Comedy, Inferno, Purgatorio, Paradiso, Penguin Classics. ISBN 978 0 141 19749 4.
Richard Lansing (ed) (2000) The Dante Encyclopedia, Routledge. ISBN 978 0 415 87611 7.
Guy P Raffa (2009) The Complete Danteworlds, A Reader’s Guide to the Divine Comedy, Chicago UP. ISBN 978 0 2267 0270 4.
Prue Shaw (2014) Reading Dante, From Here to Eternity, Liveright. ISBN 978 1 63149 006 4.

I hope that you enjoyed Saturday’s Mac Riddles, episode 328. Here are my solutions to them.

1:

2:

3: James Bond, Jason Bourne, George Smiley, Modesty Blaise

The common factor

I look forward to your putting alternative cases.

For many years, I believed what the log command told me, that log entries could contain any of the 26 or more fields available, although they didn’t. It was only as I was developing utilities like LogUI that I discovered that log entries come in (at least) four types, each with its own format and set of fields. This article is a guide to those, and how they are displayed in LogUI.

Entry fields

Those available in the OSLog API are fewer in number than appear in log command output, and include some of limited interest. Those not exposed in LogUI include:

• store category, which is invariably disk storage here.
• format string, that used to format the contents of messages. This was introduced following serious security leaks in High Sierra.
• components, linking in with the format string.

LogUI displays each entry using the same order of fields and colour-coding. Although they can’t all be seen together in any single log entry, the overall sequence is:

Standard levels are given as text, and chosen from one of the following: fault, error, notice, info, debug, undefined. These are only used with Regular log entries, not other types. LogUI always includes debug level entries when they’re available.

The four types of entry are:

1. Regular
2. Activity
3. Boundary
4. Signpost.

Regular entries

These are normally by far the most common, and are seen throughout the processes and subsystems writing log entries. They normally contain up to the following fields:
datestamp, [1], activity ID, category, level, sender, process, process ID, subsystem, thread ID, message

These examples include:
datestamp, 1, activity ID, category, level, sender, process, process ID, subsystem, thread ID, message
which is fairly normal.

Activities

These mark specific activities, and vary according to the process and subsystem. Some are valuable waypoints, and all are recognisably shorter than most regular entries, containing only the following fields:
datestamp, [2], activity ID, parent activity ID, sender, process, process ID, thread ID, message

These are examples of one of the most valuable activities reported, indicating a mouse-click or tap. They’re also complete, as they consist of:
datestamp, 2, activity ID, parent activity ID, sender, process, process ID, thread ID, message

Boundaries

These are rare but instantly recognisable because of their brevity. They consist of just three fields:
datestamp,[3], message

Two of the most important are the announcement of the start of kernel boot:

and adjustment of the internal clock:

These are also easy to search for, as their message contains the distinctive === string.

Signposts

By default, LogUI extracts omit Signposts, but if you tick the Show Signposts box before loading log entries, they will also be displayed. In parts, they can outnumber regular entries, and are unlikely to provide you with meaningful information unless you know internal details of their process. Each Signpost adds three type-specific fields, shown after the process ID:
datestamp, [4], activity ID, category, sender, process, process ID, signpost ID, signpost name, signpost type, subsystem, thread ID

These examples come from the most prolific user of Signposts, SkyLight for WindowServer, and contain
datestamp, 4, activity ID, category, sender, process, process ID, signpost ID, signpost name, signpost type, subsystem, thread ID
Note there’s no message field, as their meaning is determined by the signpost fields.

Datestamps and times

The OSLog API doesn’t currently give access to Mach times, only to opaque Date variables. From those, LogUI’s datestamps give:
year–month–day hour:minute:second.microsecond+timezone

All times and time zones given are those current when LogUI obtains that extract, not when that entry was written. This can become extremely confusing when clocks change to and from {summer time, daylight time, daylight saving time, daylight savings time, DST}, and when passing through time zones, and great care is required when reading logs containing such corrections. LogUI tries to make this easier, but care is still required.

If you have used the log command, you may be aware that can return Mach times as ticks, offering precision down to the nanosecond. This currently isn’t possible when using the OSLog API, but given the relatively slow clock of Apple silicon Macs, it’s no longer as useful as it used to be with Intel’s nanosecond Mach ticks.

Censorship

By default, all data in message fields is censored to protect the privacy of the user. This replaces chunks of text with the dreaded <private>, and can render many entries devoid of any useful information. In recent versions of macOS log privacy can be removed by installing a profile. However, that doesn’t apply retrospectively, only to log entries collected after the profile has been installed.

Removing privacy also increases the size in storage of log entries, and may reveal sensitive information. As soon as you have completed acquisition of the logs you need with privacy removed, you should therefore remove the profile, to allow normal censorship to resume.

A suitably signed profile is here: enablelogprivatedata

To install the profile, unzip the archive into a convenient folder and double-click it. You’ll be informed by a notification that you need to review the profile to install it. Open System Settings and select Device Management in its View menu, or search for it. Follow the instructions given there to install and activate it.

Sadly, this doesn’t cover all censorship. Some systems require additional configuration changes, for example CFNetwork diagnostic logging. Jeff Johnson explained how to enable that, but Apple has since blocked that, and I don’t know of a practical alternative. In some cases, additional detail can be obtained by adjusting log settings.

Summary

A short practical summary of LogUI’s log entries is provided in its Help book.

In yesterday’s article I showed excerpts from two cycles of paintings of the journey of life, by Nicolas Poussin and Thomas Cole, and started the epic series of 34 images by Louis Janmot that constitute his Le Poème de l’âme (Poem of the Soul). The last painting of his depicted the child growing up in an idyllic country landscape in Spring.

The child’s family are at home during a thunderstorm, shown by flashes of lightning at the window. Grandmother reads a psalm to calm the spirit, while the mother and another young woman sit and sew. Father (a self-portrait at the age of thirty) looks on with concern. An even older woman, perhaps the great-grandmother, sits in the shadows near the window.

The couple have grown now, and find themselves walking along a path by the university. In the niches alongside the path are its professors, each offering false learning that might replace their faith. That learning is represented by the combination of papers and a lighted candle. In the niche closest to the viewer is the figure of death itself, its niche decorated with skeletons. The land is rocky and barren, with a wizened tree, where an owl is perched.

Still dressed in their gowns from their First Communion at church, the two sit together by a pond, with high mountain peaks in the distance. The boy is stroking a dove, a symbol of peace, while the girl strokes a panther, indicating tamed passions. They both hold a lily, for purity, which separates and unifies them.

In a revisit of Jacob’s Ladder, the pair fall asleep in the woods, and dream of a perpetual cycle of nine angels ascending and descending a staircase leading towards God in heaven. The angels each carry a symbol of the arts, such as a musical instrument.

The couple now face life’s challenges, symbolised by the ascent of a mountain, a task they accomplish together. So they achieve the ideals of life, both earthly and spiritual. This also indicates their exploration of space, and the world in which they live.

Later, when they have reached adulthood, she bids him farewell when she is called to ascend to heaven.

Now a man, returned to earth alone, his spirit back in heaven, he kneels before a wooden cross decorated with a garland of flowers that she left him. (It’s said this refers back to flowers she wore at their First Communion, but no such flowers appear in the paintings.) He pines for her memory, as breaks in the cloud cast bright sunlight down on patches of the earth.

Janmot’s story concludes in his series of charcoal drawings, where the man falls in love, but is abandoned. He then experiences doubt and falls into evil ways in an orgy. He suffers, and ages as a result of his sins, but his plight is taken by his mother to Jesus and the Virgin Mary in heaven for their intercession.

The intercession was successful, and a team led by an angel arrives to address the man’s plight. The woman’s corpse is despatched into the waves, perhaps in a form of burial at sea. The angel’s team consists of two other women, who sit and read from books held open by putti. At their feet are symbolic animals: a lion (strength), fox (cunning), and sheep (the sacrifice of Jesus Christ). Above them are three more putti, bearing symbolic objects including a large fish-hook, whose meaning is obscure.

The man is welcomed back at a heavenly Eucharist – the title is from the early words of the service, in Latin. Angels swing censors, there are rows of pious kings and clergy, and in the distance, descending a flight of steps, is the figure of Christ himself, bearing a lamb on his shoulders. The group at the right foreground contains the man’s soul, who looks directly at the viewer. With this, Janmot’s epic is concluded.

Just over a decade after Janmot completed that series of 34 images, Walter Crane condensed his account of the journey of life into a single painting.

Crane’s allegorical narrative of life as a bridge appears unique to him. It shows a newborn baby arriving in the hand of a winged angel in a white punt/gondola, left of centre. The baby is handed over to a mother or nurse, fed at the breast at the bottom left corner, walking up the steps, and learning at the top. Children play, then grow into young adults, and marry as they reach the top of the bridge. Throughout this runs the thread of life.

The mature adult in the middle of the bridge (by its keystone) then ages steadily, bearing the whole globe during the descent. He then gains a long white beard and walking stick during the descent into old age, finally dying, his body being placed in the black punt/gondola, where it is attended by the angel of death. Grieving relatives stand on the shore and make their farewells, one cutting the thread securing the boat to the shore with a pair of traditional scissors.

Crane explained the theme of his Bridge of Life (1884) as “fortune and fame pursued and ever eluding the grasp; til the crown perhaps is gained, but the burden of the intolerable work has to be borne.” It was first shown at the Grosvenor Gallery, then toured venues in the East End of London during a period of social and labour unrest.

My final series is the second of two Friezes of Life assembled by the Norwegian artist Edvard Munch. He seems to have started thinking about this during the 1880s, but it wasn’t until the early 1890s that it crystallised in his personal notebooks. He talked about building them into a ‘symphony’ in early 1893, and by the end of that year exhibited his first self-contained series of images in Berlin, under the title A Human Life.

During 1893 and 1894, Munch painted most of the works that were to form his first Frieze of Life, exhibited in March 1895, in Ugo Barroccio’s gallery in Berlin. His own explanation is that “the paintings are moods, impressions of the life of the soul, and together they represent one aspect of the battle, between man and woman, that is called love” (Heller, in Wood, 1992).

Munch later assembled his second and mature version, titled Frieze: Cycle of Moments from Life, and exhibited it in Berlin in 1902. It then consisted of twenty-two paintings, arranged in four sections. Here I show a small selection of some of the better-known paintings from that.

The Boston version of Summer Night’s Dream (The Voice) (1893), included in the 1895 version of the Frieze, was here titled Evening Star. It shows Munch’s lover ‘Mrs Heiberg’ at the edge of the Borre Woods, to the north of Åsgårdstrand. This features a brilliant golden-yellow pillar of reflected moonlight on the fjord, forming a distinctive ‘i‘ that appears in other paintings. This work initiates a sequence in which Munch gives his personal account of the process of falling in love.

Evening on Karl Johan shows the crowd from his painting Anxiety in an autobiographical scene. During Munch’s affair with ‘Mrs Heiberg’, he had arranged to meet her on Karl Johans Gate, the long, straight main street in the centre of Oslo. As he waited for her, his anxiety grew, exacerbated by crowds of people walking towards him.

Munch’s later depiction of this greatly foreshortens the perspective of this section of the street from the Royal Palace towards the Storting (parliament building), a distance of around 300 metres. This packs the pedestrians together and, coupled with their nightmarish faces, enhances its troubling feeling of anxiety.

A later section closes with The Scream, showing the isolated figure of Munch before the distant city of Oslo, its fjord with ships at anchor, and the surrounding hills. As the artist’s notes explain:
I was walking along a path with two friends. The sun was setting. I felt a breath of melancholy. Suddenly the sky turned blood-red. I stopped and leant against the railing, deathly tired, looking out across flaming clouds that hung like – blood and a sword over the deep blue fjord and town. My friends walked on – I stood there trembling with anxiety, and I felt a great, infinite scream pass through nature.

By the Deathbed (1895) is Munch’s painting from memory of his sister Sophie resting in her deathbed in 1877, when she was 15 and the artist wasn’t quite 14 years old. She died of tuberculosis, an unfortunately common event at the time. Munch explained that, when painting from memory like this, he depicted only what he could remember, and was careful to avoid trying to add details he no longer saw.

Sophie is seen from her head, looking along her length to her feet, her figure compressed into almost nothing by extreme foreshortening. Her deathbed resembles the next step, in which her body will be laid out in a coffin prior to burial. More than half the painting is filled by the rest of the family, father with his hands clasped in intense prayer. At the right is the mother, who had died of tuberculosis herself nearly nine years earlier.

References

Janmot’s Le Poème de l’âme: Wikipedia (in French).
Janmot’s Poem of the Soul 1
Janmot’s Poem of the Soul 2
Janmot’s Poem of the Soul 3
Janmot’s Poem of the Soul 4

Munch’s Frieze of Life
The Munch Museum, Oslo.
Wood, Mara-Helen (ed) (1992) Edvard Munch, The Frieze of Life, National Gallery Publications. ISBN 978 1 857 09015 4.

Before macOS Tahoe, the biggest sticking point in virtualising macOS on Apple silicon Macs has been their lack of support for the App Store. From the outset this has been an ironic limitation. Here’s some of Apple’s most advanced technology running on its latest hardware, and it can’t even run the apps that Apple sells, only those supplied direct by their developers.

VMs can now have iCloud and iCloud Drive support, Messages, FaceTime, FileVault, and plentiful shared folders, but the one thing they have lacked that renders them useless for many users and many purposes is that can’t sign into Apple services, particularly the App Store. Some apps, including those in Apple’s iWork suite, will run in a VM despite it being unable to sign into your account, but you can only window-shop in the App Store, and most of its apps will simply refuse to run, even free ones.

I’ve long suspected that this is an example of Apple Commercial constraining Apple Engineering. To be useful, macOS VMs would have to be exempted limits on the number of Macs authorised to access services, and that could open up the possibility of third-parties bypassing FairPlay and the digital rights controls embedded in macOS. It must be deeply frustrating to those working on virtualisation, knowing that it could be done but won’t be.

So the only substantial new feature for macOS virtualisation in Tahoe is the introduction of ASIF disk images. For the time being, I’m not sure they’re going to change much for most of us who host our VMs on local APFS storage. As they still don’t enjoy proper API support, I don’t see any compelling reason to rush into their use, unless you want to host your VMs in the cloud.

Upgrading to Tahoe has, though, drawn attention to problems lurking for those who created VMs of 50 GB or smaller, who now want to enlarge them for this purpose.

Resizing VMs

Don’t skimp when creating a new VM. Give it a useful size, as its Disk.img is stored as a sparse file, so won’t take all that disk space unless you fill it to capacity. I now make my default VMs 100 GB to ensure there’s ample free for updates and anything else that might arise.

If you do have a treasured VM that’s too small, you may well be able to increase its size, either using Disk Utility or the hdiutil resize command tool if you prefer. To do this, start by duplicating your VM in the Finder. That creates a clone, and lets you fall back to the unaltered original if the resizing goes horribly wrong.

To resize the disk image using Disk Utility, you first have to move it out from inside its VM bundle, easily done in the Finder. Then in Disk Utility’s Images menu use the Resize… command, select that Disk.img and enter its new size. Add a little, around 8%, to allow for overheads, and let Disk Utility get on with the work.

Here’s Disk Utility inside this Tahoe VM, showing its 50 GB virtual disk.

I then resized it to just over 100 GB.

Here it is afterwards, now showing a full 100 GB.

I gather from others that resizing doesn’t always work. If you can’t get it to, then the only way forward is to create a new VM with the larger capacity and copy across the contents of your old VM. One obvious way to make that simpler and more thorough would be to use Migration, either during configuration of the new VM, or shortly afterwards.

I’m very grateful to Michael for telling us of his success in migrating from a small to a larger VM in Tahoe. I’m also more than a little jealous, as I’ve so far been unable to get it to work for me.

I’m also mystified as to how two macOS VMs running concurrently on the same Mac could establish a connection to support the file transfers required in migration. Neither can expose its virtual folders as shared folders for the other, and in any case shared folders are strictly circumscribed. Sharing them over AFP runs into a quirk of their bridged networking, that both of the VMs will default to using the same network IP address. In my failed tests, the destination Migration Assistant was able to recognise the source, but failed to connect to it successfully.

For the moment macOS virtualisation hasn’t made any substantial improvements in Tahoe. It still can’t sign into Apple services, and AI remains unavailable. Let’s hope the next year brings more and better, and realises more of its potential.

Series paintings of times of the day and the seasons have been popular, but those trying to depict the whole of life are unusual and challenging. This weekend I look at some of the better attempts to tell the story of the journey of life. Because some of these series consist of more than five paintings, I here show selections of those longer accounts.

One of the earliest painted accounts of life is Nicolas Poussin’s series The Seven Sacraments. His first version of this was started in about 1636 as a commission for his patron and mentor Cassiano dal Pozzi, and was completed four years later.

The first in the series shows The Baptism of Christ, as an unusual example of a baptismal scene. The white dove of the Holy Spirit above the figure of Christ is one link across some of the others in the series.

The white dove reappears in Poussin’s genteel account of Marriage.

The series is completed by Extreme Unction, showing the sacrament being administered to a cadaveric man as his family are gathered around his deathbed.

Although several of William Hogarth’s series were biographical, such as his first two of A Harlot’s Progress (c 1731) and its compliment A Rake’s Progress (1732-5), none attempted to depict the whole journey of life from birth to death.

The next is probably Thomas Cole’s Voyage of Life, painted in 1839-42. Like Poussin before him, Cole wasn’t satisfied with painting this cycle of four phases. When he was in Rome in 1842, fearing that he wouldn’t see his series again, nor be allowed to exhibit it, he painted a second version, now in the National Gallery of Art in Washington, DC, and shown here. He had already painted a precursor cycle, The Course of Empire, in 1833-36, telling the story of an idealised civilisation, inspired by Byron’s poem Pilgrimage (1812-8).

Cole’s first series The Voyage of Life was commissioned to show a Christian allegory of the stages of life. He divided this into childhood, youth, manhood, and old age.

Childhood establishes the scene: the lush coastal undercliff, rich in flowers and the vibrant green of vegetation. A boat has emerged from a large cave in the cliff, symbolising the mother’s birth canal and the process of birth. A young baby is standing in the boat, with an angel at its tiller. A carved angelic figure forming the prow holds out an hourglass as the symbol for time.

In Youth, the young man has taken the helm of the boat, leaving the angel on the bank. The morning light is bright, and the weather fair. The young man is navigating the boat along the river, through lush waterside meadows and avenues, towards a distant vision of a celestial temple. The coastal cliffs are now in the background on the right, and in the centre distance is a rocky mountain spire.

By Manhood, the hero has noticeably matured, and his boat is on a fast-flowing river just approaching dangerous rapids passing through a rocky chasm. It is now dusk, and the angel is watching over from a break in the dark and forboding clouds. The man no longer holds the tiller, indeed the rudder is missing altogether, but both hands are clasped in prayer, as he looks anxiously up towards the heavens. In the foreground on the right are twisted trees, splintered by storms, with autumnal leaves.

Old Age shows the man in the boat far older, bald and with a grey beard. His boat is now in placid waters at the coast again, making no way. The boat itself is battered, its figurehead missing. He sits in the boat talking with the angel, who beckons him up through a parting in the black clouds, to a distant angel, far up in the heavens, rising through beams of sunshine towards brightness at the top left.

The painter who came closest to creating an epic in his works must be Louis Janmot, whose series Le Poème de l’âme (Poem of the Soul) consists of no less than 34 images, of which the first eighteen are painted in oils, and the remaining sixteen are in charcoal. Miraculously, the complete series is still together in the Musée des Beaux-Arts in Lyon, France. Although the captions don’t report it, each of the oil paintings is 130-145 cm in height, and 140-145 cm in width, although I have also seen them stated as being much larger, approximately 394 x 500 cm.

Like Blake and Dante Gabriel Rossetti, Janmot was also an accomplished poet, and his series is accompanied by an epic poem of nearly three thousand lines. He had a deep Catholic faith, and both the poem and the paintings are framed within his beliefs.

The series opens in heaven, with the mystical formation of a human soul, shown in symbolic form as a baby. This takes place under the watch of the Holy Trinity, although the three figures surrounding the newborn soul include a woman who represents love. Around this tight group are seemingly endless ranks of angels.

The newborn soul is brought down to earth by its guardian angel. This view, midway between heaven and earth, shows the succession of newborn souls being taken down to earth in the centre, and the judgement of the dead taking place at the side. The souls of the virtuous are seen being accompanied back up to heaven by their guardian angels, at the left. On the right are those destined for hell.

Below, on the right, is the figure of Prometheus bound, being attacked by an eagle. Prometheus is a strange figure from classical mythology to appear in this series, but a strong symbol of eternal suffering.

This is set by the Lake of Moras, where the mother sits with the newborn soul on her lap. Its guardian angel is kneeling in prayer for the mother and the soul of her new child. This painting combines the images of the annunciation to the Virgin Mary, and the Virgin Mary with the infant Jesus, in a unique way.

As the child grows up, Janmot represents it as a duality of boy, shown here in pink, and girl, in white symbolising purity and innocence. The pair are shown at play, picking flowers, in an idyllic country landscape during the spring.

This mystical duality continues through most of the rest of the oil paintings. At times, the pair appear to be brother and sister, or even lovers, but as we will see in tomorrow’s sequel, in the end they represent the earthly body (boy) and the spirit (girl). They are usually colour-coded, the boy wearing pink, and the girl white.

References

Poussin’s Sacraments
Cole’s Voyage of Life
Janmot’s Poem of the Soul 1
Janmot’s Poem of the Soul 2
Janmot’s Poem of the Soul 3
Janmot’s Poem of the Soul 4

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1:

2:

3: James Bond, Jason Bourne, George Smiley, Modesty Blaise.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

Every self-respecting file system identifies files and directories using numbered data structures. In most modern file systems, those data structures are known as inodes, and their numbers are inode numbers, sometimes shortened to inodes. The term is thought to be a contraction of index node, which certainly makes sense, but is lost in the mists of time.

In any file system, for example an individual APFS volume, the inode numbers uniquely identify each inode, and each object within that file system has its own inode. Whatever else the file system might do, the inode number identifies one and only one object within it. Thus one invariant way of identifying any file is by referencing the file system containing it, and its inode number.

HFS+

The Mac’s original native file systems, ending most recently in Mac OS Extended File System, or HFS+ from its origins in the Hierarchical File System, don’t use inodes as such, and don’t strictly speaking have inode numbers. Instead, the data structures for their files and folders are kept in Catalogue Nodes, and their numbers are Catalogue Node IDs, CNIDs.

With Mac OS X came Unix APIs, and their requirement to use inodes and inode numbers. As CNIDs are unique to each file and folder within an HFS+ volume, for HFS+ they are used as inode numbers, although in some ways they differ. CNIDs are unsigned 32-bit integers, with the numbers 0-15 reserved for system use. For example, CNID 7 is normally used as the Startup file’s ID.

Although not necessarily related to CNIDs, it’s worth noting that the Mac’s original file system MFS allowed a maximum of 4,094 files, its successor HFS was limited to 65,535, and HFS+ to 4,294,967,295. Those are in effect the maximum number of inode numbers or their equivalents allowed in that file system.

APFS

Unlike HFS+, APFS was designed from the outset to support standard Posix features, so has inodes numbered using unsigned 64-bit integers.

Strictly, the APFS inode number is the object identifier in the header of the file-system key. Not all unsigned 64-bit integers can be used as inode numbers, though, as a bit mask is used, and the number includes an encoded object type. APFS also makes special allowance for volume groups consisting of firmlinked System and Data volumes, to allow for their inode numbers to remain unique across both volumes. Officially, those allow for a maximum number of inode numbers of 9,223,372,036,854,775,808, either in single APFS file systems, or shared across two in a volume group.

Every file in APFS is required to have, at an absolute minimum, an inode and its associated attributes, shown above in blue, including a set of timestamps, permissions, and other essential information about that file.

There are also three optional types of component:

• although some files may be dataless, most have data, for which they need file extents (green), records linking to the storage blocks containing that file’s data (pink);
• smaller extended attributes (yellow), named metadata objects that are stored in a single record;
• larger extended attributes (yellow), over 3,804 bytes in size, whose data is stored separately in a data stream.

Interpretation

When looking at inode numbers in volume groups, they can be used to determine which of the firmlinked file systems contains any given file. Both volumes share the same volume ID, and files in the System volume have very high inode numbers, while those in the Data volume are relatively low. I have given further details here.

Inode numbers are more generally useful in distinguishing files whose data appears identical, and the behaviour of various methods of linking files.

Copying a file within the same file system (volume) creates a new file with its own inode number, of course. However, duplicating a file within the same file system results in an APFS clone file, with a distinct inode, although it shares common data, so their inode numbers are also different.

Instead of duplicating everything, only the inode and its attributes (blue and pink) are duplicated, together with their file extent information. There’s a flag in each clone file’s attributes to indicate that cloning has taken place.

A symbolic link or symlink is merely a pointer to the linked file’s path, and doesn’t involve inode numbers at all. Because of that, changing the linked file’s name or path breaks its link. Finder aliases and their kindred bookmarks do contain inode numbers, so should be able to cope with changes to the linked file’s name or path, provided it remains in the same file system and doesn’t change inode number.

Hard links are more complex, and depend on the way in which the file system implements them, although the fundamental rule is that each object that’s hardlinked to the same file has the same inode number. According to Apple’s reference to APFS, this is how it handles hard links.

When you create a hard link to a file (blue), APFS creates two siblings (purple) with their own IDs and links, including different paths and names as appropriate. Those don’t replace the original inode, and there remains a single file object for the whole of that hardlinked file.

Inode attributes keep a count of the number of links they have to siblings in their link (or reference) count. Normally, when a file has no hard links that’s one, and there are no sibling files. When a file is to be deleted, if its link count is only 1, the file and all its associated components can be removed, subject to the requirements of any clones and applicable snapshots. If the link count is greater than 1, then only the sibling being removed is deleted.

Easy access

Inode numbers are readily accessed using command tools in Terminal. For example, ls -i lists items with their inode numbers shown. One free utility that displays full information about inode numbers and much more is Precize.

The volume ID is given as the first number in the volfs path, and the second is the inode number of that file within that. Note that the File Reference URL (FileRefURL) uses a different numbering system, and the Ref count of 1 indicates this file has no hard links.

The appearance of new objects or unexpected phenomena in the sky was an event of great significance in the past, and often considered to be a portent of the future, good or bad. This article considers the few that were recorded in paintings, and starts with the most famous of all, the star of Bethlehem that appears in many depictions of the birth of Christ.

The linked stories of the birth of Christ in a shed at Bethlehem, and the subsequent adoration of the infant by three wise men, kings or Magi “from the east”, are among the most popular and enduring among paintings in the Christian canon. The outlines given in the Gospels of Luke, chapter 2, and Matthew, chapter 2, have conventionally become elaborated.

Three wise men had seen a new star, possibly a comet or an unusually bright planet, which they believed would lead them to the birth of a great prophet. They travelled by the guidance of that star, to arrive at Bethlehem. There they found the newborn Christ with Mary his mother, paid homage to him in the shed in which the holy family was lodging, and presented their gifts of gold, frankincense, and myrrh.

Giotto’s Adoration of the Magi from about 1305 shows the star as a celestial ball of fire streaking across the sky, and the three wise men pay their respects to the newborn Christ and his mother.

Above Bosch’s view of the local Brabant countryside in his Adoration of the Magi of 1490-1500 he places a more modest and stationary star shining bright over its distant city, as shown in the detail below.

Blake’s version of the Adoration of the Kings is conventional in showing the three wise men presenting their gifts to Jesus and his parents. At the left, outside, shepherds are tending to their flocks of sheep beneath a stylised star, and at the right are the ox and ass.

There remains controversy over what celestial event might have occurred at the time.

Very few paintings show known events in the sky, and I know of only one depicting a full solar eclipse.

Although many painters, particularly the Impressionists, have shown fleeting effects of light and the occasional rainbow, Enrique Simonet took the opportunity of a solar eclipse on 30 August 1905 to paint his Eclipse (1905). This was visible across eastern and northern Spain between about 1300 and 1320 UTC, and this painting is one of its few remaining records.

Realistic paintings of comets are also rare, and unimpressive.

Generally acclaimed as William Dyce’s finest painting, Pegwell Bay, Kent – a Recollection of October 5th 1858 (c 1858) shows this bay on the Kent coast, during a family holiday visit: a coastal scene worked up into a large finished oil painting. Although not easily seen in this image, there’s a small point of light high in the middle of the sky which is Donati’s comet, not due to return until 3811. Couple that with the inclination of the sun and the state of the tide, and you should be able to place this view precisely in both time and space, and confirm that it does indeed show this bay on 5 October 1858.

A few paintings show impossible celestial events.

John Martin’s painting of The Deluge from 1834 has two points of reference: the Biblical account of the flood, and Martin’s personal belief in prior catastrophe. As the sciences became ascendant during the nineteenth century, some educated people believed that in the past there had been an alignment of the sun, earth, and moon, and the collision of a comet resulting in global flooding. This was promoted by the French natural scientist Baron Georges Cuvier, and subscribed to by Martin.

True to form, his painting is dark and apocalyptic: near the centre, tiny survivors are just about to be overwhelmed by an immense wave bearing down at them from the left and above. The misaligned sun and moon barely penetrate the dense cloud, and to the top right is a melée of rock avalanche and lightning bolt. This was awarded a gold medal at the Paris Salon of 1835.

Several of Paul Nash’s surrealist landscapes show the moon in its phases, among them Landscape of the Vernal Equinox (III) from 1944, which presents the impossible view of a full moon and the sun visible close together and just above the horizon.

Browsing through the /System/Library folder in macOS Tahoe you’ll no doubt be surprised to see a new folder, between LaunchAgents and LaunchDaemons, named LaunchAngels. This article takes a preliminary look at what’s in there, and what these new additions to Apple’s bestiary do.

Launch Agents and Launch Daemons

These have been used in macOS for a great many years, probably since the introduction of launchd in Mac OS X 10.4 Tiger in 2005. These folders contain property lists for:

• Launch Daemons are standalone background processes managed by launchd, running as root before the user logs in, and communicating indirectly with user processes, normally by XPC. They’re not allowed to connect to WindowServer.
• Launch Agents are also managed by launchd, but normally run on the user’s behalf, communicating with other processes and daemons. Although they can have GUI interfaces, they’re normally minimal.

Before you have logged in, launchd runs services and other components specified in property list files in the LaunchAgents and LaunchDaemons folders in /System/Library, and in /Library. Those in /System/Library are all part of macOS, owned by Apple, and locked away on the SSV, but those in /Library can include those installed by third party products, although these days more are being enclosed in app bundles. As they’re run before the user logs in, those work for all users, so are global services.

These property list files contain keyed settings to determine what launchd does with what. Although they can contain many other key-value pairs, two most important ones are ProgramArguments (or Program), which tells launchd what to run, and RunAtLoad, which determines whether launchd should run the service or app whenever your Mac starts up and it loads those agents and services. Other keys determine whether the agent/service should be kept running at all times; if that is set, if it crashes or is otherwise terminated, launchd will automatically start it up again. That’s important for background services that apps rely on to function.

Launch Angels

As of macOS 26.0.1 there are three Launch Angels, each with a property list in /System/Library/LaunchAngels. Those relate to three apps now in /System/Library/CoreServices,

• AccessibilityUIServer,
• GameOverlayUI,
• PosterBoard.

AccessibilityUIServer is an addition to the Accessibility process group, and is listed in the processes in Activity Monitor as Accessibility. It thus runs in the background, supporting Accessibility features in Tahoe. These might perhaps extend the Accessibility enhancements for UIKit provided in UIAccessibility to macOS.

The other two apps aren’t run at load, so must be run on demand. GameOverlayUI appears to be responsible for providing the new Game Overlay features, and I suspect that PosterBoard is responsible for Lock Screen customisation. A key set for each of these in their property list is _ExperimentalNonLaunching, suggesting that these are still in test.

Apple describes Game Overlay as allowing “players to stay in the game when it matters most. Players can easily adjust settings, connect with friends, and check out the latest In-App Events and supported Game Center features, all without leaving their game.”

RunningBoard

What’s most unusual, and may be new with Tahoe, is that all three property lists include settings for RunningBoard and its life cycle management. These are the keys

• Managed, to require life cycle management by RunningBoard, set to true for all three;
• Reported, presumably to set RunningBoard to report its use of system resources, again set to true for all three.

I’m not aware of any similar RunningBoard settings for property lists in the LaunchAgents or LaunchDaemons folders, though.

Conclusions

• Launch Angels are currently three new services for macOS 26 Tahoe, run through launchd using property lists in /System/Library/LaunchAngels.
• Those extend Accessibility, provide Game Overlay, and probably support Lock Screen customisation.
• They are unusual in having RunningBoard settings in their property lists.
• At least for the moment, Apple doesn’t intend anyone else trying to use Launch Angels of their own.
• As the LaunchAngels folder is on the SSV, it isn’t exploitable. Whether a LaunchAngels folder might work in the main Library folder is a different question, though.

In the autumn of 1888, Christian Krohg married Oda Engelhardt, his former pupil, in Oslo. Although their relationship appears to have been open and stormy at times, Krohg now had a partner and a family to paint.

In the summer of 1888, the Krohgs returned to Skagen in Denmark where he painted Oda Krohg (1888). Although not as clinical as his series of portraits of the Gaihede family there, he uses the same profile pose, with his subject looking straight ahead as if in an identity photograph. That contrasts with his informal and sketchy facture.

Krohg’s three-quarter length Portrait of the Painter Oda Krohg, née Lasson (1888) is a marked contrast. Although still quite formal in its composition, Oda is here shown in her role as a ‘princess of the Bohemians’ that sadly overshadowed her own art.

Over this period Krohg had been working on his next major painting, The Struggle for Existence, also translated as The Struggle for Survival (1889). It shows Karl Johan Street in Oslo in the depths of winter, almost deserted except for a tight-packed crowd of poor women and children queuing for free bread. This is the central street in the capital city, and three years later was to be the setting for Edvard Munch’s famous painting of Evening on Karl Johan Street.

These people are wrapped up in patched and tatty clothing, clutching baskets and other containers in which to put the food. A disembodied hand is passing a single bread roll out to them, from within the pillars at the left edge. That was yesterday’s bread; now stale, the baker is giving it away only because he cannot sell it. A policeman, wearing a heavy coat and fur hat, walks in the distance, down the middle of the icy street, detached from the scene.

On this pessimistic note, Krohg’s ‘naturalism’ or social realism came to an end.

The Krohgs spent the summer of 1889 not at Skagen, but in the coastal resort of Åsgårdstrand, about sixty miles (100 km) south of Oslo. Nearly ten years later, Edvard Munch was to buy a summer house here. The Krohgs’ son Per, their second child, was born there that summer, and was almost certainly the model for In the Bathtub (1889). This shows the ceremonial surrounding the bathing of a newborn baby, with the mother and women relatives providing endless advice and taking charge of the event.

In the autumn, the family travelled to Copenhagen, Denmark, where they lived until early summer of 1890. They made a short visit to France, where Krohg was awarded a bronze medal at the Exposition Universelle in Paris. At this time, he had been working as a journalist and teaching, particularly at the painting school run by Harriet Backer.

When he was living in Copenhagen, Krohg painted one of his few works in Impressionist style, View over Frederiksberg, Copenhagen (1890), but decided not to further pursue landscape painting.

Instead, Krohg painted some history of contemporary relevance. Returning to his seafaring theme, his next successful work was a period drama dear to the Nordic heart: Leiv Eirikson Discovering America (1893). Leif Erikson was Nordic and had probably been one of the Norse inhabitants of Iceland between about 970-1020. The son of Erik the Red, who colonised Greenland, Leif visited Norway in about 999, and according to the Icelandic Sagas went on later to discover Newfoundland in Canada. When Krohg painted this, no archaeological evidence had been discovered to support the sagas, and that didn’t follow until 1960.

Krohg’s choice of motif drew on growing contemporary desire for complete independence of Norway from Sweden, and referred to the many Norwegians who had migrated to a better life in the US.

Probably painted in the same year, Krohg’s 17th of May 1893 was an even bolder statement about Norway’s nationhood. The seventeenth of May had been increasingly celebrated as Constitution Day since the signing of the national constitution in 1814. Not only is this painting full of Norwegian people, but the Norwegian flag shown lacks the ‘herring salad’ badge marking the union of Norway with Sweden, a clear indication of his feelings about independence.

From the autumn of 1893, Krohg was away from home almost constantly. He first went to Copenhagen, then on to Berlin and Paris. He stayed in Skagen for his last summer there in 1894 before returning to Oslo.

In 1895, he painted one of his more enigmatic works, a throwback to his social narratives, and something of a ‘problem picture’: Eyewitnesses. It’s nighttime in a living room. Two fishermen stand in front of a door, still wearing their soaked and soiled oilskins, and appear to have entered the room straight after coming ashore from the sea. One stares in shock towards the viewer, the other looks down and away. Both appear full of unease, silent and immobile.

At the right, a young woman is standing, leaning forward towards the men, as if listening to them. She looks anxious, with her hands clasped in front of her chest. Behind her an oil lamp burns brightly, there are the leaves of a large potted plant, and a couple of paintings on the wall behind a large blue settee.

One possible reading is that the men have brought news of the loss at sea of the woman’s husband, an event of which they were eyewitnesses.

In the coming years Krohg was to return to the sea in his paintings.

References

Skagens Museum, Denmark
Øystein Sjåstad (2017) Christian Krohg’s Naturalism, U Washington Press. ISBN 978 0 295 74206 9.

If you bought an M1 Mac with just a 256 GB internal SSD and have kept up with macOS upgrades and updates, should you be worried that it’s running out of space by the time it makes it to Tahoe? Dare you look at Storage settings to see how much of the SSD is now swallowed up by System Data? This article explains why macOS 26 shouldn’t devour the last of your SSD, and how you can ensure that it doesn’t.

What’s on your Mac’s internal SSD?

Internal boot disk layout is most complex in Apple silicon Macs, as theirs is divided into three partitions (or APFS containers). Two are hidden and contain pre-boot and other low-level support files, and amount to around 6 GB. The Macintosh HD partition then takes the lion’s share, the whole of the remainder. Even on a 256 GB SSD, that’s about 250 GB.

Volumes within Macintosh HD include:

• System, just over 12 GB,
• VM, varies in size according to how much virtual memory is swapped out to disk,
• Preboot, just under 8 GB,
• Recovery and others not normally mounted, a total of less than 2 GB,
• Data, whose size is determined by what you store there.

The system your Mac actually boots into isn’t the System volume itself, but a snapshot made of it, occupying the same space, plus a little extra for the snapshot’s metadata including its tree of hashes to form its seal and signature. Because this is a snapshot it uses the same data stored for the System volume, and doesn’t double that up.

This should allow your Data volume a maximum of 228 GB, less any space required by the VM volume. Although installation of a macOS upgrade or update will require substantial additional space, once that’s complete the space taken by the System volume and its snapshot should fall to little more than 12 GB.

What happens when macOS is upgraded?

In traditional macOS upgrades, the Installer app was downloaded first, and itself required around 13-15 GB. That was run, and expanded its contents to be installed onto the System volume, replacing much or all of it.

Updates work more economically, as they contain only the files that have changed, so far less than the Installer app. When they’re installed, they replace only those files changed in the System volume, ready for a new snapshot to be made from that, to be used to boot that Mac. So an update-style upgrade, as you should get when going from macOS 15.7 to 26.0, should require a much smaller download, a faster install, and less space to install the new version of macOS. However, the end result should be identical, with exactly the same files installed in the System volume, and exactly the same in the snapshot used when running.

Whichever is used, the installation process is similar. First, the files to be installed are expanded, then they’re written to the mounted System volume, with some going onto the Data volume as well. Once the System volume is complete, a snapshot is made of it, and that’s sealed using a tree hierarchy of hashes, culminating at the top of the tree in the seal.

What is System Data?

Storage settings scans the contents of the boot volume group, Macintosh HD, and divides the storage used into different categories like Applications and Podcasts. It appears to total those up and account for the remainder of storage used in the category System Data. That doesn’t include the size of the System volume, or its snapshot, but can include temporary files like caches, snapshots, and anything else it can’t account for in other categories.

Taking control

If there are substantial amounts of space that aren’t accounted for on your Mac’s internal SSD, and you want to reduce that, you need to account for it before deciding what to do about it.

First check for large snapshots. I hear repeatedly of Macs that turn out to have hundreds of GB being used by snapshots unnecessarily, and the current record is over 400 GB. The easiest place to check for those is in Disk Utility. In the sidebar on the left select the Data volume, then Show APFS Snapshots in the View menu for them to be displayed at the foot of the main view.

Backup utilities including Time Machine normally make a snapshot with each backup, and retain them for 24 hours, following which they’re automatically deleted. As snapshots can’t exclude folders in the way that Time Machine can in its backups, if you’ve been working with a couple of 100 GB VMs then they will be retained in snapshots even though you probably exclude them from being backed up.

Once you’re happy that free space isn’t being retained in snapshots, use a disk mapping utility like DaisyDisk or GrandPerspective to hunt down other large files and folders that you may not need. One reader here recently discovered that their iOS and iPadOS backups had taken over more than half the space on their Mac’s SSD.

Wait a day or two after upgrading

Installing a macOS upgrade also changes files on your Data volume, and may retain temporary support files. These are normally cleaned up in the next 24 hours, and you may be able to encourage that by starting your Mac up in Safe mode, leaving it a couple of minutes, then restarting it in normal user mode.

By a couple of days after the upgrade, your Mac should have returned to normal use of storage. If it hasn’t, check snapshots and go hunt that missing space.

Apple has released its weekly update to XProtect, bringing it to version 5317. As usual, it doesn’t release information about what security issues this update might add or change.

This version adds five new detection signatures to its Yara file. These include another newcomer with four signatures, MACOS.DAILYDUMPLING, and MACOS.SOMA.SEEND to add to the large Amos/Soma family.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5317

I apologise for the late announcement of this update, which seems to have been released after 22:00 GMT on 30 September, but was still incomplete here through the whole of today, 1 October.

Sequoia and Tahoe systems only

This update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5317 but your Mac still reports an older version is installed, you should be able to force the update using
sudo xprotect update

Before the Dutch Golden Age, paintings of everyday life, now widely termed genre paintings, were seldom seen. That changed in the Dutch Republic, when they became among the most popular, if not the majority. Several of the best known artists of this period specialised in them, among them Gerard ter Borch (1617–1681) who made himself something of an international career as a result.

Ter Borch was born in the city of Zwolle, well to the east of Amsterdam. As his father was also an artist with the same name, he’s sometimes distinguished as Gerard ter Borch the Younger. He had already started to travel in 1632, when he was training in Amsterdam, and for the next twenty years or so he painted in England, Germany, France, Spain and Italy.

For the thirty years between 1618-1648, central Europe had been engulfed in a bitter war between the Habsburg states, including the Holy Roman Empire and Spain, and their enemies, including the Dutch Republic. Ter Borch’s magnificent painting of The Ratification of the Treaty of Münster, 15 May 1648 (1648) recorded the moment that the Thirty Years War ended, with the ratification of this treaty between the Dutch Republic and Spain. It also marked the birth of the Dutch Republic as an independent country.

The artist even seized the opportunity to include himself among the ranks of dignitaries: he is at the far left, with long hair and looking directly at the viewer. Although this may look a large and grand work, ter Borch painted it on copper, and it is little larger than a miniature.

But most of his surviving works are portraits and interior scenes of everyday life.

The Messenger, popularly know as Unwelcome News, from 1653, develops what came to be one of his favourite themes. The young man at the left is still booted and spurred from riding to deliver a message to this couple. Slung over his shoulder is a trumpet, to announce his arrival and importance. The recipient wears a shiny breastplate and riding boots, and is taken aback at the news. His wife leans on her husband’s thigh, her face looking serious.

The scene is the front room of a house in the Golden Age. Behind them is a traditional bed (typical in living areas at the time), with some of their possessions resting on a table between the couple and their bed. Hanging up on a bedpost is the husband’s sword, and behind them is a gun and powder horn. Is the letter news of his recall to military service, perhaps? Will he soon have to ride away from his wife, leaving her to bring up their family?

At about the same time, ter Borch painted A Maid Milking a Cow in a Barn (c 1652-54), incorporating its own still life of everyday farming objects including a winnowing sieve and an axe.

Mother Combing the Hair of Her Child (c 1652-53) shows a regular domestic routine, expressed more bluntly in its alternative title of Hunting for Lice. The mother is looking intently at her young daughter’s hair for traces of lice and nits, and running a fine-tooth comb through it to remove any.

Three Figures Conversing in an Interior (c 1653-55) is another of his narrative genre works, and more popularly known as Paternal Admonition. Standing with her back to us, wearing a plush going-out dress, is the daughter. To her left is a table, on which there is a small reading stand with books, almost certainly including a Bible. Her parents are young, and they too are fashionably dressed. Her mother appears to be drinking from a glass, but her father is at the very least cautioning his daughter, if not giving her a thorough dressing-down. He wears a sword at his side. Behind them is a large bed, and to the right the family dog looks on from the gloom.

Ter Borch’s half-sister Gesina, herself a painter, appears to have been his model for Woman Writing a Letter (c 1655), which makes obvious his connection with Vermeer. Move this woman to a desk lit through windows at the left, light her surroundings, and you have a painting very similar to some of Vermeer’s. This painting shows a heavy decorated table cover pushed back to make room for the quill, inkpot, and letter. Behind the woman is her bed, surrounded by heavy drapery, and at the lower right is the brilliant red flash of the seat.

The Spinner is dated to about 1655, but may well have been the pendant to Mother Combing the Hair of Her Child (c 1652-53), and uses the same model. Here she looks intently at her work, a small dog on her lap.

Long before its value in preventing scurvy was realised in 1747, or it was carbonated even later, still cloudy lemonade had become a popular soft drink. Extensive trade links of the Dutch Republic made this drink available to the middle classes, as celebrated in ter Borch’s The Glass of Lemonade (1655-60).

A fashionably-dressed young man is helping to prepare a glass of lemonade for a young woman, who is equally open about her love of fashionable clothing. Behind her is the woman’s nurse or maid, who is having to comfort her through the excitement of the experience. They’re surrounded by a contemporary Dutch interior, with the inevitable bed lurking in the dark at the right, a small but heavily-built wooden table to the right, and a lighter-weight table at the lower left.

The Letter from about 1660-62 returns to his favourite theme of the reading and writing of letters. Two young women are working together, apparently to write a reply to the letter which is being read by the woman on the right. A boy, perhaps their younger brother, has just brought in a tray bearing an ornate pitcher of drink. In front, a small dog is curled up asleep on a stool.

Ter Borch’s backgrounds become lighter in his later work, as shown in The Music Lesson from about 1668. A teacher stands over a young woman, who is learning to play the lute. By this time, the basic lute had become extended to accommodate additional strings for a wider register. This is often referred to as a theorbo, although in modern terminology it’s probably more of an archlute, and seems to have been fashionable in the Dutch Republic at this time. Resting on the table is a cello, and asleep on a chair is a small dog. Note that the room still contains a bed in the background.

Just as mothers had to check their children for parasites in the hair, so pet owners had to remove fleas from their pets. Ter Borch’s late painting of A Boy with his Dog, also known as The Flea-Catcher (after 1666), shows this, in fairly barren surroundings.