John's Recount

Thoughts, Questions, and Challenges

Dropbox

I tried Dropbox. The promise of working cross-device file sync sounded really intriguing, but the final straw was Elements. Elements is a great app. I purchased, downloaded, and launched it. I signed up for Dropbox right there, then downloaded Dropbox onto both my laptop and my desktop.

Installation was drag-and-drop. From what I’ve heard, the sync works wonderfully. However, when I first launched the app on my laptop, it asked for my administrative user name and associated password. That’s a bit odd for any app, especially one which does not modify the system in any way, so I investigated a little. Dropbox installs three pieces into one’s system when it first runs.

The first one is the app itself, but when launched it marks two files within the app bundle as set-user-id-root (suid). This is extremely strange and extremely dangerous, from both a stability and a security perspective.

The second is a Contextual Menu Item, which is a plugin which adds an item to the right-click menu. However, in addition to the extra feature added to the context menu, this plugin also injects an additional “plugin” when it loads. This is extremely strange and extremely dangerous, from both a stability and a security perspective. (This plugin was for Finder.)

Third, it installs a file named “.dropbox” (w/o quotes) in one’s home folder. The placement of this file is strange (the appropriate places would be ~/Library/Application Support/Dropbox and ~/Library/Caches/Dropbox), but not at all dangerous.
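A way to repeat the set-user-id check described above on any app bundle, as an added example that is not part of the original post and not Dropbox's code. The bundle name `Sample.app`, the file names inside it, and the function names are assumptions made for illustration; pass a real bundle path as the first argument to audit it.

```python
import os
import stat
import sys
import tempfile

def find_privileged_files(bundle_path):
    """Return sorted (relative_path, flags, owner_uid) for each regular file
    under bundle_path that carries the set-user-id or set-group-id bit."""
    findings = []
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks out of the bundle
            except OSError:
                continue             # unreadable entry, skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = [label for bit, label in ((stat.S_ISUID, "setuid"),
                                              (stat.S_ISGID, "setgid"))
                     if st.st_mode & bit]
            if flags:
                rel = os.path.relpath(full, bundle_path)
                findings.append((rel, "+".join(flags), st.st_uid))
    return sorted(findings)

def runs_as_root(finding):
    """A setuid file owned by uid 0 executes with root privileges."""
    _rel, flags, uid = finding
    return "setuid" in flags and uid == 0

def build_sample_bundle(parent):
    """Constructed sample: a fake bundle with one ordinary and one setuid file."""
    macos = os.path.join(parent, "Sample.app", "Contents", "MacOS")
    os.makedirs(macos)
    for name, mode in (("Sample", 0o755), ("helper", 0o4755)):
        path = os.path.join(macos, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after writing: a write can clear the bit
    return os.path.join(parent, "Sample.app")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else build_sample_bundle(tmp)
        for item in find_privileged_files(target):
            note = "RUNS AS ROOT" if runs_as_root(item) else "not root-owned"
            print(f"{item[1]:14} uid={item[2]:<6} {note:15} {item[0]}")
```

Running it before and after an app's first launch shows whether the launch itself changed file modes inside the bundle.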

Some of these mistakes come from Dropbox’s recent addition of Mac support. That is, they just don’t know any better. On Windows, significant stability damage through the use of novel and unexpected code injection is the norm. A carefully designed “plugin” would put no more strain on the system than what comes on the system from the original manufacturer. (I’m not saying that Windows is more stable with “plugins,” but that nobody would notice the instability introduced by these “plugins.”) On Linux, suid binaries are entirely normal. In fact, significant parts of the user land live entirely in root space, e.g. the X window system itself. There, the security implications are dealt with through over-engineering and careful disclosure, while the stability implications are expected to be dealt with by the system administrator (read: end user).

On Mac, however, stability and security are two of the platform’s primary draws. Those two reasons are exactly why I, myself, use a Mac. Furthermore, as a software developer, I can clearly see solutions to the problems that Dropbox appears to have been attempting to solve. For example, the contextual menu could be provided by a “service”, thereby bypassing the need for that plugin. The code-injected Finder “plugin” could be scrapped entirely and replaced with careful use of custom folder icons, supported by the very same folder-change-monitoring system used to watch for actual content changes. Actual content changes could be provided by the system that Apple built into the platform for that very purpose: FSEvents. This is part of the system that Spotlight and Time Machine use.

I uninstalled Dropbox shortly after my investigation. Perhaps I’ll try it again once they’ve had a chance to fix up their Mac support.

  1. jcount posted this