Apple Privacy Manifest - Realm 10.49.2 - ISSUE: NSPrivacyAccessedAPICategoryDiskSpace

[salvatoreboemia]

How frequently does the bug occur?

Always

Description

Hi,

we still receiving emails from Apple about the Privacy Manifest

Realm: 10.49.2

The privacy manifest is still empty

and now we have also this issue in the packages with this warning

Do you have some news about these issues?

Thanks

Stacktrace & log output

No response

Can you reproduce the bug?

Always

Reproduction Steps

No response

Version

10.49.2

What Atlas Services are you using?

Local Database only

Are you using encryption?

No

Platform OS and version(s)

iOS all version

Build environment

Xcode version: 15.3

[sync-by-unito]

➤ PM Bot commented:

Jira ticket: RCOCOA-2339

[tgoyne]

What point in the submission process triggers the validation failure emails? Do I need to actually submit the app for review?

[tgoyne]

When I build an app using Realm Swift v10.49.2 using SPM I get the following files in the app directory:

Each of the bundles contains the expected PrivacyInfo.xcprivacy with the expected contents. I've submitted this app to the app store (with it currently in the Ready for Review step) and also TestFlight and after several hours I have not received any emails.

[salvatoreboemia]

News on this issue?

I added in my own privacy manifest your disk api reason. And just after adding it I am not receiving emails from Apple. the realm swift folder always has an empty manifest. and also problems with the. erodo and realm database. as per the attached screens

[nirinchev]

So several things here (some of which are reiterating what @tgoyne asked):

1. The RealmSwift privacy manifest should look like this: https://github.com/realm/realm-swift/blob/master/RealmSwift/PrivacyInfo.xcprivacy because it is a wrapper on top of the Core database, which is the framework that actually accesses the disk API.
2. The RealmDatabase bundle should have a privacy manifest that looks like this: https://github.com/realm/realm-core/blob/master/src/spm/PrivacyInfo.xcprivacy - i.e. listing the API usage reasons. Can you confirm that this is the case for the bundles in your app directory?
3. At which point of the submission process do you get the emails? As @tgoyne said, he's tried submitting an app to the app store and didn't get an email with any warnings. Do you have to actually submit it for review to get the automated email?

[knowledgeisporridge]

I'm not the original poster, but I can echo the issue.

@nirinchev

1. Yes, the PrivacyInfo.xcprivacy in the RealmSwift bundle of the built app matches the one linked (i.e. essentially empty)
2. Yes, the PrivacyInfo.xcprivacy in the RealmDatabase bundle of the build app matches the one you linked
3. The "Upload issues" email is delivered when the binary is sent for review (AppStore or Beta Review).

Built with Xcode 15.3

[tgoyne]

I think inheriting privacy manifests from SPM packages just plain doesn't work when the package is built as a static library and once again two teams at Apple have failed to talk to each other. AFAICT the app store scans bundles contained in dynamic frameworks for privacy manifests, but only checks the top-level PrivacyInfo.xcprivacy file for the app itself and does not check the app's bundles. I had hoped that the problem was just that we were using .copy() instead of .process() for the xcprivacy file, but changing that had no effect.

Might need to file a DTS because things seem pretty straightforwardly broken on Apple's end and their sample code doesn't actually work.

[tgoyne]

swiftlang/swift-package-manager#7317 and firebase/firebase-ios-sdk#12557 also report that privacy manifests in static frameworks just plain don't work at the moment. If this isn't fixed by May 1 we can work around it by forcing RealmSwift to be built as a dynamic framework, but that'll increase app binary sizes and startup times.

[tgoyne]

#8561 makes it so that you can build RealmSwift as a dynamic framework when installing via SPM by selecting "Embed & Sign" in the Frameworks, Libraries, and Embedded Content section, and afaict this results in app store connect actually using our privacy manifest. Alternatively, if you wish to continue statically linking RealmSwift you can manually add our privacy manifest declarations to your app's privacy manifest. There doesn't appear to be any other options with SPM.