Any support/plan of Privacy Manifest? #2567

Closed
3 of 11 tasks
Angus-chang opened this issue Dec 11, 2023 · 119 comments

Comments

@Angus-chang

Following the same topic in the RxSwift official Slack. According to the definition of "third-party SDKs" mentioned in WWDC23, the new document Privacy manifest files | Apple Developer Documentation, and the new announcement from Apple, it seems like RxSwift/RxCocoa/RxRelay require a privacy manifest and signature as well.

I was wondering if the Privacy Manifest update will be introduced in the following updates, and whether it is possible for us to know the schedule so that we can plan and manage our app releases more effectively. Deeply appreciated.

Platform/Environment

  • iOS
  • macOS
  • tvOS
  • watchOS
  • playgrounds

Installation method:

  • CocoaPods
  • Carthage
  • Git submodules

Level of RxSwift knowledge:
(this is so we can understand your level of knowledge
and formulate the response in an appropriate manner)

  • just starting
  • I have a small code base
  • I have a significant code base
@wlxo0401

+1

@ZYHshao

ZYHshao commented Dec 26, 2023

+1

@tommyming

tommyming commented Dec 28, 2023

Agree that this needs to be added, there are still a lot of apps using RxSwift I think.

@freak4pc
Member

Definitely something we'll add by the deadline. There's almost a year by then. Thanks!

@danielt1263
Collaborator

If one of you who has already looked into this could add it, that would be fantastic. If you have any questions about the library itself, reach out to me on Slack.

@freak4pc
Member

Yeah, actually if anyone wants to open a relevant PR that would help immensely 🙏 thanks!

Here's an example, even though RxSwift doesn't track anything or do any API calls on its own, so there's really no privacy content to describe: https://github.com/BranchMetrics/ios-branch-sdk-spm/blob/main/BranchSDK/PrivacyInfo.xcprivacy

@wlxo0401

@freak4pc

I simply looked it up, and it seems like 'mach_absolute_time' is used, did I make a mistake?

@freak4pc
Member

@freak4pc

I simply looked it up, and it seems like 'mach_absolute_time' is used, did I make a mistake?

Might be missing something but what's the privacy concern with mach time?

@wlxo0401

wlxo0401 commented Dec 28, 2023

screen

Apple Doc

I was just looking up the API list in the Apple document in the RxSwift project.

The way I did it is as follows.

  1. Clone the RxSwift project to my computer
  2. I opened the project using Xcode.
  3. Through the entire search, the API was searched one by one.
    (If the above method is wrong, please let me know.)

I checked and found that 'mach_absolute_time' exists in the 'Tests' folder, isn't this a problem??

@danielt1263
Collaborator

danielt1263 commented Dec 28, 2023

Not a problem. It just needs a reason for being there.

The RxSwift test harness uses mach_absolute_time() in order to test performance only; it is not used in the production code and is not sent off device.
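
Added example (not part of the thread and not RxSwift project code): the manual search described above, automated as a Python scanner that looks for required reason API symbols outside comments and reports whether each hit sits in shipped sources or only under a test directory. The symbol table, the `Tests` directory rule and the sample files are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path, PurePosixPath

# Only the system boot time category from the thread; extend from Apple's list.
SYMBOLS = {"NSPrivacyAccessedAPICategorySystemBootTime": ("mach_absolute_time", "systemUptime")}
TEST_DIRS = {"Tests"}  # assumption: sources under these directories do not ship


def strip_comments(src):
    """Drop // and nested /* */ comments, keeping newlines so line numbers hold.
    Strings are tracked ("http://x" is not a comment) and kept, erring towards a hit."""
    out, i, depth, in_str = [], 0, 0, False
    while i < len(src):
        ch, two = src[i], src[i:i + 2]
        if depth:  # inside a block comment; Swift allows nesting
            if two in ("/*", "*/"):
                depth += 1 if two == "/*" else -1
                i += 2
            else:
                out.append("\n" if ch == "\n" else " ")
                i += 1
        elif in_str:
            step = 2 if ch == "\\" else 1  # keep an escaped character with its backslash
            out.append(src[i:i + step])
            in_str = ch not in '"\n'
            i += step
        elif two == "//":
            while i < len(src) and src[i] != "\n":
                i += 1
        elif two == "/*":
            depth, i = 1, i + 2
        else:
            in_str = ch == '"'
            out.append(ch)
            i += 1
    return "".join(out)


def scan(files):
    """files maps a repo-relative POSIX path to its source text."""
    hits = []
    for path, src in sorted(files.items()):
        shipped = not (TEST_DIRS & set(PurePosixPath(path).parts))
        for lineno, line in enumerate(strip_comments(src).split("\n"), 1):
            for category, names in SYMBOLS.items():
                for name in names:
                    if re.search(rf"\b{re.escape(name)}\b", line):
                        hits.append({"path": path, "line": lineno, "symbol": name,
                                     "category": category, "shipped": shipped})
    return hits


def summarize(hits):
    """Categories reached from shipped code, and those seen only in tests."""
    shipped = {h["category"] for h in hits if h["shipped"]}
    tests = {h["category"] for h in hits if not h["shipped"]}
    return {"shipped": sorted(shipped), "test_only": sorted(tests - shipped)}


def load_tree(root, suffixes=(".swift", ".m", ".mm", ".h", ".c")):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}


SAMPLE = {  # constructed sample tree, not RxSwift's real files
    "Sources/Clock.swift": 'let u = "http://x.invalid" // mach_absolute_time() gone\n',
    "Tests/Perf.swift": "/* timing /* nested */ helper */\nlet t0 = mach_absolute_time()\n",
}

if __name__ == "__main__":
    files = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(*scan(files), summarize(scan(files)), sep="\n")
```

Run it with a checkout path as the only argument to scan a real tree; with no argument it scans the constructed sample.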

@wlxo0401

@danielt1263

Here's an example, even though RxSwift doesn't track anything or do any API calls on its own, so there's really no privacy content to describe:

Oh, I'm afraid I didn't say it correctly. It's my mistake to say "problem."
(I am not good at English.)

I mean... @freak4pc said 'so there's really no privacy content to describe', shouldn't we write down the description in PrivacyInfo if RxSwift uses 'mach_absolute_time'??

@danielt1263
Collaborator

danielt1263 commented Dec 28, 2023

Yes, the description needs to be added to the privacy info. I provided you the description above.

@tommyming

tommyming commented Dec 28, 2023

If mach_absolute_time() is the only API that is used in the project, as mentioned by @wlxo0401, I think we just need to declare the use of the API and its purpose in the privacy file, as mentioned by Apple. Then it should work?

For reference, this is a PR of Kingfisher, adding privacy manifest to the project:
onevcat/Kingfisher#2156

I can try to work on this on the 1st week of 2024, if anyone is free to work it out these days, feel free to create a PR.

@wlxo0401

@tommyming

Apple specifically mentioned RxSwift, but within the RxSwift ecosystem, there are various related libraries like RxCocoa, RxRelay, RxBlocking, RxTest, and RxSwift-Dynamic, among others.
(And we can only choose what we want.)

The question is whether you should include PrivacyInfo documentation for each of these libraries separately or if a single PrivacyInfo entry is sufficient.

(Use Chat GPT for translation)

@tommyming

tommyming commented Dec 29, 2023

@tommyming

Apple specifically mentioned RxSwift, but within the RxSwift ecosystem, there are various related libraries like RxCocoa, RxRelay, RxBlocking, RxTest, and RxSwift-Dynamic, among others. (And we can only choose what we want.)

The question is whether you should include PrivacyInfo documentation for each of these libraries separately or if a single PrivacyInfo entry is sufficient.

(Use Chat GPT for translation)

According to Apple's article:
RxCocoa, RxRelay, RxSwift are on the list.

If that's the case, I think adding privacy files to these 3 libraries should do the job?

@wlxo0401

@tommyming

Thank you so much for your quick response.

I have another question about Privacy Manifest, not Rx content...

  1. If Apple does not mention the library, but there is something to record in 'PrivacyInfo'
  2. If Apple mentions it but there is nothing to record in 'PrivacyInfo'
  3. If Apple doesn't mention it and doesn't have anything to write in "PrivacyInfo"

What happens to each of the above situations?

As far as I know, Privacy Manifest is compulsory for third-party libraries, but when I look at other library communities, I'm confused because some places can't even be mentioned.

@tommyming

tommyming commented Dec 29, 2023

As far as I know, Privacy Manifest is compulsory for third-party libraries, but when I look at other library communities, I'm confused because some places can't even be mentioned.

May I know the reference from Apple that Privacy Manifest is compulsory for 3rd party libraries?
If that's the case, then many old libraries in cocoapods may require updates, which may cause a massacre of the whole community.

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

@wlxo0401

@tommyming

Apple Doc

From Fall 2023 you’ll receive an email from Apple if you upload an app to App Store Connect that uses required reason API without describing the reason in its privacy manifest file. From Spring 2024, apps that don’t describe their use of required reason API in their privacy manifest file won’t be accepted by App Store Connect.

It is part of the contents of the above document.

The contents that can be included in 'PrivacyInfo' are as follows.
[NSPrivacyTracking, NSPrivacyTrackingDomains, NSPrivacyCollectedDataTypes, NSPrivacyAccessedAPITypes]

However, in the case of 'NSPrivacyAccessedAPITypes', the document had the above contents.

I understood that, 'All third party libraries should add Privacy Manifest if they have a 'Describing use of required reason API'.

Did I get it too differently?

@tommyming

tommyming commented Dec 29, 2023

All third-party libraries should add a Privacy Manifest if they have a 'Describing use of required reason API'

Agree on this.

But I think Apple understands that a massacre will be summoned if they enforce all 3rd party libraries need to add Privacy Manifest lol. So that's why they provided a list of must-provide SDKs.

A bit off-topic. I will try to add a privacy manifest to the 3 repositories mentioned by Apple next week.

Please feel free to provide info related to this issue, thanks.

@tommyming

Seems @wlxo0401 has created a PR (as mentioned above), please feel free to take a look.

@lambda123254

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

Actually, all libraries or SDKs which use these functions Apple Doc have to add Privacy Manifest, Apple just mentioned a few of them which are common libraries, so all SDK developers should review their own SDK whether they are mentioned by Apple or not. CMIIW

@tommyming

tommyming commented Jan 2, 2024

According to my understanding, only the SDKs mentioned by Apple on the list are compulsory to add privacy manifests. Or else you cannot perform App Submissions.

Actually, all libraries or SDKs which use these functions Apple Doc have to add Privacy Manifest, Apple just mentioned a few of them which are common libraries, so all SDK developers should review their own SDK whether they are mentioned by Apple or not. CMIIW

Agree on this.

But then Apple announced a list (in early December 2023) of libraries/SDKs that need to add privacyInfo, or else the app cannot be submitted to the App Store. That's why I used the word compulsory in the statement.

To clarify one thing, I agree that eventually all 3rd party SDKs may need to add the file. I'm just worried about the long-term ongoing progress of the review process.

Thanks for the info @lambda123254! Much appreciated.

@wlxo0401

wlxo0401 commented Jan 26, 2024

I discovered a new while testing.

Until now, most of the libraries that have added PrivacyInfo have not been marked in PrivacyReport.

However, when an item is added to the 'Privacy Nutrition Label Types', the library name is displayed in the PrivacyReport.

Many libraries have updated PrivacyInfo without adding anything from 'Privacy Nutrition Label Types'.

Does anyone know about this? Is 'Privacy Nutrition Label Types' a must-have item?

Or is it not necessary to display it in the privacy report?

Please feel free to leave opinion.

(I used a translator.)

@tommyming

tommyming commented Jan 26, 2024

I guess this is something from HealthKit, where this type of info should be treated properly?

@wlxo0401

wlxo0401 commented Jan 26, 2024

I guess this is something from HealthKit, where this type of info should be treated properly?

I didn't use HealthKit.

The comment I posted seems to have a translation error, so I corrected it again.😭

@tommyming

I discovered a new while testing.

Until now, most of the libraries that have added PrivacyInfo have not been marked in PrivacyReport.

However, when an item is added to the 'Privacy Nutrition Label Types', the library name is displayed in the PrivacyReport.

Many libraries have updated PrivacyInfo without adding anything from 'Privacy Nutrition Label Types'.

Does anyone know about this? Is 'Privacy Nutrition Label Types' a must-have item?

Or is it not necessary to display it in the privacy report?

Please feel free to leave opinion.

(I used a translator.)

May I know wdym by PrivacyReport? Thanks.

@wlxo0401

May I know wdym by PrivacyReport? Thanks.

The 'PrivacyReport' I'm talking about can be downloaded as a PDF if you archive the app.

https://developer.apple.com/videos/play/wwdc2023/10060/
Please refer to 3:20.

  1. Open your project in Xcode.

  2. Choose Product > Archive. Xcode creates the archive and reveals it in the organizer.

  3. Control-click the archive in the organizer and choose Generate Privacy Report.

@kapitoshka438

@freak4pc @danielt1263
The official document clearly states that you are required to add privacy manifest, since you are on the list. And all other SDKs that are not on the list add the manifest only if they have something to add.
[Screenshot 2024-04-23 at 00 01 40]

If this is not enough for you to make the right decision, just show care about all these thousands of developers who use your SDK. Huge amount of apps that use RxSwift faced this challenge of figuring out how to deal with this new Apple requirement. I have 5 apps in the App Store. Each of them uses dozens of SPM dependencies. Each of them receives warnings from Apple about missing API declarations. Instead of looking for a needle in a haystack I would prefer that every SDK developer tell me whether they use these APIs or not.

@freak4pc
Member

@freak4pc @danielt1263 The official document clearly states that you are required to add privacy manifest, since you are on the list. And all other SDKs that are not on the list add the manifest only if they have something to add. [Screenshot 2024-04-23 at 00 01 40]

If this is not enough for you to make the right decision, just show care about all these thousands of developers who use your SDK. Huge amount of apps that use RxSwift faced this challenge of figuring out how to deal with this new Apple requirement. I have 5 apps in the App Store. Each of them uses dozens of SPM dependencies. Each of them receives warnings from Apple about missing API declarations. Instead of looking for a needle in a haystack I would prefer that every SDK developer tell me whether they use these APIs or not.

Wow, you are amazingly rude. We've been maintaining this project for years and putting our heart into it, using ridiculous claims like "showing care for developers" is amazingly detached from reality. I don't know who you are, I've never seen you contribute a single line of code to this project aside from coming here with demands without reading any part of this discussion.

If the decision we took (after consulting the documentation and available online resources) does not suit you, feel free to fork the repo, add an empty manifest and link your apps towards your fork. The project is open and you're free to do so.

For now, the yellow block you screenshotted links to the same section I mentioned earlier that shows this manifest requirement in our case is only required for entirely new apps that add RxSwift or updates of apps that add RxSwift (but didn't have it before).

image

We've also linked to the DTS answer that mentions there is no need to add an empty manifest if you have nothing to declare.

Beyond that, I really have nothing else to add to this discussion anymore.

We might make a change if Apple answers our DTS but we have not heard back from them so far, we might also make a change at our own discretion (mainly to stop this ridiculous discussion). There is currently no reasoning / guidance of doing what you suggested, the fact you have 5 apps to deal with is not a reason for me to change my answer. I'm maintaining plenty of apps that use RxSwift heavily and am taking the same decision into my projects as well :)

Also, as I've noted, our own app has RxSwift in the App Store with no privacy warnings.

@kapitoshka438

[Screenshot 2024-04-23 at 02 21 49]

This is how I understand the DTS reply:

if frameworkNeedsPrivacyManifest() {
  addPrivacyManifest()
} else {
  doNothing()
}

func frameworkNeedsPrivacyManifest() -> Bool {
  return frameworkIsOnTheList || frameworkUsesRequiredReasonsAPIs
}

Maybe you're right, maybe I am. But we both see what we want to see.

Wow, you are amazingly rude

This is the way.

@freak4pc
Member

You are misinterpreting the text and not referring at all to the huge document with specifications they sent, but I have wasted enough energies on this discussion with you at this point :)

As I mentioned, there is absolutely no problem or difficulty with forking the repo and adding or removing whatever portions of code you want to it if you're interpreting the situation any differently. We'll be monitoring what happens to releases in May and if there are any issues / reports of an issue. As mentioned numerous times before, if there will be any issue we will immediately remedy with whatever is needed.

Thanks.

@freak4pc
Member

freak4pc commented Apr 22, 2024

If Option 2 happens and you release a version, will the signature be included inside?

We've added self-signed binary signatures starting with RxSwift 6.7.0. Another option is creating your own xcframework(s) so you don't have any worries or needs for signatures to begin with :)

You can verify the fingerprint matches the one we provide, in Xcode:
image

We've listed the fingerprint with additional instructions in the README, here:
https://github.com/ReactiveX/RxSwift?tab=readme-ov-file#xcframeworks

More on how this works, here:
https://developer.apple.com/videos/play/wwdc2023/10061

@yly6518

yly6518 commented Apr 24, 2024

@freak4pc @danielt1263 The official document clearly states that you are required to add privacy manifest, since you are on the list. And all other SDKs that are not on the list add the manifest only if they have something to add. [Screenshot 2024-04-23 at 00 01 40]
If this is not enough for you to make the right decision, just show care about all these thousands of developers who use your SDK. Huge amount of apps that use RxSwift faced this challenge of figuring out how to deal with this new Apple requirement. I have 5 apps in the App Store. Each of them uses dozens of SPM dependencies. Each of them receives warnings from Apple about missing API declarations. Instead of looking for a needle in a haystack I would prefer that every SDK developer tell me whether they use these APIs or not.

Wow, you are amazingly rude. We've been maintaining this project for years and putting our heart into it, using ridiculous claims like "showing care for developers" is amazingly detached from reality. I don't know who you are, I've never seen you contribute a single line of code to this project aside from coming here with demands without reading any part of this discussion.

If the decision we took (after consulting the documentation and available online resources) does not suit you, feel free to fork the repo, add an empty manifest and link your apps towards your fork. The project is open and you're free to do so.

For now, the yellow block you screenshotted links to the same section I mentioned earlier that shows this manifest requirement in our case is only required for entirely new apps that add RxSwift or updates of apps that add RxSwift (but didn't have it before).

image We've also linked to the DTS answer that mentions there is no need to add an empty manifest if you have nothing to declare.

Beyond that, I really have nothing else to add to this discussion anymore.

We might make a change if Apple answers our DTS but we have not heard back from them so far, we might also make a change at our own discretion (mainly to stop this ridiculous discussion). There is currently no reasoning / guidance of doing what you suggested, the fact you have 5 apps to deal with is not a reason for me to change my answer. I'm maintaining plenty of apps that use RxSwift heavily and am taking the same decision into my projects as well :)

Also, as I've noted, our own app has RxSwift in the App Store with no privacy warnings.

I've read all the responses in the above discussion, and I'm a bit confused. I have a new app that is about to be released on the App Store before May 1st, and I've used RxSwift. It seems that I should add an empty privacy file? However, according to DTS's answer, I shouldn't do that. Now I'm unsure what to do.

I am not a native English speaker, the content above is based on translation.

@linhaosunny

I've processed my app with all those privacy problems, and it passed review yesterday (the project uses RxSwift, and I did nothing). I didn't get the privacy warning email; is that safe?

@wlxo0401

@linhaosunny
Currently, there is no way to check except for mail.

If you didn't get an email before May 1st, you should see no problem.

@freak4pc
Member

@yly6518 @linhaosunny To my understanding, @wlxo0401's comment is correct. If you got no e-mail you should be fine.

@kapitoshka438

kapitoshka438 commented Apr 24, 2024

@freak4pc Not really related to privacy manifest but to signature:
image
I've downloaded the latest RxSwift.xcframework from releases assets and included in my project. And I'm getting this error. Same if I run codesign -v RxSwift.xcframework
Is this something I should worry about?

@yly6518

yly6518 commented Apr 24, 2024

@yly6518 @linhaosunny To my understanding, @wlxo0401's comment is correct. If you got no e-mail you should be fine.

Thank you for your reply :)

@freak4pc
Member

@freak4pc Not really related to privacy manifest but to signature: image I've downloaded the latest RxSwift.xcframework from releases assets and included in my project. And I'm getting this error. Same if I run codesign -v RxSwift.xcframework Is this something I should worry about?

Can you try again? Seems like a weird hiccup, I uploaded a new zip on the latest version.

@kapitoshka438

@freak4pc Not really related to privacy manifest but to signature: image I've downloaded the latest RxSwift.xcframework from releases assets and included in my project. And I'm getting this error. Same if I run codesign -v RxSwift.xcframework Is this something I should worry about?

Can you try again? Seems like a weird hiccup, I uploaded a new zip on the latest version.

It works now thank you!

@Ro-M

Ro-M commented Apr 25, 2024

We talked to the Apple Review Team and they very clearly confirmed multiple times that if you do not receive any warnings after submitting your app for AppStore or external TestFlight review now, then you will not be blocked after 1st of May due to required reason API violations (assuming you don't change anything in your code).

Hope this helps in calming some people here.

@freak4pc
Member

We talked to the Apple Review Team and they very clearly confirmed multiple times that if you do not receive any warnings after submitting your app for AppStore or external TestFlight review now, then you will not be blocked after 1st of May due to required reason API violations (assuming you don't change anything in your code).

Hope this helps in calming some people here.

Glad they are answering some people 🤣

@Ro-M

Ro-M commented Apr 25, 2024

They currently offer consultation calls here for a limited time about AppStore Review changes. You can also sign up there, even for before May 1st still.

@tommyming

We talked to the Apple Review Team and they very clearly confirmed multiple times that if you do not receive any warnings after submitting your app for AppStore or external TestFlight review now, then you will not be blocked after 1st of May due to required reason API violations (assuming you don't change anything in your code).

Hope this helps in calming some people here.

Definitely useful, Apple is finally answering people lol

@wlxo0401

wlxo0401 commented May 1, 2024

Now it's May 1st.

@freak4pc
Member

freak4pc commented May 1, 2024

Now it's May 1st.

We've had no review issues.

@freak4pc
Member

freak4pc commented May 1, 2024

I'm closing this issue for now. If anything arises feel free to comment and I can reopen.
Thanks everyone for your involvement!

@freak4pc freak4pc closed this as completed May 1, 2024
@tommyming

Finally.
Thanks @wlxo0401 and @freak4pc during the whole journey!

@wlxo0401

wlxo0401 commented May 7, 2024

Finally. Thanks @wlxo0401 and @freak4pc during the whole journey!

Thank you all for discussing with me.

I also submitted two apps and passed the review without any problems.

@tommyming

Finally. Thanks @wlxo0401 and @freak4pc during the whole journey!

Thank you all for discussing with me.

I also submitted two apps and passed the review without any problems.

Same here, submitted an app with RxSwift with no issues at all.
(Btw the app review speed is very fast this week, seems Apple is prepared for a large amount of submissions and rejections. The review time has shortened from 3-7 days to a few hrs lmao.)
