
iTerm2 increasingly seems too complex and bloated to me, with too many security issues. I haven't shopped for a new terminal emulator on macOS in a long time, but perhaps it's now time.

I should also get around to switching to tmux, now that GNU Screen seems to be stagnant...



I recently gave Ghostty a chance and have since switched over from iTerm2 completely. It's very familiar and polished.


Probably worth noting that Ghostty was very recently vulnerable to an old/familiar class of terminal vuln that bit a bunch of older terminal applications a while back: https://dgl.cx/2024/12/ghostty-terminal-title

So moving to a newer / less "bloated" terminal may also just wind the clock back and cause you to encounter a similar sequence of vulns again, like some kind of unfortunate real-world "New Game Plus".


Having a vuln that many other terminal emulators have had is pretty different from the string of unique and extremely bad vulns that iTerm has had over the years. It’s possible that we’ll see similar from Ghostty, but it’s a much newer and I believe smaller codebase, so I’m willing to give it a second chance.


I've been using iTerm daily for something like a decade at this point and I'm struggling to think of any examples of this string of extremely bad vulns. There's this one, which is specific to SSH integration. There was CVE-2024-38396, which is the window title escape sequences I was talking about above.

What others am I missing?


How about making DNS requests for everything you hover over to determine if it’s a URL? https://www.bleepingcomputer.com/news/security/iterm2-leaks-...


A vuln every 7-8 years is "a string of unique and extremely bad vulns"?

I use iTerm2, mostly because that's what I'm used to: I installed it on my first Mac years ago when Terminal.app was really bad. I'm willing to switch to another terminal, but I don't see yet how iTerm2 is so much worse than the competition security-wise.

(I also don't understand the general animosity towards an opensource project with one developer doing all the work for 15 years.)


> A vuln every 7-8 years is "a string of unique and extremely bad vulns"?

Here’s another: https://www.bleepingcomputer.com/news/security/iterm2-patche...

And another: https://www.cvedetails.com/cve/CVE-2019-19022/

Point being: it’s not hard to see what I’m talking about if you look up previous vulnerabilities in iTerm2, particularly around its sophisticated integration features. (I suppose I talk about this enough that it might be worth compiling all the history I’m aware of somewhere, I don’t want to sound like I’m just making this up)

It’s also notable that iTerm was found vulnerable to the same bug discovered recently in Ghostty: https://threatintelligencelab.com/blog/cve-2024-38396-a-crit...

> I also don't understand the general animosity towards an opensource project with one developer doing all the work for 15 years

I have nothing against George Nachman and iTerm2 is certainly an achievement, one that I probably couldn’t replicate myself. Nonetheless I feel the need to hold my terminal emulator to higher standards because it processes sensitive data and untrusted input with (inherently) poor isolation between the two. Until Ghostty I used Terminal.app for many years, having previously switched away from iTerm2 after the vulnerability discovered in 2017. That’s still what I recommend to people because it has a much smaller feature set and thus attack surface compared to iTerm.


I hope I didn't sound like I did not believe you, I honestly had no idea. I don't get an update for iTerm2 every week so I figured it was mostly stable / had no sec issue.

Following this discussion I decided to give Ghostty and kitty a try. I kept Ghostty, mainly because the shortcuts I use the most in iTerm2 are there and I like the default theme (yes, I'm a simple person.) It has fewer features / integrations I don't use anyway so I guess the attack surface is smaller.


[flagged]


[flagged]


No, it's just that you're exceptionally rude.


Probably true, but it still stings that this dubious piece of software (speaking as a former iTerm2 user still holding a grudge) had been spraying my passwords and random terminal activity all over the internet in the form of unencrypted DNS requests for who knows how long, deliberately, due to mindless opt-out featuritis on the part of the developer. In my mind this is one of the clearest violations of privacy and information security I've been directly subjected to, because the developer had some gee-whiz-neato idea of highlighting URLs in a terminal and making them clickable.

It pains me to think people are still exposing themselves to this class of risk because of whatever iTerm2's latest and greatest idea is.


I think it's very reasonable to point at the development model and go, "I think this is bad and specifically the cause for security vulnerabilities". If you want to make that your position (I am sure it is already, and I don't think it is particularly controversial) that is completely fine. But there's a difference between holding that and your actual comment. Like, this was 100% unintentional, and people literally introduce malicious or undesirable features in their software all the time. Maybe we should save the tarring and feathering for that, and come up with a more measured take for stuff like this?


I can only find three CVEs prior to this. It's only one of those that I would qualify as "extremely bad" (the DNS query leak you mention below). The others are the window title bug GP mentions and the undocumented maintenance of a plain text search history file.


Ghostty has also been out for what, a week? So this is the open season / shakedown, when security researchers get to try out all the old favorites and see what got missed.

I don't think there are larger lessons to draw from that occurrence. A reputation for security has to be earned, and Ghostty hasn't been around long enough for that. From my vantage point it's on track, but only time will tell.


I'm not trying to knock either Ghostty in particular or new software in general. But the kind of "open season" phase you're referring to is basically the same point I'm making: new software still has to go through the phase where they work through their security model, have it probed by researchers, and earn their reputation.


Unfortunately, it's nowhere near close feature-wise just yet: proper quake mode, search, prompt navigation, line timestamps, tab output indicators, forced keyboard locales, customizable toolbar with user-defined variables/indicators, are all too useful to give up iTerm2 for anything.


What is "proper Quake mode"? Have you tried https://ghostty.org/docs/config/keybind/reference#toggle_qui...? (I don't have the habit to use this feature, but I'd like to!)

The others do sound useful too -- I personally hit a lot of spurious "tab output indicator" notifications in iTerm2, but if it _did_ work I could see how giving it up would be painful.


Proper quake mode is just one shortcut to show/hide the entire terminal window, otherwise the app is completely hidden from the app switcher and the dock. This also involves handling macOS keyboard-to-app layout mapper not reacting to this event as the window loses its first-class citizen status in this mode.


I got the toggle working, but couldn't get background transparency.


I tried iTerm’s quake mode after the Visor haxie for Terminal.app was shuttered, but unfortunately was left disappointed. Its behavior is kinda glitchy and inconsistent in comparison, which was surprising because one would expect a native feature to be better than one hacked in by a third party, but that was not the case here.


What's not proper about Ghostty's quake mode?


It does not support tabs, for one.


I tried Ghostty earlier in the week, but couldn’t get it set up to look the same as iterm2 (the colours are off and text looks different somehow with the same typeface at the same size). Which is just cosmetic but makes it feel wrong viscerally.

I’ll give it another go at the weekend.


Somehow this is the first time I see anyone else bring this up, but the fonts are absolutely displayed with wrong kerning on my mac, for my font (at 12pt) I was able to make it look the same as iTerm2 with adjust-cell-{width,height} both set to -5%.


I had an issue where Ghostty failed to render the text "th", so I think Ghostty just generally has a lot of font issues. Gave up trying to use it within minutes.


It seems that I had iTerm2 configured to display bold text as bright text (instead of bold). And I use bold, coloured text in my prompt, so that threw me.

I configured

    bold-is-bright = true

and suddenly everything looks fine. I'll see how I get on with it.

https://ghostty.org/docs/config/reference#bold-is-bright


I noticed the colors looked off when I was trying out Ghostty as well. Adding this line to my config fixed it after restarting the app: `window-colorspace = display-p3`

https://ghostty.org/docs/config/reference#window-colorspace


Ghostty supports iTerm themes, so you should be able to transfer your preferred look-and-feel directly. I just picked one I liked, so I'm not familiar with the process, but it can be done.


Could you please point to the docs about how to transfer iTerm2 themes to Ghostty? I couldn't find it.


It looks like the process is more manual than I thought, sorry. There's something which imports themes from the iTerm2 color schemes website weekly, but from what I can find that isn't a feature which ships with Ghostty itself.

Here's the relevant docs page, which I hope explains why I mistakenly thought that transferring a theme directly from iTerm to Ghostty was possible. You could upload your theme to the website they're being sourced from, and wait a week. But that's clearly not the same thing.

https://ghostty.org/docs/features/theme


I used font-thicken = true and it looks pretty good, very similar to iTerm.


I am using both at the moment, but iTerm has many, many features missing in ghostty. Most of them are not huge, but overall that’s a lot of paper cuts. Ultimately I wish both will stick around. Both have good ideas and I’d like them to keep evolving.


I tried Ghostty but the configuration file seems to be flakey. For example I wasn't able to turn off the cursor blinking in it (huge distraction for me) despite there being a configuration flag for it, it just wouldn't take it.


There's a known issue where the shell integration doesn't respect that setting when it sets the cursor shape. https://github.com/ghostty-org/ghostty/discussions/2812


Have you tried shell-integration-features = no-cursor ?


I also switched over to Ghostty, but now can't do Cmd+F to search for strings, I think it's on the roadmap though. Also, there are no scroll bars on the Mac version, which I guess is not that important for a terminal.


I did the same. Although, Ghostty doesn't seem to have support for Find (⌘-F), yet. Also, had some minor hiccups with it and tmux on remote hosts.


I've resorted to using Cmd-Shift-J (scrollback buffer) and grepping that, but it's flaky about whether it will honor the command and emit a history file.


I tried Ctrl+r while she'd and it didn't work. Otherwise Ghostty looked great.


Does Ghostty support natural text editing like iTerm2 does?


Same. So far so good.


> It's very familiar...

It is? Because as far as I can tell it is deliberately quite different from iTerm2. No GUI for preferences, for instance.

Not knocking it, it's a great terminal. I wouldn't describe it as "familiar" though, unless you're switching from, say, WezTerm or Alacritty.


Ghostty hasn't had to put out a critical update since before 1.0 launched.


“Too complex” and “bloated” are catch-alls that you should consider expanding further on.

I don’t personally find iTerm2 to be either of those.


It is a bit slow, though.


I'm a heavy user of tmux integration in iTerm2. This allows seamless mouse scroll in a tmux window. I haven't seen any other terminals that provide the same tmux support.


Wezterm doesn’t have tmux integration but instead implements multiplexing natively, meaning if you install it on a remote, it will host a mux server you can attach to over ssh. Pretty cool, and much faster/lower latency than tmux.


I have used Terminal.app since 10.0, and have never felt like it needed replacing. What is lacking in Terminal that would improve my day to day by using a different app?


That's a question that only you can answer. We have no idea what your average terminal activity involves.

(I can't remember why I switched. It must have been 10 years ago now, maybe more, and I've stuck with iTerm2 ever since (even though it annoys me with a new beta update practically every time I launch it). It could have been nothing fancier than the vertical window split. But there was definitely something that persuaded me to change!)

EDIT: this did get me wondering, and I noticed two things it does have that it looks like Terminal still doesn't: configurable mouse selection word boundary chars, and implicit copy-to-clipboard on selection. As an inveterate mouse selector, I wonder if it was these. I might well actually have the word boundary chars still set to the default ("/-+\~_." is what I've got), but I do use the click-to-copy a lot.


> even though it annoys me with a new beta update practically every time I launch it

Why don't you just use the stable releases?


I don't like to get too comfortable!


There's a mini-renaissance going on with new terminal tools, like tmux, neovim (which has an ecosystem of plugins itself), htop, and many more (https://github.com/rothgar/awesome-tuis). They take greater advantage of 24-bit color, "nerd" fonts (that have icons for glyphs), some graphics capability, and so on.

I used Terminal for many years, too, but switched to iTerm2 a little over a year ago as I wanted to learn neovim.


In my opinion, the most notable feature missing from Terminal.app is 24-bit color support. This is a standard feature in modern terminal emulators, and is one that I enjoy very much. But for many people, that is not a feature that makes a big difference.


For me it’s 3 major things:

- split pane support
- profile switching (I have my colors change for different environments I ssh into).
- tmux integration


Still use GNU Screen? Both GNU Screen and tmux had security issues in the past, but GNU Screen had worse ones and that is why I switched. Zellij is a Rust terminal multiplexer, might wanna look into that. What I especially love about it is the discoverability of the keybinds. TUI wet dream.


I don't use Mac but what's wrong with the default?

> GNU Screen seems to be stagnant

Is it stagnant or mostly complete?


> I don't use Mac but what's wrong with the default?

Nothing, it works great. As someone who tried a bunch of alternatives: sorry but it's a waste of time unless you look at the long list of iterm2 features (terminal.app has many of them anyway) and think you might use those often (I don't, quite happy with my other apps covering for most of the features missing from the terminal.app): https://iterm2.com/features.html


Complete I would say. However Mac uses GNU software from around 2006, since around that time a lot of GNU software switched from GPLv2 to GPLv3. That means Mac ships GNU screen version 4 from 2006, while latest version is 5.


  v4 2006: feature complete, survived 18 years of attacks
  v5 2024: new auth functionality, survived 4 months of attacks


I try out the new apps each year and always go back to Terminal.app. My one gripe with it was that Opt-Del didn't delete words, which I learned last year can be fixed by Preferences > Profiles > Keyboard > Use Option as Meta key

Long live Terminal.app


I've considered "screen" complete since I started using it over 30 years ago.


I recently ran into a bunch of problems running neovim under GNU Screen with `TERM=screen.xterm-256color`. There was some kind of problem relating to GNU Screen's parsing and re-transmit of certain full-color terminal escape codes. I don't remember the details right now, but what I know is that building the latest from source didn't help. (I wish I could remember the specific issues)


Same - I'm at about 20 years give or take.

It also has every feature known to exist in this space.

I agree though that the world is moving in the way of tmux - I'll get around to switching occasionally.


Vertical splits? (I know they can be patched in)


I’ve been using tmux for over a decade because screen was a bit on the legacy side back then


> GNU Screen seems to be stagnant...

Not at all, it just had a release a few months ago,

GNU Screen v.5.0.0 is released posted by anaumov, Wed 28 Aug 2024 09:41:30 PM UTC


Would xpipe be a candidate? It’s also quite feature packed, but I was pleasantly surprised how nicely it got out of my way.


> now that GNU Screen seems to be stagnant...

That's not a new thing...


What else does it need?

I get old code smell, and why folks might want something architecturally different, whatever - but screen is functionally feature complete.


I haven't looked super hard, but an iTerm feature I "gotta have" is triggers - regexps that match lines of text in the terminal and do an action.

You can do some complex stuff with them, but I "just" use them to highlight specific things when tailing output. Some of it might be possible with grep, but probably not


I really like alacritty + tmux, personally.


I switched to Warp, much snappier, some AI features, overall very good experience. Also Ghostty is apparently good.



