[cfarm-users] New Apple Mac M1 machine (gcc304)

Jeffrey Walton noloader at gmail.com
Wed Mar 24 16:09:24 CET 2021


On Wed, Mar 24, 2021 at 10:50 AM Jonas Maebe via cfarm-users
<cfarm-users at lists.tetaneutral.net> wrote:
>
> On 23/03/2021 01:31, Assaf Gordon via cfarm-users wrote:
> > - will it compromise SIP (
> > https://en.wikipedia.org/wiki/System_Integrity_Protection ) ?
>
> Note that keeping SIP enabled completely decimates compiler regression
> testing performance, because it means that every time you execute a
> compiled binary for the first time,
> 1) it gets checked for malware (XprotectService)
> 2) its code signature gets checked (syspolicyd, trustd, tccd) [1]
>
> Both 1) and 2) happen in single-threaded processes that handle only a
> single binary at a time. Moreover, if a network connection is available,
> checking a code signature involves checking with Apple's root
> certificate servers (to verify that the used certificate has not been
> revoked) [2]. The combination of these points is that the system spends
> way more time checking for malware and verifying certificates than
> executing test programs.

Yeah, but the other side to disabling SIP is a bunch of broken
packages. Libgcrypt, Nettle, GnuPG and friends can't get through their
self tests because they are not being tested on a SIP-enabled machine.
Some of the breaks have been known for over a year...

Jeff

