On Wed, Mar 24, 2021 at 10:50 AM Jonas Maebe via cfarm-users <cfarm-users@lists.tetaneutral.net> wrote:
>
> On 23/03/2021 01:31, Assaf Gordon via cfarm-users wrote:
> > - will it compromise SIP (
> > https://en.wikipedia.org/wiki/System_Integrity_Protection ) ?
>
> Note that keeping SIP enabled completely decimates compiler regression
> testing performance, because it means that every time you execute a
> compiled binary for the first time,
> 1) it gets checked for malware (XprotectService)
> 2) its code signature gets checked (syspolicyd, trustd, tccd) [1]
>
> Both 1) and 2) happen in single-threaded processes that handle only a
> single binary at a time. Moreover, if a network connection is available,
> checking a code signature involves checking with Apple's root
> certificate servers (to verify that the used certificate has not been
> revoked) [2]. The combination of these points is that the system spends
> way more time checking for malware and verifying certificates than
> executing test programs.

Yeah, but the other side to disabling SIP is a bunch of broken packages. Libgcrypt, Nettle, GnuPG and friends can't get through their self tests because they are not being tested on a SIP-enabled machine. Some of the breaks have been known for over a year...

Jeff