Fedora approves shipping pre-built macOS binaries
The Asahi Linux project works to support Linux on Apple Silicon hardware. The project's flagship distribution is the Fedora Asahi Remix, which has its own installer (rather than Anaconda) to accommodate the unique requirements of installing on Apple's hardware. Previously the installer was built by the Asahi project, but it has asked for (and received) an exception from the Fedora Engineering Steering Committee (FESCo) to include two binaries from upstream open-source projects so that the installer can be built on Fedora infrastructure.
Apple Silicon does not support something as simple as plugging a USB stick in and rebooting into a Linux installer. Users who want to install Linux on an M1 or later Mac have to start the installation in macOS, resize the disk so there's room for Asahi, and then reboot into macOS Recovery (recoveryOS) to finish the installation. Asahi Linux is typically installed alongside macOS, so users can choose to boot into either operating system, though users can get rid of the macOS partition entirely. As part of the process, Asahi replaces the macOS kernel used for system recovery with Asahi's m1n1 bootloader for Apple hardware. The entire boot process for Apple Silicon is well-described in the Asahi January/February 2021 progress report.
This means that the installer (which is written in Python) requires two macOS binaries to perform the installation: a Python interpreter for macOS and libffi, which is used by Python in recoveryOS to extract firmware from the macOS kernel for Linux to use. Unfortunately, it requires Xcode to build these for macOS so it's not possible to build the binaries on Linux, which means shipping prebuilt binaries.
According to Fedora packaging
guidelines, all "program binaries and program libraries"
should be built from source for security and to ensure that they use
the standard Fedora compiler flags. (This does not extend to
content binaries such as images or PDFs, which may be
included without corresponding sources.) Since this isn't possible,
Asahi contributor Davide Cavalca requested an exception on May 15 for
a macOS build of Python and a build of libffi from the Homebrew
project:
We specifically want to do this because it will allow us to ship to users an m1n1 stage1 that is also built in Fedora (the Asahi Linux installer ships its own prebuilt one).
Neal Gompa replied "this is probably fine, since from our perspective, macOS is
'firmware-ish'". Tom Stellard wondered
whether it would be possible to cross-compile the binaries rather
than pulling in binaries produced on macOS. Cavalca responded
that he did not believe it was practically possible to do so,
short of running a macOS virtual machine with Xcode on top of
Linux. At some point it might be possible to use Darling, a
project aimed at running macOS software on Linux, "but I don't
believe it's in a usable state yet (which is also why we haven't
packaged it for now)".
Former FESCo member Miro Hrončok said that he would probably be
against allowing the exception. He made the argument that allowing
prebuilt binaries in for macOS opened the door to dropping the
requirement to build everything from source altogether. He also asked "how
do we know the macOS binaries don't contain some proprietary
macOS/Xcode bits?" and suggested that the request should be
discussed on a mailing list or in Fedora's Discourse forum, but the
conversation was never carried over.
Cavalca said he had not audited the binaries, but that they come
from official upstream sources (Python and Homebrew, respectively) and are redistributable. He responded in a
roundabout way to Hrončok's question about proprietary bits by saying
that using Xcode does not preclude
redistribution "as otherwise you wouldn't be able to use the
compiler for much of anything".
The matter was taken up by FESCo as new business in the May 20
meeting. (The meeting
log format for Fedora meetings, unfortunately, does not allow linking directly to individual
comments or timestamps. The discussion begins at 19:11:58.) During the meeting it was noted that the Fedora Project has another
program built outside Fedora's Koji build system that
targets macOS: Fedora
Media Writer. Josh Stone asked how that was handled, and Stephen
Gallagher replied "poorly". Gompa followed up to explain that
the macOS binary is built elsewhere and then submitted to Fedora
release engineering to be notarized (digitally signed by Apple)
so macOS users don't receive warnings when running the program.
After some back-and-forth discussion about the oddities and
problematic licensing of the macOS toolchain, Gallagher said he did
not understand the advantage of packaging the binaries if Fedora
did not control the build system. Cavalca said that having the installer
package built by Fedora means "we go from the installer being a random
untrusted blob to it being a trusted package that relies on two
smaller blobs".
Eventually, Zbigniew Jędrzejewski-Szmek said he had started out
against the proposal but had come around to a "more positive
view". He noted that the code would not run on Fedora, but on
macOS, and that accepting upstream binaries was the least-bad solution:
We're not experts at building stuff for MacOS, so replicating the builds that are already done doesn't gain us much. It's likely that it could introduce additional problems and bugs. And since that code is never going to be executed on a Linux system, it's like firmware, i.e. something that we accept for pragmatic reasons.
Gallagher pressed for a vote after about 50 minutes of discussion
on the topic. (Timestamp 19:50:20 in the meeting log.) David Cantrell, Kevin Fenzi, Josh Stone, and Stellard
all voted against the exception. Major Hayden, Tomáš Hrčka, Gallagher,
Gompa, and Jędrzejewski-Szmek voted in favor, approving the exception by one vote, five to four. After the vote was
tallied, Gallagher said: "that's the most contentious vote I've seen in a while".
After the meeting minutes were posted to the Fedora development
mailing list, Hrončok wrote: "I am a tad sad that this was approved by FESCo without being first discussed
with the wider community." Fenzi agreed.
For Asahi Linux users, little will change. The installer will continue to work the same way as it had previously, but it will be built with Fedora infrastructure. It will be interesting to see whether this sets a precedent for prebuilt binaries, or ends up being a one-time concession to helping users migrate away from a proprietary operating system. We have a chance to find out before long: FESCo is also being asked to approve an exception to allow signed SGX enclave binaries for running confidential virtual machines, and should be taking that up soon.
