Perl CFLAGS and LDFLAGS change

Hello Perl hackers.

You could read
<http://permalink.gmane.org/gmane.linux.redhat.fedora.devel/208954> about the poor
implementation of the Fedora 23 hardening feature.

It turned out that perl is broken too. Fortunately, only /usr/bin/perl is
broken. Not the libperl.so or any other XS modules. This issue is known as
<https://bugzilla.redhat.com/show_bug.cgi?id=1238804>.

Playing with perl's Configure arguments shows different options are used at
different places and the best configuration looks like this (from perl.spec):

-/bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \
-        -Dccdlflags="-Wl,--enable-new-dtags" \
-        -Dlddlflags="-shared $RPM_OPT_FLAGS $RPM_LD_FLAGS" \
+# ldflags is not used when linking XS modules.
+# Only ldflags is used when linking miniperl.
+# Only ccflags and ldflags are used for Configure's compiler checks.
+# Set optimize=none to prevent from injecting upstream's value.
+/bin/sh Configure -des \
+        -Doptimize="none" \
+        -Dccflags="$RPM_OPT_FLAGS" \
+        -Dldflags="$RPM_LD_FLAGS" \
+        -Dccdlflags="-Wl,--enable-new-dtags $RPM_LD_FLAGS" \
+        -Dlddlflags="-shared $RPM_LD_FLAGS" \
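
Review bot: The new -Dlddlflags line drops $RPM_OPT_FLAGS, which the removed line passed together with $RPM_LD_FLAGS, and none of the four added comments says why. If any option in $RPM_OPT_FLAGS also has to be present when shared objects are linked, XS modules would lose it, so either keep it on that line or add a comment stating that it is not needed at link time. The comments would also be easier to follow if they named the variable that does carry link flags for XS modules and said why $RPM_LD_FLAGS is now appended to ccdlflags.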

I tested this change locally and everything looks better than before.

Also this change makes other Perl packages' Makefile.PL's OPTIMIZE argument
redundant. Please also note the Build.PL's optimize argument is completely
ignored by Build.PL.

After sub-packaging some core modules, I will push this change into Fedora 23
only. I believe it does not break anything that does not have a broken build
script. I did tests on architecture-specific packages perl-B-Utils (driven by
ExtUtils::MakeMaker) and perl-PerlIO-Layers (driven by Module::Build).

You can use this simple script to verify your ELFs are linked as bind-now:

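#!/usr/bin/perl
use strict;
use warnings;

# Run a command without a shell, so odd file names are passed verbatim.
sub run {
    open(my $fh, '-|', @_) or die "Cannot run $_[0]: $!\n";
    local $/;
    my $out = <$fh>;
    close($fh);
    return $out // '';
}

# Read one file name per line; report each executable ELF file.
while (<>) {
    chomp;
    my $f = $_;
    if (-f $f and -x $f and run('file', '-b', '--', $f) =~ /ELF/) {
        # eu-readelf -d prints the dynamic section; BIND_NOW marks bind-now.
        my $ok = run('eu-readelf', '-d', $f) =~ /BIND_NOW/;
        print $ok ? q{OK} : q{BAD}, qq{\t$f\n};
    }
}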

Feed it with a list of files to check.

Thus no other Perl mass rebuild is needed. I will check all the executables
produced from Perl packages after the next perl weekly scratch rebuild. I also
think you still can use the OPTIMIZE and optimize arguments to Makefile.PL and
Build.PL in your packages. They are not harmful. We can evaluate their removal
in the future.

I'd like to hear any criticism.

-- Petr


--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
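
An added example, not part of the message above or of any Fedora package: the same bind-now check done by reading the ELF dynamic section directly, so it needs neither file(1) nor eu-readelf(1). It assumes ELF32/ELF64 input, takes file names as arguments, and checks the running perl ($^X) when given none; the sub name bind_now is made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# ELF constants (values from the ELF gABI and glibc's elf.h).
use constant { PT_DYNAMIC => 2, DT_NULL => 0, DT_BIND_NOW => 24,
               DT_FLAGS => 30, DT_FLAGS_1 => 0x6ffffffb,
               DF_BIND_NOW => 0x8, DF_1_NOW => 0x1 };

# bind_now (name made up here): 1 = bind-now, 0 = lazy, undef = not a dynamic ELF.
sub bind_now {
    my ($data) = @_;
    return unless length($data) >= 64 and substr($data, 0, 4) eq "\x7fELF";
    my ($class, $order) = unpack('x4 C C', $data);
    my $is64 = $class == 2;                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    my $e    = $order == 2 ? '>' : '<';     # EI_DATA:  1 = little, 2 = big endian
    # e_phoff, e_phentsize and e_phnum locate the program header table.
    my ($phoff, $phentsize, $phnum) = $is64
        ? unpack("x32 Q$e x14 S$e S$e", $data)
        : unpack("x28 L$e x10 S$e S$e", $data);
    return unless $phentsize >= ($is64 ? 56 : 32);
    for my $i (0 .. $phnum - 1) {
        my $pos = $phoff + $i * $phentsize;
        last if $pos + $phentsize > length $data;
        # p_type, p_offset and p_filesz of this program header.
        my ($type, $off, $size) = $is64
            ? unpack("x$pos L$e x4 Q$e x16 Q$e", $data)
            : unpack("x$pos L$e L$e x8 L$e", $data);
        next unless $type == PT_DYNAMIC;
        my ($fmt, $len) = $is64 ? ("q$e Q$e", 16) : ("l$e L$e", 8);
        for (my $p = $off; $p + $len <= $off + $size; $p += $len) {
            last if $p + $len > length $data;
            my ($tag, $val) = unpack($fmt, substr($data, $p, $len));
            last if $tag == DT_NULL;
            # Any of the three markers means the loader binds eagerly.
            return 1 if $tag == DT_BIND_NOW
                or ($tag == DT_FLAGS   and $val & DF_BIND_NOW)
                or ($tag == DT_FLAGS_1 and $val & DF_1_NOW);
        }
        return 0;
    }
    return;    # no PT_DYNAMIC segment: statically linked
}

# Check the files named on the command line, or the running perl ($^X).
for my $f (@ARGV ? @ARGV : $^X) {
    open(my $fh, '<:raw', $f) or do { warn "$f: $!\n"; next };
    my $data = do { local $/; <$fh> } // '';
    my $r = bind_now($data);
    print defined $r ? ($r ? 'OK' : 'BAD') : 'N/A', "\t$f\n";
}
```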