_hardened_build not affecting libtool-compiled libraries

Here's the problem (found by Björn Esser):

  https://bugzilla.redhat.com/show_bug.cgi?id=977446#c10

and then later on:

  https://bugzilla.redhat.com/show_bug.cgi?id=977446#c14

So it seems as if _hardened_build for some reason doesn't work for
libtool-compiled libraries.  It does look as if the correct CFLAGS and
LDFLAGS are getting to the build.  See for example:

  http://koji.fedoraproject.org/koji/buildinfo?buildID=429062
  http://kojipkgs.fedoraproject.org//packages/nbdkit/1.0.0/4.fc20/data/logs/x86_64/build.log

but the plugins from that build are not hardened fully:

  $ hardening-check ./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
  ./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
   Position Independent Executable: no, regular shared library (ignored)
   Stack protected: no, not found!
   Fortify Source functions: no, only unprotected functions found!
   Read-only relocations: yes
   Immediate binding: yes

Also we had to add an LDFLAGS hack into the %build section to even get
this far.

Any ideas?  Is this a bug or how it should be?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
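
Added example, not part of the original message: a small Python gate that parses hardening-check reports like the one quoted above and lists the checks that failed, without counting "(ignored)" results as failures. The function names and the handling of verdicts other than yes/no are assumptions of this example.

```python
import re

# Constructed sample: the hardening-check report quoted in the message above.
SAMPLE_REPORT = """\
./usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
"""

# One indented "<check name>: <verdict>[, detail]" line of a report.
CHECK_LINE = re.compile(r"^\s+(?P<name>[^:]+):\s+(?P<verdict>\w+)(?P<detail>.*)$")


def parse_report(text):
    """Return {file: {check: status}}; status is pass, fail, ignored or unknown."""
    results, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # An unindented line ending in ":" starts the report for a new file.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = results.setdefault(line.rstrip()[:-1], {})
            continue
        match = CHECK_LINE.match(line)
        if match is None or current is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        verdict, detail = match["verdict"], match["detail"]
        if verdict == "yes":
            status = "pass"
        elif verdict == "no":
            # Checks that do not apply (PIE on a shared library) are marked
            # "(ignored)" in the report; do not count those as failures.
            status = "ignored" if "(ignored)" in detail else "fail"
        else:
            status = "unknown"  # assumption: any other verdict needs a human look
        current[match["name"].strip()] = status
    return results


def failures(results):
    """List (file, check) pairs whose status is fail, in report order."""
    return [(f, c) for f, checks in results.items()
            for c, s in checks.items() if s == "fail"]


if __name__ == "__main__":
    for path, check in failures(parse_report(SAMPLE_REPORT)):
        print(f"{path}: {check}")
```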