On Wed, Mar 18, 2015 at 7:21 AM, Moez Roy <moez.roy@xxxxxxxxx> wrote:
> On Wed, Mar 18, 2015 at 6:54 AM, Nikos Mavrogiannopoulos
> <nmav@xxxxxxxxxx> wrote:
>> On Mon, 2015-03-16 at 10:57 +0100, Nikos Mavrogiannopoulos wrote:
>>
>>> > On 16.03.2015 at 09:47, Nikos Mavrogiannopoulos wrote:
>>> > > What was the rationale of adding -z now to the hardening flags? Looking
>>> > > at its description doesn't reveal any "hardening" features, and the gnutls
>>> > > guile module failure to build seems to be directly related to that flag:
>>> > > https://bugzilla.redhat.com/show_bug.cgi?id=1196556
>>> >
>>> > FULL RELRO
>>> > http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html
>>> If that's all we got I suggest to remove this flag or (better) provide a
>>> way for applications that use modules to compile themselves, without
>>> removing the whole set of hardening flags.
>>
>> Any advice from the change owners? How should applications that use
>> modules with undefined systems handle that? Should they add
>> %undefine _hardened_build by default?
>>
>
> I was doing some research last night but not tested it yet:
>
> "nonow"
>
> 1) add -nonow to the CFLAGS
> 2) or add -z nonow to the LDFLAGS
>
> doing the koji builds now to test and see if it works.
>
> Also need to test if there is a -lazy option.
>

Why are you using -Wl,--no-add-needed in the LD flags? I am able to get much further ahead in the build process when I remove this.

I was not successful with -Wl,-z -Wl,nonow

Kept getting "/usr/bin/ld: warning: -z nonow ignored."

Maybe there is no option as -z nonow. Or maybe -z now takes precedence based on the RPM flags.

Adding '%global _hardened_build 1' to the spec file and setting the target to F21 caused it to fail:
https://koji.fedoraproject.org/koji/taskinfo?taskID=9264983

If I used the F20 source and set target for F23 it succeeded with the default hardening flags:
https://koji.fedoraproject.org/koji/taskinfo?taskID=9265633

From the changelog I see F20 does not have guile bindings.

* Mon Jan 05 2015 Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx> 3.3.11-2
- enabled guile bindings (#1177847)

So maybe you should consider reverting the above change, and sticking with the default hardening flags?

Regards,
Moez