On Thu, Jul 2, 2015 at 7:49 AM, Adam Jackson <ajax@xxxxxxxxxx> wrote:
>
> ....Since the change was
> done by changing the rpm build macros, I think we can conclude that the
> build macros aren't being applied. Granted, packages can disable the
> hardened build macros, but the packages I've called out above aren't
> trying to disable them, or at least not doing so with %undefine.
>
>...
> - ajax

The problem is that some packages just look at the CFLAGS & CXXFLAGS. They ignore the LDFLAGS. The rpm build macros say to link with -pie and to add -z now in the LDFLAGS. If you were to move those to the CFLAGS section, the remaining packages should get hardened.

As an example, this was the situation for Firefox:
http://pkgs.fedoraproject.org/cgit/firefox.git/commit/?id=ded1820a4f7f445b440a40a0e584bf3038307066

-----------------------------------

Then we come to the part where it says if it is not shared only then add -pie. Is that really required? You can link shared libraries with -pie:
http://sourceware.org/ml/binutils/2009-10/msg00088.html

So in another scenario, for example, the LDFLAGS of the tracker.spec had -fPIC so it did not get linked with -pie even though it is an executable that runs at startup.

The point I am trying to get at is that if you do decide to move -pie to the CFLAGS section, please consider removing the !shared requirement. And if you do decide to move -Wl,-z,now to the CFLAGS, please consider adding a rule if it is not -Wl,-z,lazy. Probably something like this:

%{!-Wl,-z,lazy:-Wl,-z,now}

- Moez
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
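Added example, not part of this thread or of the Fedora build macros: a small checker that reads a built ELF binary and reports whether -pie (e_type ET_DYN) and -z now (DF_BIND_NOW / DF_1_NOW in the dynamic section) actually reached the link step, which is how a packager can confirm the macros were applied rather than trusting the spec. The sample ELF image it parses is constructed inline as a fixture; `hardening_flags` and `build_sample_elf` are names chosen here.

```python
import struct

# ELF constants from elf.h.
ET_DYN, PT_DYNAMIC = 3, 2
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def hardening_flags(elf):
    """Return (pie, bind_now) for a 64-bit little-endian ELF image (bytes).

    pie: e_type is ET_DYN, which -pie produces (a .so is ET_DYN too).
    bind_now: DF_BIND_NOW or DF_1_NOW set, i.e. linked with -z now.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    flags = flags1 = 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic section's (d_tag, d_val) pairs up to DT_NULL.
        for pos in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags1 = val
    return e_type == ET_DYN, bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)


def build_sample_elf(e_type, dyn_entries):
    """Constructed fixture: a minimal ELF64 image with one PT_DYNAMIC segment."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    import sys  # usage: python3 check_hardening.py /path/to/binary ...
    for path in sys.argv[1:]:
        print(path, "pie=%s bind_now=%s" % hardening_flags(open(path, "rb").read()))
```

Run it over the files unpacked from a built rpm; an executable that reports pie=False or bind_now=False is one whose spec dropped the LDFLAGS, like the cases described above.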