On 09/16/2015 11:08 AM, Orion Poplawski wrote:
> On 09/16/2015 10:24 AM, Alexander Todorov wrote:
>> From today's Rawhide snapshot my script counted around 4500 offending
>> packages. You can find links to the script and execution log here:
>> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/
>>
>>
>> Please let me know which packages need to genuinely be excluded and what
>> should we do with these packages? Some will probably be fixed once they are
>> rebuilt but that may take a while.
>>
>> Any package maintainers out there - please fix your packages in Rawhide so we
>> don't have to file bugs for all of them.
>
> I think we may have an issue with libtool throwing away the
> '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' option:
>
> /bin/sh ../libtool --tag=CC --mode=link gcc -ansi -pedantic -Wall -W
> -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align
> -Wwrite-strings -Wconversion -Waggregate-return -Wstrict-prototypes
> -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wnested-externs
> -Winline -O -fomit-frame-pointer -finline-functions -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
> -version-info 10:1:0 -Wl,-z,relro
> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o libhdf5.la -rpath /usr/lib64
> H5.lo.... H5Ztrans.lo -lz -ldl -lm
>
> libtool: link: gcc -shared -fPIC -DPIC .libs/H5.o ... .libs/H5Ztrans.o -lz
> -ldl -lm -O -O2 -g -fstack-protector-strong -grecord-gcc-switches -m64
> -mtune=generic -Wl,-z -Wl,relro -Wl,-soname -Wl,libhdf5.so.10 -o
> .libs/libhdf5.so.10.0.1
>

Looks like this has been known for two years:

Bug 985592 libtool + %global _hardened_build 1 = no full hardening -
https://bugzilla.redhat.com/985592

Reported upstream but no response:

http://lists.gnu.org/archive/html/bug-libtool/2013-10/msg00000.html

Work around would be to use -Wc,-specs=...

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                   http://www.nwra.com
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
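
An added example, not part of the original message or of any Fedora tooling: a build-log check that pairs each "libtool --mode=link" request with the "libtool: link:" command that follows it and reports hardening options that did not survive. The watch list, the function names and both sample logs are assumptions; the logs are constructed, the first shortened from the output quoted above and the second showing what the -Wc, workaround is expected to produce.

```python
import shlex

# Assumed watch list: option prefixes whose loss at link time weakens hardening.
WATCHED = ("-specs=", "-fstack-protector", "-fPIE", "-pie", "ld:")

SPECS_CC1 = "-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1"
SPECS_LD = "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
ACTUAL = ("libtool: link: gcc -shared -fPIC -DPIC .libs/H5.o -lz -O2 -g "
          "-fstack-protector-strong -m64 -Wl,-z -Wl,relro -Wl,-soname "
          "-Wl,libhdf5.so.10 -o .libs/libhdf5.so.10.0.1")

# Constructed sample, shortened from the log in the message: both -specs vanish.
SAMPLE_LOG = (
    "/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -g -fstack-protector-strong "
    f"{SPECS_CC1} -m64 -Wl,-z,relro {SPECS_LD} -o libhdf5.la -rpath /usr/lib64 "
    "H5.lo -lz\n" + ACTUAL + "\n")

# Constructed sample of the workaround: -Wc, makes libtool forward the option.
WORKAROUND_LOG = (
    "/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -g -fstack-protector-strong "
    f"-Wc,{SPECS_CC1} -m64 -Wl,-z,relro -Wc,{SPECS_LD} -o libhdf5.la "
    "-rpath /usr/lib64 H5.lo -lz\n" + ACTUAL + f" {SPECS_CC1} {SPECS_LD}\n")


def normalize(argv):
    """Return the set of comparable option tokens in an argument list."""
    tokens = set()
    for arg in argv:
        if arg.startswith("-Wl,"):    # -Wl,-z,relro equals -Wl,-z -Wl,relro
            tokens.update("ld:" + w for w in arg[4:].split(",") if w)
        elif arg.startswith("-Wc,"):  # libtool hands -Wc,FLAG to gcc as FLAG
            tokens.update(w for w in arg[4:].split(",") if w)
        else:
            tokens.add(arg)
    return tokens


def dropped_flags(log_text):
    """For each link step, list watched options requested but not executed."""
    findings, requested = [], None
    for line in log_text.splitlines():
        argv = shlex.split(line)
        if "--mode=link" in argv:
            requested = normalize(argv[argv.index("--mode=link") + 1:])
        elif line.startswith("libtool: link:") and requested is not None:
            actual = normalize(argv[2:])  # skip the "libtool: link:" prefix
            findings.append(sorted(t for t in requested - actual
                                   if t.startswith(WATCHED)))
            requested = None
    return findings
```

Each inner list in the result corresponds to one link step; an empty list means every watched option reached the real gcc command.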