A scratch build won't find bind now errors, as they are discovered at run time when the dlopen occurs.
I have been using:
%define _hardened_ldflags "-Wl,-z,lazy"
to allow the compile-time hardening, stack protection, etc. to remain but filter out the -z now linker flag.
I assume this won't work anymore.
On Saturday, February 24, 2018 1:03 PM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
On 02/24/2018 06:32 PM, Jerry James wrote:
> On Sat, Feb 24, 2018 at 10:24 AM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>> We currently inject “-z now” hidden behind a -specs= option for the gcc
>> compiler driver. libtool drops this -specs= option from the linker command
>> line, but it preserves -Wl,-z,relro, so I'm trying whether listing
>> -Wl,-z,now directly improves the linker flag injection here.
>>
>> I'm doing this in two stages and will remove -z now from the GCC specs file
>> only after I have rebuilt a couple of extension builders (python2, python3,
>> ruby), so that we do not lose -z now due to the non-synchronized switchover
>> between the hard-coded command line (in the extension builder) and the GCC
>> specs file contents (from redhat-rpm-config).
>>
>> This will happen both in rawhide and Fedora 28.
>
> Are you also implementing a way to disable it, as Philip Kovacs asked
> for yesterday?

It's still for hardened builds only. Sorry, I should have mentioned
that. It's next to -specs=…/redhat-hardened-ld, not next to -Wl,-z,relro.

> I also maintain some packages that use plugins, and
> are broken by -z now. If you would like to look at any of them to see
> what might be done, these are the packages that currently use
> %undefine _hardened_build to work around the issue:

That should just work as before. Feel free to do a (scratch) build in
rawhide to verify.

Thanks,
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx