On Fri, 2020-06-05 at 22:22 +0200, Igor Raits wrote: > On Fri, 2020-06-05 at 14:16 -0600, Jeff Law wrote: > > On Fri, 2020-06-05 at 22:07 +0200, Igor Raits wrote: > > > Just curious, how is it done in RHEL? Just some kind of CI that > > > analyses all builds or? > > So we have a step that sits between the build phase and when the > > resultant > > packages land in the distro which runs annocheck to validate options > > used, CET > > coverage across the binary, PIE, etc etc. If that annocheck run > > fails, then the > > packages are not allowed into the distribution, buildroots, etc. > > > > We flipped it on a couple years ago in the run up to RHEL 8 and it > > proved to be > > quite valuable. > > Seems like a thing we should do in Fedora CI for each update! Possibly. It requires some work on by the packagers to understand the new requirements and how to interpret the annocheck results. Nick & Florian spent countless hours working with RHEL developers to understand and fix packaging issues. But it's awful nice once it's in and everyone's updated their packages. jeff _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
