----- Original Message -----
> From: "Alexander Bokovoy" <abokovoy@xxxxxxxxxx>
> To: "Development discussions related to Fedora" <devel@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Friday, March 26, 2021 10:06:28 PM
> Subject: Re: Proposal to fail builds if RPATH is found in Fedora 35
>
> On Fri, 26 Mar 2021, Charalampos Stratakis wrote:
> >Hi all.
> >
> >Some time ago there was a discussion from the Fedora Packaging
> >Committee [0] about automatically disallowing the usage of RPATH in
> >Fedora to bring it in-line with the packaging guidelines[1].
> >Essentially a package MUST remove the RPATH entry from its binaries
> >and/or .so files if it is detected by the check-rpaths script [2]
> >coming from the rpm-build package.
> >
> >However, the script was never run during rpmbuild so it was on the
> >discretion of the packager if they'd check for it or not. The intention
> >is to enable the check through redhat-rpm-config during the
> >invocation of %__os_install_post. An opt-out mechanism will be
> >provided for cases where it's absolutely necessary.
> >
> >After an analysis of all the x86_64 packages, 92 fail to build due to
> >an RPATH issue detected by the check-rpaths script [3]. Full list is
> >provided below.
> >
> >Everything will be implemented through a Fedora change and all the
> >packagers whose packages have been affected by the preliminary
> >analysis will be contacted first.
>
> The logic for banning RPATH in the packaging guidelines operates with terms like
> "usually smarter than" and "usually do not permit" but has very little
> to describe why this should be done.

Indeed, and the guidelines will need to be updated to clarify that (and a motivation section at the change proposal). Security is the main thing, as directories arbitrarily set by various upstreams won't be included in the search path; a minor speed bump could be noticed as well for the same reason.

The main idea though is to make the rpath usage opt-in and have packagers clarify why rpath should be used for their packages. I believe using an opt-in (yet to be defined) macro in the SPEC with a comment explaining should be enough justification.

>
> It also lacks clarity for the most common valid use of Rpath, namely,
> plugin support for an application.
>
> For example, Samba has a number of internal libraries in
> /usr/lib64/samba which have to be linked to by any plugin built for
> Samba, even when it is provided by a different package. This situation
> is not described in the packaging guidelines and practically ignored.

Thanks for this example, I'll investigate that specific use case.

> "Alternatives to Rpath" in this case do not exist because adding custom
> configuration file into a system-wide dynamic linker configuration is
> the last thing you should do for this use case at all.
>
> It is interesting that the behavior of check-rpaths script also isn't
> really outlawing any plugin's Rpath use either so you don't see Samba or
> similar plugin-based applications in the list of affected packages.
>
> To me it looks like the packaging guidelines are incomplete and
> misleading and better be clarified with regards to Rpath use.
>
> >
> >Thoughts and feedback are welcome.
> >
> >[0] https://pagure.io/packaging-committee/issue/886
> >[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_beware_of_rpath
> >[2] https://github.com/rpm-software-management/rpm/blob/6b21e736a3e47071b33ff7c34e5cfb5447997e18/scripts/check-rpaths-worker
> >[3] https://copr.fedorainfracloud.org/coprs/cstratak/rpath/builds/
> >
> >List of packages affected so far:
> >
> >Maintainers by package:
> >Io-language limb
> >NLopt besser82
> >SDL_image jwrdegoede limb moezroy
> >WindowMaker sham1
> >abc brouhaha jjames somlo
> >audiofile ajax alexl caillon caolanm limb rhughes rstrode ssp
> >binutils aoliva jakub jankratochvil law mcermak nickc
> >cfitsio orion sergiopr
> >community-mysql hhorak ljavorsk mmuzila mschorm
> >compat-guile18 jskarvad limb mlichvar tkorbar
> >condor bbockelm bcotton eerlands matt matyas stevetraylen tstclair ttheisen valtri
> >conky-manager moceap
> >czmq denisarnaud jpo
> >eb moceap petersen
> >esc jmagne
> >ettercap limb
> >fcl rmattes thofmann
> >fortune-mod sheltren shlomif
> >freeradius cipherboy nkondras rharwood
> >glib2 alexl caillon caolanm mbarnes mclasen rhughes rstrode rtcm ssp
> >gnokii limb robert snirkel
> >gpgme fkluknav ignatenkobrain isimluk rdieter
> >gpick luya
> >gupnp-dlna kalev zeenix
> >hdf orion sagitter
> >jq hguemar lon
> >k3guitune dtimms
> >kdebase3 jreznik kkofler rdieter than
> >kdegames3 kkofler rdieter than
> >kdepim3 jreznik ovasik rdieter than
> >kicad avigne coremodule lkundrak stevenfalco tnorth
> >koffice-kivio kkofler rdieter
> >komparator nbecker
> >laszip devrim neteler smani
> >levmar aalvarez brouhaha
> >libXcm cicku kwizart
> >libburn cwickert fkluknav hhorak pcahyna robert
> >libcommuni atim
> >libdkimpp dfateyev
> >libdxfrw hobbes1069 spot
> >libeXosip2 nucleo
> >libisoburn fkluknav hhorak robert
> >libkkc ueno
> >libminc ignatenkobrain
> >liboping fab lkundrak
> >libosip2 nucleo
> >libprelude fab totol
> >librfid kushal
> >lutok jmmv
> >mcpp kmatsui mef
> >mingw-qt5-qt3d epienbro smani
> >mingw-qt5-qtbase epienbro smani
> >mingw-qt5-qtdeclarative epienbro smani
> >mingw-qt5-qttools epienbro smani
> >mod_wsgi jdornak jkaluza jorton lmacken mrunge
> >mongo-c-driver remi
> >ncview deji orion
> >nightview lkundrak
> >openjade ovasik
> >openscap evgenyz isimluk jcerny matyc mmarhefk pvrabec vpolasek wsato
> >pam_mount lupinix steve till
> >pam_yubico nb ohaessler wzzrd
> >perl-SDL jwrdegoede
> >pinentry branto jjelen rdieter
> >plotmm orphan
> >python2.7 churchyard cstratak torsava vstinner
> >qucs avigne jskarvad
> >qwtpolar volter
> >rarian nonamedotc
> >rb_libtorrent fale mooninite
> >rrdtool jskarvad
> >scap-workbench evgenyz jcerny matyc mbarabas mlysonek mmarhefk pvrabec wsato
> >scipy cstratak jspaleta nforro orion tomspur ttomecek
> >sofia-sip orphan
> >sqlite2 spot
> >stp amdunn jjames
> >suitesparse deji jkastner mjakubicek nphilipp orion
> >sylfilter aarem
> >texlive-base spot
> >tracker amigadave deji garnacho ignatenkobrain mcrha rishi
> >tracker-miners garnacho kalev rishi
> >usnic-tools honli
> >vanessa_logger hubbitus
> >verbiste cicku icon tartare
> >woff2 erack tpopela
> >xbsql spot
> >xdotool ohaessler orion slankes
> >xeus qulogic
> >xmms spot
> >yaz cicku guidograzioli
> >zinnia liangsuilong pwu
> >zvbi buc jwrdegoede mchehab
> >
> >Packages by maintainer:
> >aalvarez levmar
> >aarem sylfilter
> >ajax audiofile
> >alexl audiofile glib2
> >amdunn stp
> >amigadave tracker
> >aoliva binutils
> >atim libcommuni
> >avigne kicad qucs
> >bbockelm condor
> >bcotton condor
> >besser82 NLopt
> >branto pinentry
> >brouhaha abc levmar
> >buc zvbi
> >caillon audiofile glib2
> >caolanm audiofile glib2
> >churchyard python2.7
> >cicku libXcm verbiste yaz
> >cipherboy freeradius
> >coremodule kicad
> >cstratak python2.7 scipy
> >cwickert libburn
> >deji ncview suitesparse tracker
> >denisarnaud czmq
> >devrim laszip
> >dfateyev libdkimpp
> >dtimms k3guitune
> >eerlands condor
> >epienbro mingw-qt5-qt3d mingw-qt5-qtbase mingw-qt5-qtdeclarative mingw-qt5-qttools
> >erack woff2
> >evgenyz openscap scap-workbench
> >fab liboping libprelude
> >fale rb_libtorrent
> >fkluknav gpgme libburn libisoburn
> >garnacho tracker tracker-miners
> >guidograzioli yaz
> >hguemar jq
> >hhorak community-mysql libburn libisoburn
> >hobbes1069 libdxfrw
> >honli usnic-tools
> >hubbitus vanessa_logger
> >icon verbiste
> >ignatenkobrain gpgme libminc tracker
> >isimluk gpgme openscap
> >jakub binutils
> >jankratochvil binutils
> >jcerny openscap scap-workbench
> >jdornak mod_wsgi
> >jjames abc stp
> >jjelen pinentry
> >jkaluza mod_wsgi
> >jkastner suitesparse
> >jmagne esc
> >jmmv lutok
> >jorton mod_wsgi
> >jpo czmq
> >jreznik kdebase3 kdepim3
> >jskarvad compat-guile18 qucs rrdtool
> >jspaleta scipy
> >jwrdegoede SDL_image perl-SDL zvbi
> >kalev gupnp-dlna tracker-miners
> >kkofler kdebase3 kdegames3 koffice-kivio
> >kmatsui mcpp
> >kushal librfid
> >kwizart libXcm
> >law binutils
> >liangsuilong zinnia
> >limb Io-language SDL_image audiofile compat-guile18 ettercap gnokii
> >ljavorsk community-mysql
> >lkundrak kicad liboping nightview
> >lmacken mod_wsgi
> >lon jq
> >lupinix pam_mount
> >luya gpick
> >matt condor
> >matyas condor
> >matyc openscap scap-workbench
> >mbarabas scap-workbench
> >mbarnes glib2
> >mcermak binutils
> >mchehab zvbi
> >mclasen glib2
> >mcrha tracker
> >mef mcpp
> >mjakubicek suitesparse
> >mlichvar compat-guile18
> >mlysonek scap-workbench
> >mmarhefk openscap scap-workbench
> >mmuzila community-mysql
> >moceap conky-manager eb
> >moezroy SDL_image
> >mooninite rb_libtorrent
> >mrunge mod_wsgi
> >mschorm community-mysql
> >nb pam_yubico
> >nbecker komparator
> >neteler laszip
> >nforro scipy
> >nickc binutils
> >nkondras freeradius
> >nonamedotc rarian
> >nphilipp suitesparse
> >nucleo libeXosip2 libosip2
> >ohaessler pam_yubico xdotool
> >orion cfitsio hdf ncview scipy suitesparse xdotool
> >orphan plotmm sofia-sip
> >ovasik kdepim3 openjade
> >pcahyna libburn
> >petersen eb
> >pvrabec openscap scap-workbench
> >pwu zinnia
> >qulogic xeus
> >rdieter gpgme kdebase3 kdegames3 kdepim3 koffice-kivio pinentry
> >remi mongo-c-driver
> >rharwood freeradius
> >rhughes audiofile glib2
> >rishi tracker tracker-miners
> >rmattes fcl
> >robert gnokii libburn libisoburn
> >rstrode audiofile glib2
> >rtcm glib2
> >sagitter hdf
> >sergiopr cfitsio
> >sham1 WindowMaker
> >sheltren fortune-mod
> >shlomif fortune-mod
> >slankes xdotool
> >smani laszip mingw-qt5-qt3d mingw-qt5-qtbase mingw-qt5-qtdeclarative mingw-qt5-qttools
> >snirkel gnokii
> >somlo abc
> >spot libdxfrw sqlite2 texlive-base xbsql xmms
> >ssp audiofile glib2
> >steve pam_mount
> >stevenfalco kicad
> >stevetraylen condor
> >tartare verbiste
> >than kdebase3 kdegames3 kdepim3
> >thofmann fcl
> >till pam_mount
> >tkorbar compat-guile18
> >tnorth kicad
> >tomspur scipy
> >torsava python2.7
> >totol libprelude
> >tpopela woff2
> >tstclair condor
> >ttheisen condor
> >ttomecek scipy
> >ueno libkkc
> >valtri condor
> >volter qwtpolar
> >vpolasek openscap
> >vstinner python2.7
> >wsato openscap scap-workbench
> >wzzrd pam_yubico
> >zeenix gupnp-dlna
> >
> >
> >--
> >Regards,
> >
> >Charalampos Stratakis
> >Software Engineer
> >Python Maintenance Team, Red Hat
> >_______________________________________________
> >devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> >To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> >Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> >
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>

--
Regards,

Charalampos Stratakis
Software Engineer
Python Maintenance Team, Red Hat
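
To make the search-path concern raised in this thread concrete, here is an added example (not part of the thread, and not the logic of the check-rpaths script) that parses `readelf -d` output and sorts every RPATH/RUNPATH component into a category. The category names, the list of untrusted prefixes and the sample output are assumptions of this example.

```python
import posixpath
import re

# Directories the dynamic linker searches anyway (assumed x86_64 Fedora layout).
DEFAULT_DIRS = {"/lib", "/lib64", "/usr/lib", "/usr/lib64"}
# Prefixes this example treats as untrusted (hypothetical policy, not check-rpaths').
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp", "/home", "/builddir")
RISKY = {"empty", "relative", "dotdot", "untrusted-prefix"}

# Matches the RPATH/RUNPATH rows printed by `readelf -d`.
DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Constructed sample of `readelf -d` output, not taken from a real package.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib64/samba]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib::/builddir/build/BUILD/foo/.libs:/usr/lib64]
"""

def classify(entry):
    """Return this example's category for one search-path component."""
    if entry == "":
        return "empty"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin-relative"
    if not entry.startswith("/"):
        return "relative"
    if ".." in entry.split("/"):
        return "dotdot"
    norm = posixpath.normpath(entry)
    if any(norm == p or norm.startswith(p + "/") for p in UNTRUSTED_PREFIXES):
        return "untrusted-prefix"
    return "default-dir" if norm in DEFAULT_DIRS else "private-dir"

def audit(readelf_output):
    """List (tag, component, category) for every RPATH/RUNPATH component."""
    findings = []
    for line in readelf_output.splitlines():
        m = DYN_RE.search(line)
        if m:
            tag, value = m.groups()
            findings += [(tag, e, classify(e)) for e in value.split(":")]
    return findings

def risky(findings):
    """Components that fall into one of the RISKY categories."""
    return [f for f in findings if f[2] in RISKY]

if __name__ == "__main__":
    for tag, entry, category in audit(SAMPLE):
        print(f"{tag:8} {entry or '(empty)':40} {category}")
```

A private directory such as /usr/lib64/samba lands in its own category rather than among the risky ones, which is the plugin case discussed above that an opt-in with a justification comment would cover.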