https://bugzilla.redhat.com/show_bug.cgi?id=972477

--- Comment #9 from Björn Esser <bjoern.esser@xxxxxxxxx> ---
(In reply to Björn Esser from comment #8)
> [!]: %build honors applicable compiler flags or justifies otherwise.
>
> ---> {C,LD}FLAGS possibly ignored by Makefile; GOT is still writeable
>      caused by "partial RELRO", complete RELRO needs
>      `-Wl,-z,relro,-z,now`
>      doesn't build PIE, although %global _hardened_build 1 is in spec
>
>      `hardening-check --verbose fido`
>      fido:
>       Position Independent Executable: no, normal executable!
>       ...
>       Immediate binding: no, not found!
>
>      see attached build.log

Upstream's way to build the binary is the key to this: Makefile compiles a STATIC-lib and links this into the sbin-exec, which makes real, useful hardening impossible. Static libs can't be built as PIE and linked with -z,now, afaik.

You should work out a way, with upstream, avoiding this static-lib during build; either it should build a shlib and link this or just build the sbin-exec from all single objects.
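
The three properties reported in the quoted check (PIE, RELRO level, immediate binding) can be read straight from the ELF program headers and dynamic section. The sketch below is an added example, not code from hardening-check or from the package under review; it assumes ELF64 little-endian input, treats `ET_DYN` plus `PT_INTERP` or `DF_1_PIE` as PIE, and the names `check_hardening` and `build_sample` are hypothetical.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def check_hardening(data):
    """PIE / RELRO / immediate-binding status of an ELF64 little-endian image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    seen, now, pie_flag = set(), False, False
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        seen.add(p_type)
        if p_type != PT_DYNAMIC:
            continue
        # Walk the Elf64_Dyn (tag, value) pairs until DT_NULL.
        for off in range(p_off, p_off + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == 0:
                break
            now |= tag == DT_BIND_NOW
            now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
            now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
            pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    relro = PT_GNU_RELRO in seen
    return {
        "pie": e_type == ET_DYN and (PT_INTERP in seen or pie_flag),
        "relro": "full" if relro and now else "partial" if relro else "none",
        "bind_now": now,
    }

def build_sample(e_type, dyn_entries):
    """Constructed image for demonstration; all three headers cover the dynamic bytes."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(0, 0)])
    dyn_off = 64 + 3 * 56  # ELF header followed by three program headers
    hdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01", e_type, 62, 1,
                      0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    ph = lambda t: struct.pack("<IIQQQQQQ", t, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return hdr + ph(PT_INTERP) + ph(PT_GNU_RELRO) + ph(PT_DYNAMIC) + dyn

if __name__ == "__main__":
    print(check_hardening(build_sample(ET_EXEC, [])))  # same shape as the reported result
    print(check_hardening(build_sample(ET_DYN, [(DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])))
```

To inspect a real build artifact, pass the file's bytes, for example `check_hardening(open(path, "rb").read())`.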