https://bugzilla.redhat.com/show_bug.cgi?id=972477

--- Comment #11 from Roman Mohr <roman@xxxxxxxxxxxx> ---
(In reply to Björn Esser from comment #9)
> (In reply to Björn Esser from comment #8)
> > [!]: %build honors applicable compiler flags or justifies otherwise.
> >
> >      ---> {C,LD}FLAGS possibly ignored by Makefile; GOT is still writeable
> >           caused by "partial RELRO", complete RELRO needs
> >           `-Wl,-z,relro,-z,now`
> >           doesn't build PIE, although %global _hardened_build 1 is in spec
> >
> >           `hardening-check --verbose fido`
> >           fido:
> >            Position Independent Executable: no, normal executable!
> >            ...
> >            Immediate binding: no, not found!
> >
> >           see attached build.log
>
> Upstream's way to build the binary is the key to this: Makefile compiles a
> STATIC-lib and links this into the sbin-exec, which makes real, useful
> hardening impossible. Static libs can't be built as PIE and linked with
> -z,now, afaik.
>
> You should work out a way, with upstream, avoiding this static-lib during
> build; either it should build a shlib and link this or just building the
> sbin-exec from all single objects.

I just discovered a few minutes ago that siege (also from the same author), which is already in Fedora, also includes lib/joedog.

(In reply to Terje Røsten from comment #10)
> Some of the functions on lib/ are simple/unneeded(?), building a static lib
> for these seems like overkill.

Yes, most of these functions are just convenience wrappers of the author, but I think I have no choice, as the library is also in another package and I already found critical bugs in there.

(In reply to Björn Esser from comment #8)
> [?]: Package complies to the Packaging Guidelines
>
>      ---> needs check for bundled libs, esp. files with license differing
>           from upstream

The library is in all of the GPLv2 projects of the author. I have checked them; they all have the same license in the header.

So I think the cleanest solution is that I contact the author and the maintainer of siege and we will create a separate package for the library. What do you think?
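
The three properties named in the quoted `hardening-check` report (PIE, RELRO level, immediate binding) can be read from the ELF headers directly. The following is an added example, not part of the original thread and not hardening-check's own code; it assumes the text output of `readelf -W -h -l -d <binary>`, the two sample outputs are constructed, and treating "ET_DYN plus an INTERP segment" as PIE is a heuristic.

```python
import re

def classify(readelf_text: str) -> dict:
    """Classify PIE / RELRO / BIND_NOW from `readelf -W -h -l -d` text output."""
    etype = re.search(r"^\s*Type:\s+(\w+)", readelf_text, re.M)
    has_interp = bool(re.search(r"^\s*INTERP\b", readelf_text, re.M))
    # Heuristic (assumption): ET_DYN with an interpreter is a PIE; ET_DYN
    # without one is an ordinary shared library.
    pie = bool(etype) and etype.group(1) == "DYN" and has_interp
    # PT_GNU_RELRO marks the region the loader remaps read-only after relocation.
    has_relro = bool(re.search(r"^\s*GNU_RELRO\b", readelf_text, re.M))
    # Immediate binding: DT_BIND_NOW, DF_BIND_NOW in FLAGS, or DF_1_NOW in FLAGS_1.
    bind_now = bool(re.search(
        r"\(BIND_NOW\)|\(FLAGS\).*\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b", readelf_text))
    # Without immediate binding the lazily bound part of the GOT stays writable
    # ("partial RELRO"); with it the whole GOT can be made read-only ("full").
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": pie, "relro": relro, "bind_now": bind_now}

# Constructed sample: non-PIE executable with partial RELRO, as in the report.
PARTIAL = """ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  INTERP         0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10 0x0001f0 0x0001f0 R   0x1
Dynamic section at offset 0xe28 contains 24 entries:
  0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""

# Constructed sample: linked with -pie -Wl,-z,relro,-z,now.
HARDENED = """ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x000d98 0x0000000000200d98 0x0000000000200d98 0x000268 0x000268 R   0x1
Dynamic section at offset 0xdb0 contains 26 entries:
  0x000000000000001e (FLAGS)              BIND_NOW
  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
"""

if __name__ == "__main__":
    for name, text in (("partial", PARTIAL), ("hardened", HARDENED)):
        print(name, classify(text))
```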