https://bugzilla.redhat.com/show_bug.cgi?id=1294568

--- Comment #4 from Robert Scheck <redhat-bugzilla@xxxxxxxxxxxx> ---
(In reply to Antonio Trande from comment #3)
> Full RELRO and PIE (http://fedoraproject.org/wiki/Packaging:Guidelines#PIE)
> issues are part of packaging guidelines, I don't understand why EPEL
> packagers should choose what they follow or not.
> Also, we are talking of security issues important for EPEL too, or not?

RHEL 6 doesn't support the %_hardened_build macro. Additionally, even the base
operating system dependencies of libmtp do not have full relro - why would it
make sense for a single relatively unimportant library on top? I also looked at
other EPEL packages...this is usually not manually done. So why is this
expected here? I get "security", but the impact is relatively low from my point
of view (libmtp is not used by a network daemon AFAIK).

Check for full relro for libmtp dependencies:

readelf -l /usr/lib*/libusb-0.1.so.4 | grep -c GNU_RELRO
readelf -d /usr/lib*/libusb-0.1.so.4 | grep -c BIND_NOW
readelf -l /lib*/libgcrypt.so.11 | grep -c GNU_RELRO
readelf -d /lib*/libgcrypt.so.11 | grep -c BIND_NOW

If you still insist on full relro for EPEL 6 for libmtp11, let me know and I
will add:

export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
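
The same two-part check as the readelf commands in the comment above, as an added Python example (not part of the original comment or of the libmtp packaging): RELRO counts as full only when a GNU_RELRO segment and a bind-now dynamic entry are both present. The names `relro_status` and `sample_elf64` are chosen here for illustration, and the ELF images are constructed in memory rather than taken from a real library.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_status(elf: bytes) -> str:
    """Classify an in-memory ELF image as 'full', 'partial' or 'none' RELRO."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little endian
    # Per-class layout: word fmt, e_phoff, e_phentsize, p_offset, p_filesz, Elf_Dyn fmt
    w, phoff_at, phsz_at, poff_at, pfsz_at, dyn_fmt = (
        ("Q", 0x20, 0x36, 8, 32, "qQ") if elf[4] == 2 else ("I", 0x1C, 0x2A, 4, 16, "iI"))
    (e_phoff,) = struct.unpack_from(end + w, elf, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, phsz_at)
    relro = bind_now = False
    for ph in range(e_phoff, e_phoff + e_phnum * e_phentsize, e_phentsize):
        (p_type,) = struct.unpack_from(end + "I", elf, ph)
        if p_type == PT_GNU_RELRO:             # the segment `readelf -l` lists
            relro = True
        elif p_type == PT_DYNAMIC:             # the entries `readelf -d` lists
            (off,) = struct.unpack_from(end + w, elf, ph + poff_at)
            (size,) = struct.unpack_from(end + w, elf, ph + pfsz_at)
            step = struct.calcsize(end + dyn_fmt)
            for pos in range(off, off + size - step + 1, step):
                tag, val = struct.unpack_from(end + dyn_fmt, elf, pos)
                if tag == DT_NULL:
                    break
                bind_now |= (tag == DT_BIND_NOW
                             or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    return "full" if relro and bind_now else "partial" if relro else "none"

def sample_elf64(relro: bool, dyn: list) -> bytes:
    """Constructed input: minimal little-endian ELF64 with two program headers."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ehdr = (b"\x7fELF\x02\x01\x01" + bytes(9)
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0))
    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)
    dyn_off = 64 + 2 * 56                      # dynamic section follows the headers
    return (ehdr + phdr(PT_DYNAMIC, dyn_off, len(dyn_bytes))
            + phdr(PT_GNU_RELRO if relro else 4, dyn_off, len(dyn_bytes)) + dyn_bytes)
```

To check a file on disk, pass its contents: `relro_status(open(path, "rb").read())`.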