Harden_all_packages_with_position-independent_code + guile modules

Moez Roy moez.roy at gmail.com
Wed Mar 18 14:21:18 UTC 2015


On Wed, Mar 18, 2015 at 6:54 AM, Nikos Mavrogiannopoulos
<nmav at redhat.com> wrote:
> On Mon, 2015-03-16 at 10:57 +0100, Nikos Mavrogiannopoulos wrote:
>
>> > On 16.03.2015 at 09:47, Nikos Mavrogiannopoulos wrote:
>> > > What was the rationale of adding -z now to the hardening flags? Looking
>> > > at its description doesn't reveal any "hardening" features, and the gnutls
>> > > guile module failure to build seems to be directly related to that flag:
>> > > https://bugzilla.redhat.com/show_bug.cgi?id=1196556
>> >
>> > FULL RELRO
>> > http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html
>> If that's all we got I suggest to remove this flag or (better) provide a
>> way for applications that use modules to compile themselves, without
>> removing the whole set of hardening flags.
>
> Any advice from the change owners? How should applications that use
> modules with undefined systems handle that? Should they add %
> undefine _hardened_build by default?
>

I was doing some research last night but have not tested it yet:

"nonow"

1) add -nonow to the CFLAGS
2) or add -z nonow to the LDFLAGS

Doing the koji builds now to test and see if it works.

Also need to test if there is a -lazy option.

-Moez
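
Added example, not part of the original message or of the Fedora tooling: full RELRO is the combination of a GNU_RELRO segment and immediate binding (-z now), so a module linked with lazy binding drops to partial RELRO. The sketch below classifies a binary from the text of `readelf -lW` and `readelf -dW`; the function names and the sample lines are constructed for illustration.

```python
import re

# Constructed samples of `readelf -lW` / `readelf -dW` output (not from a real build).
PHDR_RELRO = """\
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_RELRO      0x002de8 0x0000000000003de8 0x0000000000003de8 0x000218 0x000218 R   0x1
"""
PHDR_PLAIN = """\
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
"""
DYN_NOW = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
"""
DYN_LAZY = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000003 (PLTGOT)             0x4000
"""

DYN_LINE = re.compile(r"\s*0x[0-9a-fA-F]+\s+\((\w+)\)\s*(.*)")

def binds_now(dynamic_section: str) -> bool:
    """True if any dynamic entry requests immediate symbol binding."""
    for line in dynamic_section.splitlines():
        m = DYN_LINE.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "BIND_NOW":                      # legacy DT_BIND_NOW entry
            return True
        if tag == "FLAGS" and "BIND_NOW" in value.split():
            return True
        if tag == "FLAGS_1" and "NOW" in value.replace("Flags:", "").split():
            return True
    return False

def relro_level(program_headers: str, dynamic_section: str) -> str:
    """Return 'none', 'partial' or 'full' for the given readelf text."""
    has_relro = any(l.split()[:1] == ["GNU_RELRO"] for l in program_headers.splitlines())
    if not has_relro:
        return "none"
    return "full" if binds_now(dynamic_section) else "partial"

if __name__ == "__main__":
    print("hardened build:", relro_level(PHDR_RELRO, DYN_NOW))
    print("lazy-bound module:", relro_level(PHDR_RELRO, DYN_LAZY))
```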

