[Fedora-packaging] RFC mass bug reporting: checksec failures

Jerry James loganjerry at gmail.com
Thu Sep 17 03:28:14 UTC 2015


On Wed, Sep 16, 2015 at 10:24 AM, Alexander Todorov <atodorov at redhat.com> wrote:
> Please let me know which packages need to genuinely be excluded and what
> should we do with these packages? Some will probably be fixed once they are
> rebuilt but that may take a while.

Some language environments provide their own memory managers that
don't take kindly to address randomization, such as:
- gcl
- polyml
- xemacs

Programs that use a plugin architecture have a distressing tendency to
be broken by full RELRO.  I maintain several packages like that:
- bigloo
- clisp
- libpuma
- polybori
- polymake

Richard already talked about ocaml programs.  I've got a few of those:
- coq
- frama-c
- gappalib-coq
- ocaml-menhir
- ocaml-ocamlgraph
- ocaml-tplib
- ocaml-zarith
- why
- why3
- z3
- zenon

We do some fancy aliasing inside cddlib to allow mixing the
gmp-compiled version and the non-gmp-compiled version, since polymake
wants to link against both.  That aliasing did not interact well with
-z now when trying to build gfan, so I turned -z now off for gfan
until I can understand the problem better, or find a better way of
giving polymake what it wants.

I am baffled as to why some of my packages show up on this list, as
they use %configure or invoke gcc with both $RPM_OPT_FLAGS and
$RPM_LD_FLAGS.  For example, memtailor, which I just built yesterday,
shows as lacking a canary, but it uses the %configure macro.  What is
going on there?

Regards,
-- 
Jerry James
http://www.jamezone.org/
