[Fedora-packaging] RFC mass bug reporting: checksec failures

Ben Boeckel mathstuf at gmail.com
Thu Sep 17 05:33:56 UTC 2015


On Wed, 16 Sep, 2015 at 16:24:02 GMT, Alexander Todorov wrote:
> Please let me know which packages need to genuinely be excluded and what should 
> we do with these packages? Some will probably be fixed once they are rebuilt 
> but that may take a while.
>
> Any package maintainers out there - please fix your packages in Rawhide so we 
> don't have to file bugs for all of them.

I see lots (probably all) of ghc-* packages, so filing one against
ghc-rpm-macros or ghc itself would probably be the most expedient there.
If it is just a missed flag or something, it can be rolled up with the
7.10.0 rebuild which I believe is planned for Rawhide.

Of course, if ghc doesn't support everything checksec looks for,
ignoring everything under %{_libdir}/ghc-*/ would be best. Jens?

For any CMake-using projects (I see at least CMake itself and ParaView
in the list), setting the `POSITION_INDEPENDENT_CODE` property[1] on
targets would fix any missing -fPIE. It is initialized with
`CMAKE_POSITION_INDEPENDENT_CODE`, so adding:

    -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=ON

to %cmake when hardening is enabled should fix -fPIE missing. Anything
with internal static libraries *might* need a scalpel to turn off the
property on those targets.

--Ben

[1] http://www.cmake.org/cmake/help/v3.3/prop_tgt/POSITION_INDEPENDENT_CODE.html
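
A way to confirm after a rebuild that a binary actually came out position independent, as an added example that is not part of the original message or of checksec: it reads the ELF header and dynamic section of the linked result directly. The ELF64-only scope, the DT_DEBUG heuristic for telling a PIE executable from a shared library, and the names `pie_status` and `sample_elf` are assumptions of this example.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3          # e_type values
PT_DYNAMIC = 2                  # program header type
DT_NULL, DT_DEBUG = 0, 21       # dynamic section tags

def pie_status(data: bytes) -> str:
    """Classify an ELF64 image as 'No PIE', 'PIE enabled' or 'DSO'."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    if e_type == ET_EXEC:
        return "No PIE"                         # fixed load address
    if e_type != ET_DYN:
        return "not an executable or shared object"
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, off)
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(p_offset, p_offset + p_filesz - 15, 16):
            (tag, _) = struct.unpack_from(end + "qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_DEBUG:                 # heuristic: executables carry DT_DEBUG
                return "PIE enabled"
    return "DSO"                                # ET_DYN without DT_DEBUG: shared library

def sample_elf(e_type, dyn_tags):
    """Constructed ELF64 little-endian image: header, one PT_DYNAMIC, dynamic entries."""
    dyn = b"".join(struct.pack("<qQ", t, 0) for t in list(dyn_tags) + [DT_NULL])
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    for path in sys.argv[1:]:                   # e.g. binaries from a rebuilt package
        with open(path, "rb") as f:
            print(path, pie_status(f.read()))
```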
