The package rpms/podman.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/podman.git/commit/?id=9f65dc10414....
Change:
+%ifarch x86_64
Thanks.
Full change:
============
commit 5f556ba7908ae9d6137f9590c083861fc6c65d44
Author: Lokesh Mandvekar <lsm5(a)fedoraproject.org>
Date: Mon Dec 7 09:45:04 2020 -0500
podman-2:2.2.0-3
- harden cgo based golang binaries
Reported-by: Wade Mealing <wmealing(a)gmail.com>
Signed-off-by: Lokesh Mandvekar <lsm5(a)fedoraproject.org>
diff --git a/podman.spec b/podman.spec
index 911192a..40d0ef1 100644
--- a/podman.spec
+++ b/podman.spec
@@ -56,7 +56,7 @@ Version: 2.2.0
# N.foo if released, 0.N.foo if unreleased
# Rawhide almost always ships unreleased builds,
# so release tag should be of the form 0.N.foo
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Manage Pods, Containers and Container Images
License: ASL 2.0
URL: https://%{name}.io/
@@ -680,6 +680,10 @@ exit 0
# rhcontainerbot account currently managed by lsm5
%changelog
+* Mon Dec 7 2020 Lokesh Mandvekar <lsm5(a)fedoraproject.org> - 2:2.2.0-3
+- harden cgo based golang binaries
+- Reported-by: Wade Mealing <wmealing(a)gmail.com>
+
* Tue Dec 1 2020 Lokesh Mandvekar <lsm5(a)fedoraproject.org> - 2:2.2.0-2
- use podman-plugins / dnsname upstream v1.1.1
commit 9f65dc104148c4d54c1246e887586b634e3089f5
Author: Lokesh Mandvekar <lsm5(a)fedoraproject.org>
Date: Thu Dec 3 11:12:40 2020 -0500
Harden cgo based golang binaries
- adjust CGO_CFLAGS to make both koji and checksec happy
Reported-by: Wade Mealing <wmealing(a)gmail.com>
Signed-off-by: Lokesh Mandvekar <lsm5(a)fedoraproject.org>
diff --git a/podman.spec b/podman.spec
index 9c6ad37..911192a 100644
--- a/podman.spec
+++ b/podman.spec
@@ -20,7 +20,6 @@
%if ! 0%{?gobuild:1}
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc
-tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B
0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro
-Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
%endif
-%define gogenerate go generate
%global provider github
%global provider_tld com
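Review bot: The removal of `%define gogenerate go generate` in this first hunk is not covered by the commit message, which only describes adjusting CGO_CFLAGS. Please confirm that nothing later in the spec still expands the gogenerate macro, and either mention the removal in the commit message or split it into its own commit so the hardening change stays easy to audit.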
@@ -70,6 +69,7 @@ Source1:
https://github.com/containers/dnsname/archive/%{commit_plugins}/dnsname
Provides: %{name}-manpages = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-manpages < %{epoch}:%{version}-%{release}
# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+BuildRequires: gcc
BuildRequires: golang
BuildRequires: glib2-devel
BuildRequires: glibc-devel
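Review bot: The added `BuildRequires: gcc` line lands between the comment "If go_compiler is not set to 1, there is no virtual provide. Use golang instead." and the `BuildRequires: golang` line that comment explains, so the comment now reads as if it were about gcc. Move the gcc line above the comment or below the golang line, and consider a one-line comment saying gcc is required because the cgo parts are now compiled with explicit CGO_CFLAGS.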
@@ -462,6 +462,12 @@ tar zxf %{SOURCE1}
%build
export GO111MODULE=off
export GOPATH=$(pwd)/_build:$(pwd)
+export CGO_CFLAGS="-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects
-fexceptions -fasynchronous-unwind-tables -fstack-protector-strong
-fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64"
+%ifarch x86_64
+export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic -fcf-protection"
+%endif
+# These extra flags present in %%{optflags} have been skipped for now as they break the
build
+#export CGO_CFLAGS="$CGO_CFLAGS -flto=auto -Wp,D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1"
mkdir _build
pushd _build
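Review bot: In the commented-out export at the end of the added block, `-Wp,D_GLIBCXX_ASSERTIONS` is missing the `-` before `D`. It should read `-Wp,-D_GLIBCXX_ASSERTIONS`. As written, whoever re-enables the line will not get the define passed as intended, and may misattribute the resulting failure to the original build breakage. Separately, the flag list is hand-copied rather than derived from %{optflags}, as the in-line comment itself implies, so it can drift from the distribution defaults without anyone noticing. Only x86_64 receives arch-specific additions (`-m64 -mtune=generic -fcf-protection`). Consider starting from %{optflags} and filtering out the three flags that break the build, and note in the comment which flag causes which failure so that the skipped hardening can be restored later.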