This feature will never be implemented in the Linux kernel, so it does not make sense to generate the additional support code for it. Related code has already been removed from rawhide glibc.
Thanks, Florian
Unfortunately this is causing gating tests to fail for rawhide builds, e.g.:
https://artifacts.dev.testing-farm.io/081ad2a3-76cd-4aa0-b95e-e870ff75a65c/
Hardened: /usr/bin/pkcon: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
I'm not sure whether to report a bug to rpminspect or to annocheck. One or the other needs to stop testing for this.
The timing is unfortunate because the mass rebuild has started today. I'm not sure what the impact will be. I guess packages will build, but get stuck in gating?
Michael
On 2024-01-18 12:28, Michael Catanzaro wrote:
Unfortunately this is causing gating tests to fail for rawhide builds, e.g.:
https://artifacts.dev.testing-farm.io/081ad2a3-76cd-4aa0-b95e-e870ff75a65c/
Hardened: /usr/bin/pkcon: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
I'm not sure whether to report a bug to rpminspect or to annocheck. One or the other needs to stop testing for this.
The timing is unfortunate because the mass rebuild has started today. I'm not sure what the impact will be. I guess packages will build, but get stuck in gating?
rpminspect does not gate by default. None of the tests run by Fedora CI (any test whose name as shown in Bodhi begins with 'fedora-ci') gates by default, in fact.
Only packages which opt in to gating on these tests via their per-package gating.yaml files should be gated by failures of Fedora CI tests.
The only tests that gate packages *without* a per-package gating.yaml are the openQA tests that gate critpath packages (the names for these always start with 'update.').
In Bodhi's 'automated test results' table, gating tests have an asterisk as the first item in their row. Non-gating tests do not.
* Michael Catanzaro:
Unfortunately this is causing gating tests to fail for rawhide builds, e.g.:
https://artifacts.dev.testing-farm.io/081ad2a3-76cd-4aa0-b95e-e870ff75a65c/
Hardened: /usr/bin/pkcon: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
As Adam said, these reports should not alter the automatically determined outcome of the gating process. Updates for annobin are on their way, to reduce confusion.
The -fcf-protection change did not change this because the markup was gone before the change due to upstream glibc changes, which impact all newly linked binaries due to their dependency on the statically linked glibc startup code.
Thanks, Florian
-
Adam Williamson -
Florian Weimer -
Michael Catanzaro