V Thu, Apr 21, 2022 at 11:12:41PM +0200, Marcin Zajączkowski napsal(a):
Upgrading NetworkManager-sstp to the latest version, I've noticed
that
there is a failed test related to missing branch protection on AArch64
[1].
Check annocheck version installed when building your package (root.log). There
was a bug manifesting as -mbranch-protection=standard failure on AArch64 and
fixed in 10.66:
* Wed Apr 13 2022 Nick Clifton <nickc(a)redhat.com> - 10.66-1
- Annocheck: Do not complain about missing -mbranch-protection option in AArch64 binaries
if compiled in LTO mode.
After reading that and [2], I know what it is all about, however, I
wonder what is the best way to apply it to my package?
Should I check if the build is for AArch64 and for Fedora 33+ (35+?) and
just add "-mbranch-protection=standard"? Or there is some magic macro to
add that (and maybe some other useful security options), similar to
%{?_smp_mflags} (or maybe even included in %make_build on ARM64)?
The option is already presented in system-wide CFLAGS. Check any build.log.
If you package respects the flags (check your build.log), you don't need to do
anything. Otherwise, you should correct your package use all the options from
CFLAGS enviroment variable or %{build_cflags} RPM macro.
-- Petr