"rpmbuild --rebuild" does not result in hardened build

Reindl Harald h.reindl at thelounge.net
Tue Jun 18 19:41:37 UTC 2013



On 18.06.2013 19:18, Panu Matilainen wrote:
> On 06/18/2013 04:21 PM, Reindl Harald wrote:
>> can someone look at this?
>> https://bugzilla.redhat.com/show_bug.cgi?id=975273
>>
>> why are the hardening-macros not respected with "rpmbuild"?
> 
> Because of this (from https://bugzilla.redhat.com/show_bug.cgi?id=975273#c3):
> 
>> [builduser at buildserver64:~]$ cat .rpmrc
> optflags: x86_64 -m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 -msse4.1 -msse4.2 -maes -pipe
> -fstack-protector --param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2 -fexceptions
> 
> You're overriding the distro defaults and not including
> %{__global_cflags} which is a part of how the hardening flags (among all sorts of other distro defaults) get set for
> builds

because it ends in double options with different values
"-O3 -O2" makes little sense and looks not predictable

IMHO the hardening-macro should ADD its params to whatever existing ones

-m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 -msse4.1 -msse4.2 -maes -pipe -fstack-protector
--param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2 -fexceptions -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4
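
An added example, not part of the original message: a small Python check that splits the merged flag line quoted above, groups options that set the same knob, and separates exact repeats from options given with different values. It assumes GCC's documented rule that the last `-O` option on the command line is the one in effect; the function names are made up for this illustration.

```python
import shlex

# The merged flag line quoted in the message above, copied verbatim.
MERGED = (
    "-m64 -O3 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 "
    "-msse4.1 -msse4.2 -maes -pipe -fstack-protector "
    "--param=ssp-buffer-size=4 -mfpmath=sse -D_FORTIFY_SOURCE=2 -fexceptions "
    "-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions "
    "-fstack-protector --param=ssp-buffer-size=4"
)


def normalise(flag):
    """Return (knob, value): options that set the same thing share a knob."""
    if flag.startswith("-Wp,"):
        flag = flag[4:]            # -Wp,X hands X to the preprocessor
    if flag.startswith("-O"):
        return "-O", flag          # all optimisation levels share one knob
    return flag.rsplit("=", 1)[0], flag


def audit(flag_line):
    """Split a flag line into conflicting and merely repeated options."""
    seen = {}
    for flag in shlex.split(flag_line):
        knob, value = normalise(flag)
        seen.setdefault(knob, []).append(value)
    conflicts = {k: v for k, v in seen.items() if len(set(v)) > 1}
    repeats = sorted(k for k, v in seen.items()
                     if len(v) > 1 and len(set(v)) == 1)
    return conflicts, repeats


def effective_opt_level(flag_line):
    """Assumption: GCC uses the last -O option given (documented behaviour)."""
    levels = [f for f in shlex.split(flag_line) if f.startswith("-O")]
    return levels[-1] if levels else None


if __name__ == "__main__":
    conflicts, repeats = audit(MERGED)
    print("conflicting:", conflicts)
    print("repeated   :", repeats)
    print("effective -O:", effective_opt_level(MERGED))
```

On this line the only option given with two different values is the optimisation level; the fortify, stack-protector and exception flags appear twice with identical values.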

