Investigation of the F23 mass rebuild
moez.roy at gmail.com
Mon Jul 6 13:31:35 UTC 2015
On Thu, Jul 2, 2015 at 7:49 AM, Adam Jackson <ajax at redhat.com> wrote:
> ....Since the change was
> done by changing the rpm build macros, I think we can conclude that the
> build macros aren't being applied. Granted, packages can disable the
> hardened build macros, but the packages I've called out above aren't
> trying to disable them, or at least not doing so with %undefine.
> - ajax
The problem is that some packages just look at the CFLAGS & CXXFLAGS.
They ignore the LDFLAGS.
The rpm build macros says to link with -pie and to add -z now in the LDFLAGS.
If you were to move those to the CFLAGS section the remaining packages
should get hardened.
As an example, this was the situation for Firefox:
Then we come to the part where it says if it is not shared only then
add -pie. Is that really required? You can link shared libraries with
So in another scenario, for example the LDFLAGS of the tracker.spec
had -fPIC so it did not get linked with -pie even though it is an
executable that runs at startup.
The point I am trying to get at is that if you do decide to move -pie
to the CFLAGS section please consider removing the !shared
And if you do decide to move -Wl,-z,now to the CFLAGS please consider
adding a rule if it is not -Wl,-z,lazy. Probably something like this:
More information about the devel