Harden_all_packages_with_position-independent_code + guile modules

Tomas Mraz tmraz at redhat.com
Thu Mar 19 10:08:29 UTC 2015


On 19.3.2015 08:16, Nikos Mavrogiannopoulos wrote:
> On Wed, 2015-03-18 at 11:37 -0700, Moez Roy wrote:
>>>>>> FULL RELRO
>>>>>> http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html
>>>>> If that's all we got I suggest to remove this flag or (better) provide a
>>>>> way for applications that use modules to compile themselves, without
>>>>> removing the whole set of hardening flags.
>>>>
>>>> Any advice from the change owners? How should applications that use
>>>> modules with undefined systems handle that? Should they add
>>>> %undefine _hardened_build by default?
>>> I was doing some research last night but have not tested it yet:
>>> "nonow"
>>> 1) add -nonow to the CFLAGS
>>> 2) or add -z nonow to the LDFLAGS
>>> doing the koji builds now to test and see if it works.
>>> Also need to test if there is a -lazy option.
>> Why are you using -Wl,--no-add-needed in the LD flags?
>
> I don't see the reason for it. Added Tomas (the previous maintainer) in
> case he remembers.

If I remember correctly it was added to get rid of some unneeded 
dependency that was otherwise pulled in. But it might be unnecessary 
now. You could try to build the rpm (without hardening) with and without 
the -Wl,--no-add-needed and see whether there are some additional 
Requires added to the resulting rpms.

Regards,
Tomas
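
The comparison suggested in the reply above, as an added example that is not part of the original thread: diff the Requires of two builds of the same package. It assumes each list was saved beforehand with `rpm -qp --requires PACKAGE.rpm > FILE`; the function names, file names and sample dependencies are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the Requires of two builds of one package,
# e.g. one linked with -Wl,--no-add-needed and one without it.

# requires_diff LIST_A LIST_B
# Prints "-dep" for dependencies only in LIST_A, "+dep" for those only in LIST_B.
requires_diff() {
    a=$(mktemp)
    b=$(mktemp)
    # rpmlib(...) entries track rpm features, not linked libraries: skip them.
    grep -v '^rpmlib(' "$1" | LC_ALL=C sort -u > "$a"
    grep -v '^rpmlib(' "$2" | LC_ALL=C sort -u > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/-/'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/+/'
    rm -f "$a" "$b"
}

# Constructed sample lists: the build without the flag picks up one extra
# library dependency (libexample-extra is a made-up name).
demo_requires_diff() {
    d=$(mktemp -d)
    cat > "$d/with-flag.txt" <<'EOF'
libc.so.6()(64bit)
libexample.so.1()(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
EOF
    cat > "$d/without-flag.txt" <<'EOF'
libc.so.6()(64bit)
libexample.so.1()(64bit)
libexample-extra.so.1()(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
EOF
    requires_diff "$d/with-flag.txt" "$d/without-flag.txt"
    rm -rf "$d"
}

# Stand-alone use: sh requires_diff.sh with-flag.txt without-flag.txt
if [ "$#" -eq 2 ]; then
    requires_diff "$1" "$2"
fi
```

Empty output means both builds carry the same Requires, so the flag no longer changes the package's dependencies.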

