Bug 1548676
| Summary: | openldap: Does not use Fedora build flags | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> | ||||
| Component: | openldap | Assignee: | Matus Honek <mhonek> | ||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | fweimer, mhonek, rmeggins | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | openldap-2.4.45-13.fc28 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-03-01 15:22:01 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1539083 | ||||||
| Attachments: |
|
||||||
Created attachment 1400831 [details] consolidate build flags Thanks for looking into this. I'm attaching a patch that should resolve the issue. However, before applying it I'd like to have the possible issue described in the following paragraph resolved. However, I'm a bit concerned about the -fPIE vs. -fpie on s390/s390x vs. others. I'm not sure if this is somehow taken into account with the redhat-rpm-config. I'd like to avoid reintroducing bug 1020661. I cannot see from the build.log if the flag was actually pulled in as it is included with -specs. Anyway, I'd like to prevent a possible regression in the future. Could you please provide some guidance here? Thanks. (In reply to Matus Honek from comment #1) > However, I'm a bit concerned about the -fPIE vs. -fpie on s390/s390x vs. > others. I'm not sure if this is somehow taken into account with the > redhat-rpm-config. I'd like to avoid reintroducing bug 1020661. I cannot see > from the build.log if the flag was actually pulled in as it is included with > -specs. Anyway, I'd like to prevent a possible regression in the future. > Could you please provide some guidance here? The GCC specs fragment will use -fPIC or -fPIE, to be conservative. It will not override -fpic or -fpie specified on the command line, but if there is nothing there, it will use the version that supports larger shared objects. (In reply to Matus Honek from comment #1) > Created attachment 1400831 [details] > consolidate build flags I don't like the explicit list of flags there: +export CFLAGS="${CFLAGS} -Wl,--as-needed,-z,relro,-z,now -DLDAP_CONNECTIONLESS" It should be something like this, to inherit all future changes in redhat-rpm-config: +export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS" Applying as Florian proposed. The effective flags in the build.log look fine. https://src.fedoraproject.org/rpms/openldap/c/cd7bdcf821f7ae4c1d97189129cdbbfdfe9d5210?branch=f28 Also dropping an old unnecessary patch: https://src.fedoraproject.org/rpms/openldap/c/6f8a4c6436709dd6c43c64e8006bc26946cab63f?branch=f28 |
The spec file for openldap-2.4.45-11.fc28 contains this: %ifarch s390 s390x export CFLAGS="-fPIE" %else export CFLAGS="-fpie" %endif export LDFLAGS="-pie" # avoid stray dependencies (linker flag --as-needed) # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed,-z,relro,-z,now -DLDAP_CONNECTIONLESS" The PIE flags should simply be inherited from the build environment. Apparently, this causes /usr/lib64/openldap/check_password.so.1.1 to be compiled and linked like this: gcc -fpie -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection -Wl,--as-needed,-z,relro,-z,now -DLDAP_CONNECTIONLESS -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -DDEBUG -c -I../openldap-2.4.45/include -I../openldap-2.4.45/servers/slapd -I../openldap-2.4.45/build-servers/include check_password.c gcc -pie -shared -o check_password.so check_password.o -lcrack -pie -shared does not make sense, and the usual LDFLAGS from redhat-rpm-config are missing. See https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md for information on RPM macros and environment variables provided by the build environment.