Bug 1616185

Summary: meson: Loss of -pie compared to traditional builds [rhel-7]
Product: Red Hat Enterprise Linux 7
Reporter: Cedric Buissart <cbuissar>
Component: meson
Assignee: Kalev Lember <klember>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent
Priority: unspecified
Version: 7.6
CC: jkoten, lmiksik, mboisver, rhughes, thoger, tpelka, victortoso
Target Milestone: rc
Keywords: Regression, TestBlocker
Hardware: Unspecified
OS: Unspecified
Fixed In Version: fwupd-1.0.8-4.el7 libappstream-glib-0.7.8-2.el7
Clone Of:
: 1618722
Last Closed: 2018-10-30 10:27:21 UTC
Type: Bug

Description Cedric Buissart 2018-08-15 08:18:36 UTC
Description of problem:

Autotools, during the ./configure process, was checking if the compiler & linker were PIE-compatible.
Meson, however, seems to prefer the simple default of enabling PIC.

PIC is good for shared libraries, but won't ensure that the executable itself is fully position independent.

This is a problem because it causes a hardening regression in our build system when a project migrates from autotools to meson.

Ideally, Meson should automagically enable PIE (`-pie -fPIE` on gcc) on executables without the maintainer having to manually adapt the CFLAGS & so on.

Comment 6 Kalev Lember 2018-09-03 12:00:33 UTC
Sorry for the late reply, I was on a long PTO. I believe hughsie was investigating the fwupd and libappstream-glib regressions in the matching RHEL8 ticket, https://bugzilla.redhat.com/show_bug.cgi?id=1618722 and the fix should be applicable to RHEL7 as well.

Comment 7 Kalev Lember 2018-09-05 09:22:16 UTC
I spent some time today investigating this and it looks like we can work around this by setting "%global _hardened_build 1" in the fwupd and libappstream-glib spec files (longer explanation in the 8.0 ticket, https://bugzilla.redhat.com/show_bug.cgi?id=1618722). Can I get exception/blocker acks for this, please? I'll use it for rebuilding fwupd and libappstream-glib.

Comment 11 errata-xmlrpc 2018-10-30 10:27:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140