Bug 1967200

Summary: openscap fails to build in Fedora 35+: Broken RPATH will fail rpmbuild
Product: [Fedora] Fedora Reporter: Tomáš Hrnčiar <thrnciar>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: evgenyz, jcerny, matyc, mhaicman, mhroncok, mmarhefk, pvrabec, simi+fedora, thrnciar, vpolasek, wsato
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openscap-1.3.5-5.fc35 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-28 14:56:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1890881, 1927309, 1927313    

Description Tomáš Hrnčiar 2021-06-02 15:30:36 UTC
openscap fails to build with Python 3.10.0b1.

https://fedoraproject.org/wiki/Changes/Broken_RPATH_will_fail_rpmbuild 

Related section in packaging guidelines.
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_beware_of_rpath

+ /usr/lib/rpm/check-rpaths
*******************************************************************************
*
* WARNING: 'check-rpaths' detected a broken RPATH OR RUNPATH and will cause
*          'rpmbuild' to fail. To ignore these errors, you can set the
*          '$QA_RPATHS' environment variable which is a bitmask allowing the
*          values below. The current value of QA_RPATHS is 0x0000.
*
*    0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
*               issue but are introducing redundant searchpaths without
*               providing a benefit. They can also cause errors in multilib
*               environments.
*    0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
*               nor relative filenames and can therefore be a SECURITY risk
*    0x0004 ... insecure RPATHs; these are relative RPATHs which are a
*               SECURITY risk
*    0x0008 ... the special '$ORIGIN' RPATHs are appearing after other
*               RPATHs; this is just a minor issue but usually unwanted
*    0x0010 ... the RPATH is empty; there is no reason for such RPATHs
*               and they cause unneeded work while loading libraries
*    0x0020 ... an RPATH references '..' of an absolute path; this will break
*               the functionality when the path before '..' is a symlink
*          
*
* Examples:
* - to ignore standard and empty RPATHs, execute 'rpmbuild' like
*   $ QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild my-package.src.rpm
* - to check existing files, set $RPM_BUILD_ROOT and execute check-rpaths like
*   $ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
*  
*******************************************************************************
ERROR   0001: file '/usr/bin/oscap' contains a standard runpath '/usr/lib64' in [/usr/lib64]
ERROR   0001: file '/usr/lib64/python3.10/site-packages/_openscap_py.so' contains a standard runpath '/usr/lib64' in [/usr/lib64]
ERROR   0001: file '/usr/lib64/libopenscap.so.25.4.0' contains a standard runpath '/usr/lib64' in [/usr/lib64]
ERROR   0001: file '/usr/lib64/libopenscap_sce.so.25.4.0' contains a standard runpath '/usr/lib64' in [/usr/lib64]

For the build logs, see:
https://copr-be.cloud.fedoraproject.org/results/@python/python3.10/fedora-rawhide-x86_64/02217832-openscap/

For all our attempts to build openscap with Python 3.10, see:
https://copr.fedorainfracloud.org/coprs/g/python/python3.10/package/openscap/

Testing and mass rebuild of packages is happening in copr. You can follow these instructions to test locally in mock if your package builds with Python 3.10:
https://copr.fedorainfracloud.org/coprs/g/python/python3.10/

Let us know here if you have any questions.

Python 3.10 will be included in Fedora 35. To make that update smoother, we're building Fedora packages with early pre-releases of Python 3.10.
A build failure prevents us from testing all dependent packages (transitive [Build]Requires), so if this package is required a lot, it's important for us to get it fixed soon.
We'd appreciate help from the people who know this package best, but if you don't want to work on this now, let us know so we can try to work around it on our side.

Comment 1 Miro Hrončok 2021-06-04 20:12:47 UTC
This is a mass-posted update. Sorry if it is not 100% accurate to this bugzilla.


The Python 3.10 rebuild is in progress in a Koji side tag. If you manage to fix the problem, please commit the fix in the rawhide branch, but don't build the package in regular rawhide.

You can either build the package in the side tag, with:

    $ fedpkg build --target=f35-python

Or you can the build and we will eventually build it for you.

Note that the rebuild is still in progress, so not all (build) dependencies of this package might be available right away.

Thanks.

See also https://fedoraproject.org/wiki/Changes/Python3.10

If you have general questions about the rebuild, please use this mailing list thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/G47SGOYIQLRDTWGOSLSWERZSSHXDEDH5/

Comment 2 Miro Hrončok 2021-06-07 22:57:46 UTC
The f35-python side tag has been merged to Rawhide. From now on, build as you would normally build.

Comment 3 Miro Hrončok 2021-06-08 11:18:48 UTC
*** Bug 1968851 has been marked as a duplicate of this bug. ***

Comment 4 Miro Hrončok 2021-06-15 20:28:57 UTC
Hello,

This is the first reminder (step 3 from https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/#_package_removal_for_long_standing_ftbfs_and_fti_bugs).

If you know about this problem and are planning on fixing it, please acknowledge so by setting the bug status to ASSIGNED. If you don't have time to maintain this package, consider orphaning it, so maintainers of dependent packages realize the problem.

Comment 5 Jan Černý 2021-06-17 06:40:57 UTC
I think that the rpath settings in CMake aren't necessary and it seems to build without them so I proposed a patch that removes it last week https://github.com/OpenSCAP/openscap/pull/1765. I will make it assigned.

Comment 6 Miro Hrončok 2021-06-20 12:33:03 UTC
Note that a successful build is gated: https://bodhi.fedoraproject.org/updates/FEDORA-2021-8c148e7d7f -- pushing it fixes the installability problem.