Bug 892837

Summary: fix hardened specs to be safe against multiple inclusion
Product: [Fedora] Fedora
Reporter: Matthias Clasen <mclasen>
Component: redhat-rpm-config
Assignee: Adam Jackson <ajax>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dcbw, dkholia, i, jonathan, mitr, nathanael, pmatilai, rdieter, rhughes
Fixed In Version: redhat-rpm-config-9.1.0-37.1.fc18
Doc Type: Bug Fix
Last Closed: 2013-05-24 20:14:57 UTC
Type: Bug
Bug Blocks: 853199, 954347

Description Matthias Clasen 2013-01-08 00:30:23 UTC
I was trying a hardened build of polkit, but the build fails when it gets to the introspection part. What probably happens is that the introspection mangles the CFLAGS, and ends up duplicating the -specs=... line. This in turn causes gcc to complain about %rename defining something that already exists.

Using something like:

*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

(and similar for ld) instead allows the build to succeed, and yields a fully relro polkit package.
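
Added example, not part of the bug report and not the files shipped in redhat-rpm-config: a shell check that passes a spec file to gcc once and twice, comparing a %rename-style file with the "+" append form quoted above. The file names, the old_cc1_options spec name and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed spec files modelled on the report; not the shipped Fedora files.
PIE='%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}'

write_specs() {   # $1 = directory to write the two spec files into
    # Variant A: rename the built-in spec, then redefine it on top of the
    # old value. A second inclusion renames onto a name that already exists.
    printf '%%rename cc1_options old_cc1_options\n\n*cc1_options:\n%s %%(old_cc1_options)\n\n' \
        "$PIE" > "$1/rename.specs"
    # Variant B: "+" appends to the existing spec, so repeating it is harmless.
    printf '*cc1_options:\n+ %s\n\n' "$PIE" > "$1/append.specs"
}

# Run gcc on a trivial program with the spec file given N times.
# Returns gcc's exit status (0 = the command line was accepted).
build_with_specs() {   # $1 = spec file, $2 = how many times to pass it
    flags=''
    i=0
    while [ "$i" -lt "$2" ]; do
        flags="$flags -specs=$1"
        i=$((i + 1))
    done
    # $flags is intentionally unquoted so it splits into separate options.
    echo 'int main(void){return 0;}' | gcc $flags -fsyntax-only -x c - 2>/dev/null
}

# Demo: only runs when gcc is installed.
if command -v gcc >/dev/null 2>&1; then
    d=$(mktemp -d) && write_specs "$d"
    for f in rename append; do
        for n in 1 2; do
            if build_with_specs "$d/$f.specs" "$n"; then r=ok; else r=FAIL; fi
            echo "$f.specs passed $n time(s): $r"
        done
    done
    rm -rf "$d"
fi
```

Drop the 2>/dev/null in build_with_specs to see gcc's own diagnostic for the duplicated %rename file.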

Comment 1 Matthias Clasen 2013-04-30 20:53:18 UTC
*** Bug 958290 has been marked as a duplicate of this bug. ***

Comment 2 Dhiru Kholia 2013-05-02 09:39:06 UTC
Multiple packages are being affected by this bug. Both F18 and F19 are affected.

Why is fixing this almost trivial bug taking so long?

Comment 3 Richard Hughes 2013-05-03 20:28:23 UTC
I'm having to fix this up in RHEL7 manually, it would be awesome to have the macro working. Thanks!

Comment 4 Dan Williams 2013-05-06 21:36:33 UTC
Hitting this with NetworkManager as well, would be good to have this solved correctly instead of carrying a bunch of patches for a bunch of packages.

Comment 5 Dhiru Kholia 2013-05-08 15:02:04 UTC
LibreOffice is affected too. Wasted many hours due to this bug.

Comment 6 Miloslav Trmač 2013-05-10 22:39:57 UTC
At least for polkit, the compilation failure is caused by gdk-doc duplicating the -specs flags (#962005).

There's nothing obviously wrong with the -specs command in redhat-rpm-config AFAICS.  True, it is not idempotent - was it ever promised to be?

Comment 8 Panu Matilainen 2013-05-13 06:48:19 UTC
Reassigning to ajax who added the hardening-stuff in the first place and thus likely has a better clue about the thing than me.

Comment 9 Adam Jackson 2013-05-13 15:17:54 UTC
I'm... honestly not sure why we used %rename there, besides that I think that's the template Jakub(?) gave me to work with.  The + syntax is clearly more sane.

I've fixed this in git (bodhi update to follow in a moment).

However, when I tested it (both before and after) against libXext, a fairly trivial automake/libtool project, libtool seems to delight in just throwing away huge chunks of the link command line, including the -specs= part, because libtool is a net loss for humanity.  Sorry about that, but I don't see a reasonable workaround for it at the rpm macro level, it's really libtool's bug.

Comment 10 Fedora Update System 2013-05-13 15:26:37 UTC
redhat-rpm-config-9.1.0-44.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/redhat-rpm-config-9.1.0-44.fc19

Comment 11 Fedora Update System 2013-05-14 03:45:22 UTC
Package redhat-rpm-config-9.1.0-44.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing redhat-rpm-config-9.1.0-44.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8112/redhat-rpm-config-9.1.0-44.fc19
then log in and leave karma (feedback).

Comment 12 Dhiru Kholia 2013-05-14 11:02:32 UTC
The fix works great. Thanks Adam!

Comment 13 Nathanael Noblet 2013-05-15 16:44:32 UTC
So I just attempted to do this today, my build failed. Is it because the fix above isn't in the buildroot?

Comment 14 Adam Jackson 2013-05-15 21:06:20 UTC
(In reply to comment #13)
> So I just attempted to do this today, my build failed. Is it because the fix
> above isn't in the buildroot?

It won't be in the buildroot until the update gets approved, correct.  That's what karma is for...

Comment 15 Richard Hughes 2013-05-17 12:10:31 UTC
FWIW, I ended up adding the PIE and full RELRO stuff upstream in my projects, rather than using the specfile macro.

Comment 16 Christopher Meng 2013-05-18 02:03:11 UTC
Fixed.

Comment 17 Christopher Meng 2013-05-18 02:45:25 UTC
Rawhide seems fixed.

But f19 still comes across this:

http://koji.fedoraproject.org/koji/taskinfo?taskID=5394351

Comment 18 Christopher Meng 2013-05-21 06:55:40 UTC
Hi,

It seems OK now.

But will you have an update for fedora 18?

Comment 19 Fedora Update System 2013-05-24 20:14:57 UTC
redhat-rpm-config-9.1.0-44.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-05-29 15:43:28 UTC
redhat-rpm-config-9.1.0-37.1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/redhat-rpm-config-9.1.0-37.1.fc18

Comment 21 Fedora Update System 2013-06-11 09:18:34 UTC
redhat-rpm-config-9.1.0-37.1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.