Description of problem ---------------------- ga fails to build if "-Werror=format-security" flag is used. ... ma/ma.c:1379:17: error: format not a string literal and no format arguments [-Werror=format-security] ma/ma.c:1403:17: error: format not a string literal and no format arguments [-Werror=format-security] ma/ma.c:1428:17: error: format not a string literal and no format arguments [-Werror=format-security] ... We are working on a proposal to enable "-Werror=format-security" for all packages. Once this flag is enabled, GCC will refuse to compile code that could be vulnerable to a string format security flaw. For more details, please see https://fedorahosted.org/fesco/ticket/1185 page. To understand why it is important to fix this, please see https://fedoraproject.org/wiki/Format-Security-FAQ page. How to fix this --------------- The fix for these errors is quite simple. It's a matter of changing a line like, printf(foo); to read, printf("%s", foo); That's it. Please fix this issue in rawhide with a patch (which you should submit to upstream to merge moving forward). Please do a new build with the fix in rawhide. Other releases do not need to be directly fixed, but there should be no harm in pushing out this fix/patch with other needed changes to those branches. In the event you don't fix this bug before the next mass rebuild, provenpackagers may step in and update your package(s) to fix this issue. How reproducible ---------------- Build ga-5.1.1-8.fc21.src.rpm with "-Werror=format-security" flag to reproduce the problem. To make this process easier, you can use a modified "redhat-rpm-config" package from http://people.fedoraproject.org/~halfie/artifacts/redhat-rpm-config/ URL. $ sha256sum redhat-rpm-config-9.1.0-56.fc20.* faad7594b2080fe76497d0ce50808c905a93dd7b41c1defdde5ca57e3833d3d2 redhat-rpm-config-9.1.0-56.fc20.noarch.rpm 5aa9357174305c7285ffdbc92d7ffe1c07a8a95d5459b930461308f5aad75413 redhat-rpm-config-9.1.0-56.fc20.src.rpm
So does rawhide have this enabled by default yet? (or) How can I run mock locally to make sure its fixed? I'm currently on Fedora 20.
For example: mock -r fedora-rawhide-i386 --rebuild ./ga-5.1.1-8.fc21.src.rpm See http://fedoraproject.org/wiki/Using_Mock_to_test_package_builds Or use koji (see http://fedoraproject.org/wiki/Using_the_Koji_build_system), e.g.: koji build --scratch --arch-override i686 rawhide ./ga-5.1.1-8.fc21.src.rpm
Okay I think I have a build for rawhide that works. Task Info: http://koji.fedoraproject.org/koji/taskinfo?taskID=6460192 Build Info: http://koji.fedoraproject.org/koji/buildinfo?buildID=494200 I'm currently backporting to f20/epel5/epel6.
Created attachment 869017 [details] start backporting to older Fedora/epel6 Trying to build for epel5 (with a trivially modified spec) fails - see http://koji.fedoraproject.org/koji/taskinfo?taskID=6579813 Use the patch as a starting point. Note that in order to link nwchem against ga i enabled configure --enable-peigs.
Marcin, I'll take a look at the patch for the spec. How did you approach ripping out the GA parts of the NWChem build? Would it be easier if I included some of the makefiles generated by GA in the devel packages? This way you could include them as part of the build of NWChem? Did you make the openmpi nwchem use ibverbs? Also, depending on how far you want to go, I think the upstream NWChem guys would be receptive to autotooling the NWChem build. They just don't have the money or time to make that happen here at PNNL. I can help facilitate patches to the primary developers here at PNNL to include NWChem in EPEL or Fedora with a proper build system as well.
(In reply to David Brown from comment #5) > Marcin, > > I'll take a look at the patch for the spec. > > How did you approach ripping out the GA parts of the NWChem build? for the moment i do: # remove bundling of GA rm -rf src/tools sed -i "/^include.*makecoms\.h/d" src/GNUmakefile sed -i "/^include.*makemp\.h/d" src/GNUmakefile sed -i "/.*-C tools configure_ga$/d" src/GNUmakefile sed -i "s/NW_CORE_SUBDIRS = tools/NW_CORE_SUBDIRS =/" src/config/makefile.h sed -i "s|INCPATH =.*|INCPATH = -I\$(MPI_INCLUDE)|" src/config/makefile.h sed -i "s|-lga -larmci|-L\$(MPI_LIB) -lga -larmci|" src/config/makefile.h Would it > be easier if I included some of the makefiles generated by GA in the devel > packages? i hope one can just get rid completely of any GA related files when building Nwchem - one needs to do that in the %prep section: http://fedoraproject.org/wiki/Packaging:Treatment_Of_Bundled_Libraries#Packages_with_Bundled_Libraries This way you could include them as part of the build of NWChem? > Did you make the openmpi nwchem use ibverbs? no, i do a standard linking to openmpi. Building GA --with-openib is actually a concern of Nwchem developers: http://www.nwchem-sw.org/index.php/Special:AWCforum/st/id1164/Building_Nwchem_against_a_separa....html > > Also, depending on how far you want to go, I think the upstream NWChem guys > would be receptive to autotooling the NWChem build. They just don't have the > money or time to make that happen here at PNNL. I can help facilitate > patches to the primary developers here at PNNL to include NWChem in EPEL or > Fedora with a proper build system as well. for the moment my priority is to get few more packages into Fedora. Changing the build system of Nwchem would be a large task.
Hi, any progress about the patch?
Marcin, The GA package is patched and has a build for Fedora 21. http://koji.fedoraproject.org/koji/buildinfo?buildID=500173 So I think it means its fixed now. Just wanted to wait until the mirrors got the right version out there and forgot to close it.
OK. I have opened two separate bugs that deal with the patch: bug #1081403 and bug #1081404