qt5-qtwebengine-5.10.0-3.fc28 was only partially built with the intended compiler and linker flags from redhat-rpm-config. For example, for this file, all the hardening flags are missing:

[24/367] c++ -MMD -MF base/at_exit.o.d -I/builddir/build/BUILD/qtwebengine-everywhere-src-5.10.0/x86_64-redhat-linux-gnu/src/3rdparty/chromium/tools/gn/out/Release/gen -I/builddir/build/BUILD/qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium -DNO_TCMALLOC -D__STDC_FORMAT_MACROS -O2 -g0 -DTOOLKIT_QT -D_FILE_OFFSET_BITS=64 -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -pthread -pipe -fno-exceptions -D__STDC_FORMAT_MACROS -std=c++11 -Wno-c++11-narrowing -c /builddir/build/BUILD/qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium/base/at_exit.cc -o base/at_exit.o
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
ping?
This file is part of the GN bootstrap code, so I'm surprised it ends up in the final binary at all. It looks like we have a handful of those .o files that are shared between GN and Chromium. So the GN build flags need to be fixed. This was just all the way at the bottom of my priority list. I no longer own this package, so I am reassigning this bug to the new owner, Rex Dieter, and will let him decide what to do about it.
Rebasing to avoid autoclose. Based on Kevin's analysis, my feeling is similar, that the cost/benefit to fix this is pretty high.
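A way to find every compile step like the one quoted in the report is to scan the ninja-style build log for commands that lack the hardening flags. This is an added example, not part of the original thread or of the package's own tooling; the flag set checked is an assumed subset of what redhat-rpm-config injects (compare with `rpm --eval '%{optflags}'`), and the sample log is constructed.

```python
import re
import shlex

# Assumed subset of the Fedora hardening flags (the page does not list them).
REQUIRED = {
    "stack-protector": re.compile(r"^-fstack-protector(-strong|-all)$"),
    "fortify-source": re.compile(r"^(-Wp,)?-D_FORTIFY_SOURCE=[1-3]$"),
    "hardened-specs": re.compile(r"^-specs=.*redhat-hardened-cc1$"),
}
NINJA_STEP = re.compile(r"^\[\d+/\d+\]\s+(.*)$")
COMPILERS = {"cc", "gcc", "c++", "g++", "clang", "clang++"}

def missing_hardening(command):
    """Return names of the REQUIRED flag groups absent from one compile command."""
    args = shlex.split(command)
    return sorted(name for name, pat in REQUIRED.items()
                  if not any(pat.match(a) for a in args))

def audit_log(log_text):
    """Map each compiled object file to the flag groups its command lacks."""
    findings = {}
    for line in log_text.splitlines():
        m = NINJA_STEP.match(line.strip())
        if not m:
            continue
        args = shlex.split(m.group(1))
        # Only compile steps: a known compiler driver invoked with -c and -o.
        if not args or args[0].rsplit("/", 1)[-1] not in COMPILERS:
            continue
        if "-c" not in args or "-o" not in args[:-1]:
            continue
        missing = missing_hardening(m.group(1))
        if missing:
            findings[args[args.index("-o") + 1]] = missing
    return findings

# Constructed sample log: the first step is modelled on the command in the
# report (paths shortened); the second is a constructed hardened compile.
SAMPLE_LOG = """\
[24/367] c++ -MMD -MF base/at_exit.o.d -DNO_TCMALLOC -O2 -g0 -DTOOLKIT_QT -pthread -pipe -fno-exceptions -std=c++11 -c base/at_exit.cc -o base/at_exit.o
[25/367] c++ -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -c base/hardened.cc -o base/hardened.o
[26/367] touch obj/stamp
"""

if __name__ == "__main__":
    for obj, missing in audit_log(SAMPLE_LOG).items():
        print(f"{obj}: missing {', '.join(missing)}")
```

Objects flagged this way can then be checked against the final link to see which of them, like the GN bootstrap objects discussed above, actually end up in the shipped binary.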