/usr/lib64/jss/libjss4.so in jss-4.4.2-10.fc28.x86_64 is not linked with the standard Fedora linker flags (LDFLAGS) from redhat-rpm-config. I tried setting LDFLAGS in the %build section of the RPM spec file (similar to XCFLAGS), but this did not have the desired effect. See https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md for information on RPM macros and environment variables provided by the build environment.
If I understand correctly, basically the linker needs to be invoked with the -specs=/usr/lib/rpm/redhat/redhat-hardened-ld flag. I have tried adding %set_build_flags into the %build section, which added the above flag into LDFLAGS, but it only affected one linker:

    gcc -o Linux4.16_x86_64_glibc_PTH_64_OPT.OBJ/nsinstall -O2 -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE -fPIC -DLINUX2_1 -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT -DUSE_UTIL_DIRECTLY -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -I../../../dist/Linux4.16_x86_64_glibc_PTH_64_OPT.OBJ/include -I../../../dist/public/coreconf -I../../../dist/private/coreconf -g -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection Linux4.16_x86_64_glibc_PTH_64_OPT.OBJ/nsinstall.o Linux4.16_x86_64_glibc_PTH_64_OPT.OBJ/pathsub.o -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -lpthread -ldl -lc

and not the other:

    gcc -shared -Wl,-z,defs -Wl,-soname -Wl,libjss4.so -Wl,--version-script,Linux4.14_x86_64_glibc_PTH_64_OPT.OBJ/jssmap.linux -o Linux4.14_x86_64_glibc_PTH_64_OPT.OBJ/libjss4.so ...<snip>... -L/usr/lib64 -lsmime3 -lssl3 -lnss3 -lnssutil3 -L/usr/lib64 -lplc4 -lplds4 -lnspr4 -lpthread -ldl -lc

Christina, Jack, or Matt, do you know which code triggers the second linker, and how should we fix it? Should this be fixed upstream as well? Thanks.
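Added example, not part of the original bug comments or of the JSS or Fedora build tooling: a small Python audit that scans a build log for gcc link steps that lack the hardening flags visible in the first command above (-Wl,-z,relro, -Wl,-z,now and the redhat-hardened-ld specs file). The function names and the shortened sample log are constructed for illustration.

```python
import shlex

# Flags taken from the hardened link command quoted in the comment above.
REQUIRED_SPECS = "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
REQUIRED_Z = ("relro", "now")

def linker_z_options(tokens):
    """Collect keywords passed to the linker as -Wl,-z,<keyword>."""
    found = set()
    for tok in tokens:
        parts = tok.split(",")
        if parts[0] == "-Wl":
            found.update(b for a, b in zip(parts[1:], parts[2:]) if a == "-z")
    return found

def missing_hardening(tokens):
    """Return the flags one gcc link command lacks, or None if it does not link."""
    if not tokens or tokens[0] not in ("gcc", "g++", "cc", "c++"):
        return None
    # -c, -S and -E stop before the link step, so LDFLAGS do not apply.
    if any(t in ("-c", "-S", "-E") for t in tokens):
        return None
    z = linker_z_options(tokens)
    missing = ["-Wl,-z," + k for k in REQUIRED_Z if k not in z]
    if REQUIRED_SPECS not in tokens:
        missing.append(REQUIRED_SPECS)
    return missing

def audit_build_log(text):
    """Map each link output (-o argument) to the hardening flags it lacks."""
    report = {}
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote in unrelated log output
            continue
        missing = missing_hardening(tokens)
        if missing:
            out = tokens[tokens.index("-o") + 1] if "-o" in tokens else "a.out"
            report[out] = missing
    return report

# Constructed sample: the two link lines above, shortened, plus one compile line.
SAMPLE_LOG = """\
gcc -o OBJ/nsinstall -O2 -fPIC OBJ/nsinstall.o OBJ/pathsub.o -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -lpthread -ldl -lc
gcc -shared -Wl,-z,defs -Wl,-soname -Wl,libjss4.so -o OBJ/libjss4.so -L/usr/lib64 -lnss3 -lpthread -ldl -lc
gcc -c -O2 -fPIC -o OBJ/pathsub.o pathsub.c
"""

if __name__ == "__main__":
    print(audit_build_log(SAMPLE_LOG))
```

On the sample, only OBJ/libjss4.so is reported; the nsinstall link passes and the compile-only line is skipped.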
This seems to be caused by an upstream JSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=583666
Florian, I created a COPR build using a patch from the upstream bug: https://copr.fedorainfracloud.org/coprs/edewata/pki-10.6/build/725449/ Does this look OK? Once confirmed, I'll create a Koji build. Thanks.
(In reply to Endi Sukma Dewata from comment #3)
> Florian,
>
> I created a COPR build using a patch from the upstream bug:
>
> https://copr.fedorainfracloud.org/coprs/edewata/pki-10.6/build/725449/

jss-4.4.3-1.fc28.x86_64.rpm under that URL looks fixed.
Can you build it in Fedora too?
jss-4.4.3-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-acd3fd298c
I've built it for Fedora 28 and 29 on Koji.
jss-4.4.3-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-acd3fd298c
jss-4.4.3-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.