The spec file for openldap-2.4.45-11.fc28 contains this: %ifarch s390 s390x export CFLAGS="-fPIE" %else export CFLAGS="-fpie" %endif export LDFLAGS="-pie" # avoid stray dependencies (linker flag --as-needed) # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed,-z,relro,-z,now -DLDAP_CONNECTIONLESS" The PIE flags should simply be inherited from the build environment. Apparently, this causes /usr/lib64/openldap/check_password.so.1.1 to be compiled and linked like this: gcc -fpie -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection -Wl,--as-needed,-z,relro,-z,now -DLDAP_CONNECTIONLESS -fpic -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"/usr/share/cracklib/pw_dict\"" -DCONFIG_FILE="\"/etc/openldap/check_password.conf\"" -DDEBUG -c -I../openldap-2.4.45/include -I../openldap-2.4.45/servers/slapd -I../openldap-2.4.45/build-servers/include check_password.c gcc -pie -shared -o check_password.so check_password.o -lcrack -pie -shared does not make sense, and the usual LDFLAGS from redhat-rpm-config are missing. See https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md for information on RPM macros and environment variables provided by the build environment.
Created attachment 1400831 [details] consolidate build flags Thanks for looking into this. I'm attaching a patch that should resolve the issue. However, before applying it I'd like to have the possible issue described in the following paragraph resolved. However, I'm a bit concerned about the -fPIE vs. -fpie on s390/s390x vs. others. I'm not sure if this is somehow taken into account with the redhat-rpm-config. I'd like to avoid reintroducing bug 1020661. I cannot see from the build.log if the flag was actually pulled in as it is included with -specs. Anyway, I'd like to prevent a possible regression in the future. Could you please provide some guidance here? Thanks.
(In reply to Matus Honek from comment #1) > However, I'm a bit concerned about the -fPIE vs. -fpie on s390/s390x vs. > others. I'm not sure if this is somehow taken into account with the > redhat-rpm-config. I'd like to avoid reintroducing bug 1020661. I cannot see > from the build.log if the flag was actually pulled in as it is included with > -specs. Anyway, I'd like to prevent a possible regression in the future. > Could you please provide some guidance here? The GCC specs fragment will use -fPIC or -fPIE, to be conservative. It will not override -fpic or -fpie specified on the command line, but if there is nothing there, it will use the version that supports larger shared objects.
(In reply to Matus Honek from comment #1) > Created attachment 1400831 [details] > consolidate build flags I don't like the explicit list of flags there: +export CFLAGS="${CFLAGS} -Wl,--as-needed,-z,relro,-z,now -DLDAP_CONNECTIONLESS" It should be something like this, to inherit all future changes in redhat-rpm-config: +export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
Applying as Florian proposed. The effective flags in the build.log look fine. https://src.fedoraproject.org/rpms/openldap/c/cd7bdcf821f7ae4c1d97189129cdbbfdfe9d5210?branch=f28 Also dropping an old unnecessary patch: https://src.fedoraproject.org/rpms/openldap/c/6f8a4c6436709dd6c43c64e8006bc26946cab63f?branch=f28