Bug 1973304 - check-rpath flags valid rpath as invalid
Summary: check-rpath flags valid rpath as invalid
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Packaging Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-17 15:38 UTC by Michael Catanzaro
Modified: 2021-06-23 13:25 UTC (History)
10 users (show)

Fixed In Version: rpm-4.17.0-0.beta1.0.fc35.1
Clone Of:
Environment:
Last Closed: 2021-06-23 09:07:51 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github rpm-software-management rpm pull 1721 0 None open Allow /usr/libexec/* rpaths 2021-06-21 16:11:56 UTC

Description Michael Catanzaro 2021-06-17 15:38:09 UTC 
Hi, glib2 build is now failing in rawhide with:

+ /usr/lib/rpm/check-rpaths
*******************************************************************************
*
* WARNING: 'check-rpaths' detected a broken RPATH OR RUNPATH and will cause
*          'rpmbuild' to fail. To ignore these errors, you can set the
*          '$QA_RPATHS' environment variable which is a bitmask allowing the
*          values below. The current value of QA_RPATHS is 0x0000.
*
*    0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
*               issue but are introducing redundant searchpaths without
*               providing a benefit. They can also cause errors in multilib
*               environments.
*    0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
*               nor relative filenames and can therefore be a SECURITY risk
*    0x0004 ... insecure RPATHs; these are relative RPATHs which are a
*               SECURITY risk
*    0x0008 ... the special '$ORIGIN' RPATHs are appearing after other
*               RPATHs; this is just a minor issue but usually unwanted
*    0x0010 ... the RPATH is empty; there is no reason for such RPATHs
*               and they cause unneeded work while loading libraries
*    0x0020 ... an RPATH references '..' of an absolute path; this will break
*               the functionality when the path before '..' is a symlink
*          
*
* Examples:
* - to ignore standard and empty RPATHs, execute 'rpmbuild' like
*   $ QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild my-package.src.rpm
* - to check existing files, set $RPM_BUILD_ROOT and execute check-rpaths like
*   $ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
*  
*******************************************************************************
ERROR   0002: file '/usr/libexec/installed-tests/glib/gdbus-peer' contains an invalid runpath '/usr/libexec/installed-tests/glib' in [/usr/libexec/installed-tests/glib]

which is coming from https://fedoraproject.org/wiki/Changes/Broken_RPATH_will_fail_rpmbuild.

Problem is the runpath here looks fine. It is an absolute filename, so I don't see why it should fail the 0x0002 check. And it's pointing to a location for private libraries, which is also supposed to be allowed. The installed tests will not work without it.

I'm going to use __brp_check_rpaths %{nil} to disable check-rpath for the entire package as a temporary workaround.
Comment 1 Jerry James 2021-06-17 15:55:03 UTC 
I hit the same problem with swift-antlr4-runtime (a subpackage of antlr4-project), which has an RPATH pointing to the Swift runtime libraries, which are under /usr/libexec.  The Swift support will not work unless it can find the Swift runtime, so in this case, too, the RPATH is valid.
Comment 2 Miro Hrončok 2021-06-23 09:07:51 UTC 
Verified the fix with sudo package. Thanks.
Comment 3 Michael Catanzaro 2021-06-23 13:25:35 UTC 
Confirmed fixed.
Note You need to log in before you can comment on or make changes to this bug.