Bug 977446 - Review Request: nbdkit - NBD server
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Matthew Booth
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-24 10:50 EDT by Richard W.M. Jones
Modified: 2013-07-02 23:31 EDT
Fixed In Version: nbdkit-1.0.0-4.fc19
Doc Type: Bug Fix
Last Closed: 2013-07-02 21:43:12 EDT
mbooth: fedora‑review+
limburgher: fedora‑cvs+


Description Richard W.M. Jones 2013-06-24 10:50:22 EDT
Spec URL: http://git.annexia.org/?p=fedora-specs.git;a=blob_plain;f=nbdkit.spec;hb=HEAD
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-1.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones

https://github.com/libguestfs/nbdkit

NBD is a protocol for accessing block devices (hard disks and
disk-like things) over the network.

'nbdkit' is a toolkit for creating NBD servers.

The key features are:

* Multithreaded NBD server written in C with good performance.

* Well-documented, simple plugin API with a stable ABI guarantee.
  Lets you export "unconventional" block devices easily.

* Liberal license (BSD) allows nbdkit to be linked to proprietary
  libraries or included in proprietary code.

Several example plugins are included in the package.

To develop plugins, install the nbdkit-devel package and start by
reading the nbdkit(1) and nbdkit-plugin(3) manual pages.
Comment 1 Richard W.M. Jones 2013-06-24 11:04:26 EDT
Koji scratch build against f20:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5535852

rpmlint output:

nbdkit.src: W: spelling-error %description -l en_US devel -> delve, devil, revel
nbdkit.x86_64: W: spelling-error %description -l en_US devel -> delve, devil, revel
4 packages and 0 specfiles checked; 0 errors, 2 warnings.
Comment 2 Richard W.M. Jones 2013-06-24 11:06:57 EDT
We might want to put the plugins in a subpackage (now or
later).  The reason is that if we have them in the main
nbdkit package, then that package will depend on all the
libraries that the plugins need.  Currently:

$ rpm -qR nbdkit
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_2.7)(64bit)
libc.so.6(GLIBC_2.8)(64bit)
libdl.so.2()(64bit)
libdl.so.2(GLIBC_2.2.5)(64bit)
libgcc_s.so.1()(64bit)
libgcc_s.so.1(GCC_3.0)(64bit)
libgcc_s.so.1(GCC_3.3.1)(64bit)
liblzma.so.5()(64bit)                 # needed by xz plugin
liblzma.so.5(XZ_5.0)(64bit)
libpthread.so.0()(64bit)
libpthread.so.0(GLIBC_2.2.5)(64bit)
libvirt.so.0()(64bit)                 # needed by libvirt plugin
libvirt.so.0(LIBVIRT_0.0.3)(64bit)
libvirt.so.0(LIBVIRT_0.4.2)(64bit)
libvirt.so.0(LIBVIRT_0.8.1)(64bit)
libz.so.1()(64bit)                    # needed by gzip plugin
libz.so.1(ZLIB_1.2.3.5)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rtld(GNU_HASH)
rpmlib(PayloadIsXz) <= 5.2-1
Comment 3 Richard W.M. Jones 2013-06-24 11:23:18 EDT
Apparently fedora-review doesn't like my spec URL.
Comment 4 Richard W.M. Jones 2013-06-24 11:23:45 EDT
Spec URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit.spec
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-1.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones
Comment 5 Matthew Booth 2013-06-24 11:49:33 EDT
Raw fedora-review output:

===== MUST items =====

C/C++:
[ ]: Package does not contain kernel modules.
[ ]: Package contains no static executables.
[ ]: Development (unversioned) .so files in -devel subpackage, if present.
     Note: Unversioned so-files in private %_libdir subdirectory (see
     attachment). Verify they are not in ld path.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[ ]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[ ]: %build honors applicable compiler flags or justifies otherwise.
[ ]: Package contains no bundled libraries without FPC exception.
[ ]: Changelog in prescribed format.
[ ]: Sources contain only permissible code or content.
[ ]: Package contains desktop file if it is a GUI application.
[ ]: Development files must be in a -devel package
[ ]: Package requires other packages for directories it uses.
[ ]: Package uses nothing in %doc for runtime.
[ ]: Package is not known to require ExcludeArch.
[ ]: Fully versioned dependency in subpackages, if present.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in nbdkit-
     devel
[ ]: Package complies to the Packaging Guidelines
[ ]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "BSD (3 clause)", "GPL (v2 or later)". Detailed output of licensecheck in
     /home/mbooth/977446-nbdkit/licensecheck.txt
[ ]: License file installed when any subpackage combination is installed.
[ ]: Package consistently uses macro is (instead of hard-coded directory
     names).
[ ]: Package is named according to the Package Naming Guidelines.
[ ]: Package does not generate any conflict.
[ ]: Package obeys FHS, except libexecdir and /usr/target.
[ ]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[ ]: Package must own all directories that it creates.
[ ]: Package does not own files or directories owned by other packages.
[ ]: Requires correct, justified where necessary.
[ ]: Spec file is legible and written in American English.
[ ]: Package contains systemd file(s) if in need.
[ ]: Useful -debuginfo package or justification otherwise.
[ ]: Large documentation must go in a -doc subpackage.
     Note: Documentation size is 40960 bytes in 8 files.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: Package use %makeinstall only when make install' ' DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package do not use a name that already exist
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).

===== SHOULD items =====

Generic:
[ ]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[ ]: Final provides and requires are sane (see attachments).
[ ]: Package functions as described.
[ ]: Latest version is packaged.
[ ]: Package does not include license text files separate from upstream.
[ ]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[ ]: Package should compile and build into binary rpms on all supported
     architectures.
[ ]: %check is present and all tests pass.
[ ]: Packages should try to preserve timestamps of original installed files.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Uses parallel make.
[x]: SourceX tarball generation or download is documented.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define.

===== EXTRA items =====

Generic:
[x]: Large data in /usr/share should live in a noarch subpackage if package is
     arched.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: nbdkit-1.0.0-1.fc18.x86_64.rpm
          nbdkit-devel-1.0.0-1.fc18.x86_64.rpm
nbdkit.x86_64: W: spelling-error %description -l en_US devel -> delve, devil, revel
2 packages and 0 specfiles checked; 0 errors, 1 warnings.




Rpmlint (installed packages)
----------------------------
# rpmlint nbdkit-devel nbdkit
nbdkit.x86_64: W: spelling-error %description -l en_US devel -> delve, devil, revel
2 packages and 0 specfiles checked; 0 errors, 1 warnings.
# echo 'rpmlint-done:'



Requires
--------
nbdkit-devel (rpmlib, GLIBC filtered):
    nbdkit

nbdkit (rpmlib, GLIBC filtered):
    libc.so.6()(64bit)
    libdl.so.2()(64bit)
    libgcc_s.so.1()(64bit)
    libgcc_s.so.1(GCC_3.0)(64bit)
    libgcc_s.so.1(GCC_3.3.1)(64bit)
    liblzma.so.5()(64bit)
    liblzma.so.5(XZ_5.0)(64bit)
    libpthread.so.0()(64bit)
    libvirt.so.0()(64bit)
    libvirt.so.0(LIBVIRT_0.0.3)(64bit)
    libvirt.so.0(LIBVIRT_0.4.2)(64bit)
    libvirt.so.0(LIBVIRT_0.8.1)(64bit)
    libz.so.1()(64bit)
    libz.so.1(ZLIB_1.2.3.5)(64bit)
    rtld(GNU_HASH)



Provides
--------
nbdkit-devel:
    nbdkit-devel
    nbdkit-devel(x86-64)

nbdkit:
    nbdkit
    nbdkit(x86-64)
    nbdkit-example1-plugin.so()(64bit)
    nbdkit-example2-plugin.so()(64bit)
    nbdkit-example3-plugin.so()(64bit)
    nbdkit-file-plugin.so()(64bit)
    nbdkit-gzip-plugin.so()(64bit)
    nbdkit-libvirt-plugin.so()(64bit)
    nbdkit-xz-plugin.so()(64bit)



Unversioned so-files
--------------------
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-file-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-gzip-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-libvirt-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so

Source checksums
----------------
http://libguestfs.org/download/nbdkit/nbdkit-1.0.0.tar.gz :
  CHECKSUM(SHA256) this package     : d7c46d60f071c5d85da50bb39d1551273a6c5f6cd88ed34fd89ce58335734972
  CHECKSUM(SHA256) upstream package : d7c46d60f071c5d85da50bb39d1551273a6c5f6cd88ed34fd89ce58335734972


Generated by fedora-review 0.4.1 (b2e211f) last change: 2013-04-29
Buildroot used: fedora-18-x86_64
Command line :/usr/bin/fedora-review -b 977446
Comment 6 Matthew Booth 2013-06-24 12:01:34 EDT
QUERIES
=======

It's a server, but it doesn't contain a systemd unit. Should it?

PROBLEMS
========

I'm pretty sure the %changelog format should be:
* Mon Jun 24 2013 Richard W.M. Jones <rjones@redhat.com> - 1.0.0-1
(Note the additional '-', no idea why)

Missing fully versioned dependency on -devel package:
 Requires: %{name}%{?_isa} = %{version}-%{release} in nbdkit-devel

Example plugins are all packaged and installed, including:
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so
nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so


REPORTED NON-PROBLEMS
=====================

Detected GPL (v2 or later) is a false positive on ltmain.sh
Comment 7 Björn 'besser82' Esser 2013-06-24 12:05:21 EDT
(In reply to Matthew Booth from comment #6)
> QUERIES
> =======
> 
> It's a server, but it doesn't contain a systemd unit. Should it?

It's a server/daemon, but spec doesn't enable hardened build. Why?
Comment 8 Richard W.M. Jones 2013-06-24 12:10:39 EDT
(In reply to Matthew Booth from comment #6)
> QUERIES
> =======
> 
> It's a server, but it doesn't contain a systemd unit. Should it?

Good question, but I think not.  The reason is that you
can't "just run" it without at least specifying a plugin
and a file to serve, and even if you assume the default
plugin should be 'file' it's not clear what file you would
want to serve by default.

> PROBLEMS
> ========
> 
> I'm pretty sure the %changelog format should be:
> * Mon Jun 24 2013 Richard W.M. Jones <rjones@redhat.com> - 1.0.0-1
> (Note the additional '-', no idea why)

Fixed.

> Missing fully versioned dependency on -devel package:
>  Requires: %{name}%{?_isa} = %{version}-%{release} in nbdkit-devel

I guess missing %{?_isa}?  Fixed.

> Example plugins are all packaged and installed, including:
> nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
> nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so
> nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so

Yup, that's intentional.

> 
> REPORTED NON-PROBLEMS
> =====================
> 
> Detected GPL (v2 or later) is a false positive on ltmain.sh

Second version is here:

Spec URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit.spec
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-2.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones
Comment 9 Richard W.M. Jones 2013-06-24 12:12:38 EDT
Third version adds _hardened_build:

Spec URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit.spec
SRPM URL: http://oirase.annexia.org/reviews/nbdkit/nbdkit-1.0.0-3.fc18.src.rpm
Description: NBD server
Fedora Account System Username: rjones
Comment 10 Björn 'besser82' Esser 2013-06-24 12:18:56 EDT
(In reply to Richard W.M. Jones from comment #9)
> Third version adds _hardened_build:

The sbin looks fine:

usr/sbin/nbdkit:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
	unprotected: poll
	unprotected: read
	unprotected: memcpy
	protected: snprintf
	protected: vfprintf
	protected: read
	protected: asprintf
	protected: memcpy
	protected: printf
	protected: fprintf
 Read-only relocations: yes
 Immediate binding: yes


Unfortunately the plugins do not:

usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: no, not found!


usr/lib64/nbdkit/plugins/nbdkit-example2-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: pread
 Read-only relocations: yes
 Immediate binding: no, not found!


usr/lib64/nbdkit/plugins/nbdkit-example3-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
	unprotected: pread
 Read-only relocations: yes
 Immediate binding: no, not found!


usr/lib64/nbdkit/plugins/nbdkit-file-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
	unprotected: pread
 Read-only relocations: yes
 Immediate binding: no, not found!


usr/lib64/nbdkit/plugins/nbdkit-gzip-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!


usr/lib64/nbdkit/plugins/nbdkit-libvirt-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!


usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
	unprotected: read
	unprotected: memcpy
	protected: read
 Read-only relocations: yes
 Immediate binding: no, not found!
Comment 11 Richard W.M. Jones 2013-06-24 12:25:37 EDT
(In reply to Björn Esser from comment #10)
> Unfortunately the plugins do not:
> 
> usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
>  Position Independent Executable: no, regular shared library (ignored)
>  Stack protected: no, not found!
>  Fortify Source functions: no, only unprotected functions found!
> 	unprotected: memcpy
>  Read-only relocations: yes
>  Immediate binding: no, not found!

I have no idea -- they're just built using standard automake
libtool rules, eg:

https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/Makefile.am#L37

We don't remove any options from CFLAGS.
Comment 12 Matthew Booth 2013-06-24 12:34:38 EDT
Discussion of _hardened_build options aside, I think this meets the packaging guidelines. That could perhaps move into a separate BZ so it doesn't get lost.
Comment 13 Björn 'besser82' Esser 2013-06-24 12:36:33 EDT
(In reply to Richard W.M. Jones from comment #11)
> I have no idea -- they're just built using standard automake
> libtool rules, eg:
> 
> https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/Makefile.am#L37
> 
> We don't remove any options from CFLAGS.

but autocrap's libtool does when assembling single objects to lib.so

adding this BEFORE %configure in spec-file should fix one issue:

# force Immediate binding for hardened build with autocrap libtool
export LDFLAGS="$LDFLAGS -Wl,-z,now"
Comment 14 Richard W.M. Jones 2013-06-24 12:48:29 EDT
(In reply to Björn Esser from comment #13)
> (In reply to Richard W.M. Jones from comment #11)
> > I have no idea -- they're just built using standard automake
> > libtool rules, eg:
> > 
> > https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/Makefile.am#L37
> > 
> > We don't remove any options from CFLAGS.
> 
> but autocrap's libtool does when assembling single objects to lib.so
> 
> adding this BEFORE %configure in spec-file should fix one issue:
> 
> # force Immediate binding for hardened build with autocrap libtool
> export LDFLAGS="$LDFLAGS -Wl,-z,now"

It's still not quite right.  With this change, I get:

$ hardening-check /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
/usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

It looks like fortify source CFLAGS are being dropped somewhere.
Comment 15 Richard W.M. Jones 2013-06-24 12:50:40 EDT
New Package SCM Request
=======================
Package Name: nbdkit
Short Description: NBD server
Owners: rjones
Branches: f18 f19
InitialCC:
Comment 16 Gwyn Ciesla 2013-06-24 13:22:44 EDT
Git done (by process-git-requests).
Comment 17 Björn 'besser82' Esser 2013-06-24 13:23:40 EDT
(In reply to Richard W.M. Jones from comment #14)
> It's still not quite right.  With this change, I get:
> 
> $ hardening-check /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
> /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
>  Position Independent Executable: no, regular shared library (ignored)
>  Stack protected: no, not found!
>  Fortify Source functions: no, only unprotected functions found!
>  Read-only relocations: yes
>  Immediate binding: yes
> 
> It looks like fortify source CFLAGS are being dropped somewhere.

According to build.log CFLAGS are always applied correctly.  Do these plugins which fail stack-protector even do any operation on stack or are they performing on heap, only?
Comment 18 Richard W.M. Jones 2013-06-24 13:31:52 EDT
(In reply to Björn Esser from comment #17)
> According to build.log CFLAGS are always applied correctly.  Do these
> plugins which fail stack-protector even do any operation on stack or are
> they performing on heap, only?

There's really no "funny business" about them at all.  See:

https://github.com/libguestfs/nbdkit/blob/master/plugins/example1/example1.c
https://github.com/libguestfs/nbdkit/blob/master/plugins/example2/example2.c
https://github.com/libguestfs/nbdkit/blob/master/plugins/example3/example3.c

The first one happens to have a large uninitialized data
section, but the others are just normal C code.  None of them
are fortified according to hardening-check.
Comment 19 Fedora Update System 2013-06-24 13:57:51 EDT
nbdkit-1.0.0-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nbdkit-1.0.0-4.fc19
Comment 20 Fedora Update System 2013-06-24 13:58:12 EDT
nbdkit-1.0.0-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/nbdkit-1.0.0-4.fc18
Comment 21 Richard W.M. Jones 2013-06-24 16:11:09 EDT
(In reply to Björn Esser from comment #17)
> (In reply to Richard W.M. Jones from comment #14)
> > It's still not quite right.  With this change, I get:
> > 
> > $ hardening-check /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so
> > /usr/lib64/nbdkit/plugins/nbdkit-example1-plugin.so:
> >  Position Independent Executable: no, regular shared library (ignored)
> >  Stack protected: no, not found!
> >  Fortify Source functions: no, only unprotected functions found!
> >  Read-only relocations: yes
> >  Immediate binding: yes
> > 
> > It looks like fortify source CFLAGS are being dropped somewhere.
> 
> According to build.log CFLAGS are always applied correctly.  Do these
> plugins which fail stack-protector even do any operation on stack or are
> they performing on heap, only?

OK looks like this is a false alarm:
https://lists.fedoraproject.org/pipermail/devel/2013-June/184424.html

I have checked the xz plugin and it is indeed being fully
hardened:
https://lists.fedoraproject.org/pipermail/devel/2013-June/184428.html
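
Added example (not part of the thread or of nbdkit's packaging): a shell check that reads `readelf -W -l -d --dyn-syms` output and fails only on the linker-level settings discussed in comments 13 and 14, while reporting absent stack-protector and fortify symbols as inconclusive, in line with the false-alarm conclusion in comment 21. The function names and the sample readelf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread. Classifies one ELF object from the
# text printed by:  readelf -W -l -d --dyn-syms FILE

elf_hardening() {
    awk '
        BEGIN { relro = "no"; now = "no"
                canary = "inconclusive"; fortify = "inconclusive" }
        /GNU_RELRO/                 { relro = "yes" }    # PT_GNU_RELRO segment
        /\(BIND_NOW\)/              { now = "yes" }      # DT_BIND_NOW tag
        /\(FLAGS\)/ && /BIND_NOW/   { now = "yes" }      # DT_FLAGS value
        /\(FLAGS_1\)/ && /NOW/      { now = "yes" }      # DT_FLAGS_1 value
        / __stack_chk_fail(@| |$)/  { canary = "yes" }   # canary failure handler
        / __[a-z_]+_chk(@| |$)/     { fortify = "yes" }  # fortified libc wrapper
        END { printf "relro=%s bind_now=%s stack_protector=%s fortify=%s\n", relro, now, canary, fortify }
    '
}

# Gate for a build script: exit status 0 only when RELRO and immediate
# binding are both present. Symbol-based results are printed but never fail
# the gate, because a missing symbol does not prove a missing compiler flag.
gate() {
    report=$(elf_hardening)
    echo "$report"
    case "$report" in
        *"relro=yes bind_now=yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a plugin linked without -z now.
sample_lazy_plugin() {
cat <<'EOF'
  GNU_RELRO      0x000de0 0x0000000000200de0 0x0000000000200de0 0x000220 0x000220 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
}

# Constructed sample: the same plugin after LDFLAGS gained -Wl,-z,now.
sample_now_plugin() {
cat <<'EOF'
  GNU_RELRO      0x000de0 0x0000000000200de0 0x0000000000200de0 0x000220 0x000220 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
}

# Constructed sample: an object that references the canary handler and a
# fortified wrapper.
sample_fortified() {
cat <<'EOF'
  GNU_RELRO      0x000de0 0x0000000000200de0 0x0000000000200de0 0x000220 0x000220 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

# Demo on the constructed samples. On a real file, pipe readelf into gate:
#   readelf -W -l -d --dyn-syms plugin.so | gate
sample_lazy_plugin | gate || echo "FAIL: lazy binding"
sample_now_plugin  | gate && echo "PASS: RELRO and immediate binding"
sample_fortified   | gate && echo "PASS: RELRO and immediate binding"
```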
Comment 22 Fedora Update System 2013-06-24 23:27:17 EDT
nbdkit-1.0.0-4.fc18 has been pushed to the Fedora 18 testing repository.
Comment 23 Fedora Update System 2013-07-02 21:43:12 EDT
nbdkit-1.0.0-4.fc18 has been pushed to the Fedora 18 stable repository.
Comment 24 Fedora Update System 2013-07-02 23:31:58 EDT
nbdkit-1.0.0-4.fc19 has been pushed to the Fedora 19 stable repository.
