Fabio Valentini wrote:
> And, lo and behold, now there's a third update for annobin:
> https://bodhi.fedoraproject.org/updates/FEDORA-2022-3dd2ddf4ab
> 
> The update for LLVM 14 was pushed to stable due to a freeze exception,
> but the GCC+annobin update is still in "testing".
> And now there's a new version of annobin in an additional update.
> 
> Please, given that we're *this close* to F36 release, coordinate
> better on updates for such "unimportant packages" as the default
> compiler toolchain ..

Given that this is not the first time that we have annobin-induced breakage 
endangering a release, I really have to wonder why we insist on shipping 
this debugging tool by default for production builds. I understand that the 
security team wants to analyze the annotations to, e.g., detect packages 
built with insecure flags, but I do not see why that analysis needs to be 
done on the official binary packages, i.e., why the packages cannot just 
(for that analysis) be rebuilt with annobin enabled on a private system that 
does not expose the entire community to the fragility of annobin (and the 
increased package sizes due to the annotations).

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org