On 01/29/2014 10:39 AM, Lukas Slebodnik wrote:
> On (29/01/14 09:46), Martin Kosek wrote:
>> On 01/28/2014 08:59 PM, Lukas Slebodnik wrote:
>>> On (28/01/14 20:56), Lukas Slebodnik wrote:
>>>> ehlo,
>>>>
>>>> How to test:
>>>> -remove line "%define _hardened_build 1" from spec file
>>>> -build freeipa package (it should fail)
>>>> -apply patch
>>>> -build freeipa package (it should work)
>>>>
>>>> simple patch attached.
>>>>
>>>> LS
>>>
>>>> >From 0ae1582770706f5a88980c0a16d4c64ce58c98e2 Mon Sep 17 00:00:00 2001
>>>> From: Lukas Slebodnik <[email protected]>
>>>> Date: Tue, 28 Jan 2014 19:58:40 +0100
>>>> Subject: [PATCH] Fix linking ipa-otpd with broken hardened build
>>>>
>>>> If there is problem with _hardened_build in rpm extra flag will not be
>>>> included
>>>> into CFLAGS and LDFLAGS ("-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" )
>>>> and it will cause problem with linking binary ipa-otpd.
>>>>
>>>> /usr/bin/ld: bind.o: relocation R_X86_64_32 against `.rodata.str1.8' can
>>>> not be
>>>> used when making a shared object; recompile with -fPIC
>>>> bind.o: error adding symbols: Bad value
>>>>
>>>> ipa-otpd will be linked successfully with this patch even if there is
>>>> problem
>>>> with hardened build on fedora.
>>>>
>>>> Resolves:
>>>> https://fedorahosted.org/freeipa/ticket/4142
>>>> --- >>>> daemons/ipa-otpd/Makefile.am | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am >>>> index >>>> f0b75284dbbd46265a6ff366a7846da63c935986..0716e75b72cb7fb3910350fc0f9439a23c0bcf29 >>>> 100644 >>>> --- a/daemons/ipa-otpd/Makefile.am >>>> +++ b/daemons/ipa-otpd/Makefile.am 
>>>> @@ -1,4 +1,4 @@ >>>> -AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ >>>> +AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -fPIE >>>> AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie >>>> -Wl,-z,relro -Wl,-z,now >>>> >>>> noinst_HEADERS = internal.h >>>> -- >>>> 1.8.5.3 >>>>
>>>
>>> I forgot to mention; patch applies only on ipa-3-3 branch, because file
>>> daemons/ipa-otpd/Makefile.am is different on master.
>>>
>>> LS
>>
>> Thanks Lukas, good investigation. This made me realize that the rawhide build
>> was indeed crashing due to missing section switching _hardened_build to 1 in
>> downstream repo. The build seems OK now.
>>
> I used srpm from fedora 20 build and _hardened_build was available in spec
> file. I expected all builds (f19, f20, rawhide) use the same spec file.
>
>> Do you still consider this patch as something that should be in git, given it
>> was caused by missing _hardened_build?
>>
> There is condition in spec file
> %if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> %define _hardened_build 1
> %endif
>
> So _hardened_build will not be defined on other platforms (e.g. opensuse)
> and there will be the same problem with linking ipa-otpd
>
> Other option is to remove "duplicated" hardened flags from AM_LDFLAGS
>
> -AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie > -Wl,-z,relro -Wl,-z,now > +AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
>
> LS
>
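Review bot: On the changed AM_CFLAGS line, -fPIE is appended unconditionally while the matching -pie -Wl,-z,relro -Wl,-z,now stay hard-coded on the unchanged AM_LDFLAGS line, so the compile and link halves of the hardening are still maintained by hand in two variables and nothing checks that the toolchain accepts them. Consider probing for these flags in configure and substituting one pair of variables, so -fPIE and -pie cannot drift apart again. The alternative quoted further down, dropping -pie -Wl,-z,relro -Wl,-z,now from AM_LDFLAGS, also fixes the link error, but on platforms where the spec condition does not define _hardened_build it leaves ipa-otpd with no PIE, RELRO or immediate binding at all; if that route is taken, the commit message should say that hardening then depends entirely on the flags the packager passes in.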
I chose to do the second option as I see this is what Honza did in master branch. Thus, I cherry picked his patch pushed to ipa-3-3: 2d90c138ea63a74c90142e19d733e8c89ce81dab

Martin
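A post-build check for the flags discussed in this thread (-pie, -Wl,-z,relro, -Wl,-z,now), as an added example that is not part of the original messages or of FreeIPA: it reads the ELF headers of a built binary such as ipa-otpd and reports whether it came out as PIE with RELRO and immediate binding. The function names and the header-only sample image are constructed for illustration, and only little-endian ELF64 is handled.

```python
import struct

# ELF constants (System V gABI and GNU extensions)
ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening(elf: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro, dyn = False, {}
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # emitted by -Wl,-z,relro
            relro = True
        elif p_type == PT_DYNAMIC:          # walk the dynamic section
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
           or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)   # set by -Wl,-z,now
    # For an executable, ET_DYN means it was linked with -pie.
    # RELRO without BIND_NOW is only partial RELRO (GOT stays writable).
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bool(now)}

def sample_elf(pie: bool, hardened_link: bool) -> bytes:
    """Constructed minimal ELF64 image (headers only, not runnable)."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if hardened_link else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, 64 + 2 * 56, len(dyn))]
    if hardened_link:
        phdrs.append((PT_GNU_RELRO, 0, 0))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3 if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 8)
                    for t, off, size in phdrs)
    return (ehdr + body).ljust(64 + 2 * 56, b"\0") + dyn

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf(True, True)
    print(hardening(data))
```

Run against the installed binary after each packaging change; a result with any field false means the build environment did not supply the flag that the Makefile no longer sets.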
