On 11/13/19 8:23 PM, Jeff Law wrote:
On 11/13/19 2:37 AM, Martin Liška wrote:

As Nick also mentioned many times, -grecord-gcc-switches is in DWARF
and this causes a great disadvantage: it gets stripped out.

Well, that's still something I disagree with. I bet Red Hat, similarly to
openSUSE, is also building all packages with debug info, which
is later stripped and put into a foo-devel package. That's why one can
easily read the compile options from these sub-packages.
My motivation is to write an rpm linter check that will verify that all
object files really used the flags we expect.

Hi.

Right.  We inject -g into the default build flags.  We extract the
resultant debug info into a .debuginfo RPM.

Which means it would be possible for you to run an rpm check on the .debuginfo
RPM packages. Right?


The original motivation behind annobin was to verify how well the
injection mechanism worked.

I thought the original motivation was to provide a sanity check at the RPM level
which would verify that all object files use the proper $Optflags
(mainly security-hardening ones like -D_FORTIFY_SOURCE=1,
-fstack-protector-strong, -fstack-clash-protection, ...)?
And so that you can guarantee that the packages are "safe" :)

Martin

We originally wanted to do something like
what Egeyar has done, but it's been proposed in the past and was highly
controversial.  Rather than fight that problem or have a Red Hat
specific patch, we built annobin/annocheck which (IMHO) handles this
kind of need quite well.


Jeff
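The rpm linter check Martin describes, reading the switches that -grecord-gcc-switches stores in DW_AT_producer and confirming the hardening $Optflags are still in effect, as an added example that is not code from the thread or from annobin. It assumes the producer strings have already been dumped with `readelf --debug-dump=info` (the excerpt below is constructed) and that the compiler records -D/-U options in the producer string, which is an assumption about the toolchain.

```python
"""Lint the flags GCC records with -grecord-gcc-switches (DW_AT_producer)."""
import re

# Hardening families modelled on the $Optflags named in the thread (constructed
# policy). GCC lets the last option in a family win, so the checker tracks the
# last matching token and then asks whether it is an enabling spelling.
FAMILIES = {
    "stack-protector": (re.compile(r"^-f(no-)?stack-protector(-\w+)?$"),
                        {"-fstack-protector-strong", "-fstack-protector-all"}),
    "stack-clash":     (re.compile(r"^-f(no-)?stack-clash-protection$"),
                        {"-fstack-clash-protection"}),
    # Assumption: the compiler records -D/-U options in the producer string.
    "fortify":         (re.compile(r"^-[DU]_FORTIFY_SOURCE(=\d+)?$"),
                        {"-D_FORTIFY_SOURCE", "-D_FORTIFY_SOURCE=1",
                         "-D_FORTIFY_SOURCE=2", "-D_FORTIFY_SOURCE=3"}),
}

# One DW_AT_producer line in the layout `readelf --debug-dump=info` prints.
PRODUCER_RE = re.compile(
    r"DW_AT_producer\s*:\s*(?:\(indirect string, offset: 0x[0-9a-fA-F]+\):\s*)?(.+)$",
    re.MULTILINE)


def missing_hardening(producer):
    """Names of families that are absent or disabled in one producer string."""
    last = {}
    for tok in producer.split():
        for name, (pattern, _) in FAMILIES.items():
            if pattern.match(tok):
                last[name] = tok  # later options override earlier ones
    return sorted(name for name, (_, enabling) in FAMILIES.items()
                  if last.get(name) not in enabling)


def lint_readelf_output(text):
    """Map each failing compilation unit's producer string to its missing
    families; an empty dict means every unit carried the expected flags."""
    report = {}
    for m in PRODUCER_RE.finditer(text):
        producer = m.group(1).strip()
        problems = missing_hardening(producer)
        if problems:
            report[producer] = problems
    return report


# Constructed readelf excerpt: one unit built with the expected flags, one where
# a later -fno-stack-protector undid the hardening and fortify was never set.
SAMPLE = """\
 <c>   DW_AT_producer    : (indirect string, offset: 0x1a): GNU C17 9.2.1 20191113 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong -fstack-clash-protection -D_FORTIFY_SOURCE=2
 <2f>  DW_AT_producer    : (indirect string, offset: 0xc4): GNU C17 9.2.1 20191113 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong -fno-stack-protector -fstack-clash-protection
"""

if __name__ == "__main__":
    for producer, problems in lint_readelf_output(SAMPLE).items():
        print("FAIL", problems, "<-", producer)
```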

