On 19/04/17 00:45, Matthew Patton wrote:
>> I believe at one time it was possible to tell RPM to omit the
>> symbol table from stripping, but it seems this is no longer the
>> case. Other distributions suffer in the same way (I've observed it
>> on Gentoo as well).
>
> Surely we just need to revert whatever was introduced in 1.7.80 to
> "helpfully" strip it and also put 'jmap' at least and perhaps
> 'jstack' back into the non-devel RPM, which if I'm not mistaken was
> also a change about the same time. Jmap in particular is frequently
> used in production to measure health of a JVM and jstack to capture
> vital information in the event of a (semi-)crash, and where a core
> file (for security or space reasons) may not be permitted at all or
> to persist for very long.

We did look at this, but it would require some fairly complex changes
to RPM to allow us to selectively control debuginfo stripping. I
wonder if we could perhaps extract the small subset of debuginfo into
a separate before packaging.

> Yes, I'm sure developers like to use them too, but corporate
> security gets bent out of shape big time when it sees compilers and
> debuggers installed, so installing -devel is problematic.

Gosh, that problem hadn't even occurred to me. It's a mad world.

Andrew.