Strip all extension builder flags except -fexceptions and -fcf-protection
This preserves binary compatibility with the main interpreters the extensions are built against, while removing the Fedora flags that user-built extensions are not required to inherit. This implements https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
parent
f447520e2d
commit
7331757cf1
@ -660,16 +660,11 @@ with such toolchains.
|
||||
The macros `%{extension_cflags}`, `%{extension_cxxflags}`,
|
||||
`%{extension_fflags}`, `%{extension_ldflags}` contain a subset of
|
||||
flags that have been adjusted for compatibility with alternative
|
||||
toolchains, while still preserving some of the compile-time security
|
||||
hardening that the standard Fedora build flags provide.
|
||||
toolchains.
|
||||
|
||||
The current set of differences are:
|
||||
|
||||
* No GCC plugins (such as annobin) are activated.
|
||||
* No GCC spec files (`-specs=` arguments) are used.
|
||||
|
||||
Additional flags may be removed in the future if they prove to be
|
||||
incompatible with alternative toolchains.
|
||||
Currently the -fexceptions and -fcf-protection flags are preserved
|
||||
for binary compatibility with the languages the extensions are
|
||||
built against.
|
||||
|
||||
Extension builders should detect whether they are performing a regular
|
||||
RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this
|
||||
|
18
macros
18
macros
@ -113,13 +113,19 @@
|
||||
# Internal-only. Do not use. Expand a variable and strip the flags
|
||||
# not suitable to extension builders.
|
||||
%__extension_strip_flags() %{lua:
|
||||
--the only argument to this macro is the "name" of the flags we strip (e.g. cflags, ldflags, etc.)
|
||||
local name = rpm.expand("%{1}")
|
||||
local value = " " .. rpm.expand("%{build_" .. name .. "}")
|
||||
local specs_pattern = "%s+-specs=[^%s]+"
|
||||
local lto_flags_pattern = rpm.expand("%{?_lto_cflags}"):gsub("[%-%.]", "%%%1")
|
||||
local package_note_flags_pattern = "%-Wl,%S*package_note%S*"
|
||||
local result = value:gsub(specs_pattern, " "):gsub(lto_flags_pattern, ""):gsub(package_note_flags_pattern, "")
|
||||
print(result)
|
||||
--store all the individual flags in a variable as a continuous string
|
||||
local flags = rpm.expand("%{build_" .. name .. "}")
|
||||
--create an empty table for the minimal set of flags we wanna preserve
|
||||
local stripped_flags = { }
|
||||
--iterate over the individual flags and store the ones we want in the table as unique keys
|
||||
for flag in flags:gmatch("%S+") do
|
||||
if flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection") then
|
||||
stripped_flags[flag] = true end
|
||||
end
|
||||
--print out the finalized set of flags for use by the extension builders
|
||||
for k,_ in pairs(stripped_flags) do print(k .. " ") end
|
||||
}
|
||||
|
||||
# Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within
|
||||
|
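Review bot: The closing loop prints the kept flags with `pairs(stripped_flags)`, and Lua does not define the traversal order of a table, so `%{extension_cflags}` and its siblings can expand to a differently ordered string on each evaluation (the new runtest.sh accepts both orders for exactly this reason). Anything that records the expanded value at build time then differs between otherwise identical builds, which gets in the way of reproducible-build verification. Collecting the matches in an array in first-seen order, with the table used only to drop duplicates, keeps the expansion stable; note that the sketch below also drops the trailing space after the last flag. Since every other option is now discarded, the `# Internal-only` comment should also state that hardening options present in `%{build_cflags}` and `%{build_ldflags}` are deliberately not passed on to extension builds.

```lua
-- … unchanged: expansion of name and flags …
local seen = { }
local kept = { }
for flag in flags:gmatch("%S+") do
  local wanted = flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection")
  if wanted and not seen[flag] then
    seen[flag] = true
    kept[#kept + 1] = flag
  end
end
-- emit the flags in the order they appear in %{build_<name>}
print(table.concat(kept, " "))
```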
@ -4,7 +4,7 @@
|
||||
# 2) When making changes, increment the version (in baserelease) by 1.
|
||||
# rpmdev-bumpspec and other tools update the macro below, which is used
|
||||
# in Version: to get the desired effect.
|
||||
%global baserelease 261
|
||||
%global baserelease 262
|
||||
|
||||
Summary: Red Hat specific rpm configuration files
|
||||
Name: redhat-rpm-config
|
||||
@ -254,6 +254,10 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
|
||||
%doc buildflags.md
|
||||
|
||||
%changelog
|
||||
* Wed Aug 02 2023 Charalampos Stratakis <cstratak@redhat.com> - 262-1
|
||||
- Strip all extension builder flags except -fexceptions and -fcf-protection
|
||||
- https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
|
||||
|
||||
* Fri Jul 7 2023 Florian Weimer <fweimer@redhat.com> - 261-1
|
||||
- Fix warnings that appear during the build of the llvm package
|
||||
|
||||
|
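--- a/tests/extension-builder-flags/main.fmf
+++ b/tests/extension-builder-flags/main.fmf
@@ -0,0 +1,5 @@
+summary: Test that the extension builder flags contain the proper flags
+require:
+- redhat-rpm-config
+test: ./runtest.sh
+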
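--- a/tests/extension-builder-flags/runtest.sh
+++ b/tests/extension-builder-flags/runtest.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -ex
+# Verify that the extension builder flags are stripped of non-required flags.
+# The flags may appear in random order due to being accessed through a lua
+# associative array.
+for f in %{extension_cflags} %{extension_cxxflags} %{extension_fflags}; do
+[[ $(rpm --eval "$f") =~ ^[[:space:]]*(-fexceptions -fcf-protection|-fcf-protection -fexceptions)[[:space:]]*$ ]]
+done
+# The extension ldflag should always be empty
+[[ -z $(rpm --eval "%extension_ldflags") ]]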
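Review bot: The loop passes only when each macro expands to exactly the pair `-fexceptions -fcf-protection`, so it will fail on any target whose `%{build_cflags}` lacks one of the two; `-fcf-protection` is an x86 control-flow option in GCC, so other architectures presumably do not set it (worth confirming against the per-arch flags). The macro also keeps prefix matches such as a `-fcf-protection=<value>` spelling, which this regex would reject. Deriving the expected value from `%{build_<name>}` with the same filter, and comparing sorted lists, keeps the check strict without hard-coding one architecture's flag set, as in the sketch below.

```shell
# … unchanged: shebang, set -ex …
normalize() { tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u; }
for name in cflags cxxflags fflags; do
    expected=$(rpm --eval "%{build_${name}}" | normalize | grep -E '^-f(exceptions|cf-protection)' || true)
    actual=$(rpm --eval "%{extension_${name}}" | normalize)
    [[ "$actual" == "$expected" ]]
done
# … unchanged: %extension_ldflags must be empty …
```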