Add -Wl,--build-id=sha1 to the default LDFLAGS
This is already the default for ld.bfd, so this is effectively a no-op for most packages. However, lld defaults to a different build-id algorithm that the RPM build process does not support, so it needs this flag. This flag can be overridden by setting the %_build_id_flags macro, which packages could do if they wanted to use a more secure build-id algorithm.
parent faf5c36887
commit 95f28bd10b
@ -195,6 +195,13 @@ For example, this can be required if shared objects are used for their
|
|||||||
side effects in ELF constructors, or for making them available to
|
side effects in ELF constructors, or for making them available to
|
||||||
dynamically loaded plugins.
|
dynamically loaded plugins.
|
||||||
|
|
||||||
|
### Specifying the build-id algorithm
|
||||||
|
|
||||||
|
If you want to specify a different build-id algorithm for your builds, you
|
||||||
|
can use the %_build_id_flags macro:
|
||||||
|
|
||||||
|
%_build_id_flags -Wl,--build-id=sha1
|
||||||
|
|
||||||
### Strict symbol checks in the link editor (ld)
|
### Strict symbol checks in the link editor (ld)
|
||||||
|
|
||||||
Optionally, the link editor will refuse to link shared objects which
|
Optionally, the link editor will refuse to link shared objects which
|
||||||
|
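Review bot: The example under "Specifying the build-id algorithm" shows -Wl,--build-id=sha1, which is the same value the macros file sets by default, so it does not show a packager what an override looks like. The section also leaves out the constraint given in the commit message, that the RPM build process does not support the algorithm lld picks by default. Say in this section which build-id styles the RPM build process accepts, so that someone choosing a different one knows the build can fail.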
6
macros
6
macros
@ -72,7 +72,7 @@
|
|||||||
# When clang is used as a linker driver, it does not auto-detect the LTO
|
# When clang is used as a linker driver, it does not auto-detect the LTO
|
||||||
# bytecode and neither does bfd, so we need to explicitly pass the -flto
|
# bytecode and neither does bfd, so we need to explicitly pass the -flto
|
||||||
# flag when linking.
|
# flag when linking.
|
||||||
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ]
|
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ] %{_build_id_flags}
|
||||||
|
|
||||||
# Expands to shell code to set the compiler/linker environment
|
# Expands to shell code to set the compiler/linker environment
|
||||||
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
|
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
|
||||||
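Review bot: On the %build_ldflags line, %{_build_id_flags} is appended without the ? guard that %{?_lto_cflags} uses on the same line, so if a package undefines the macro the unexpanded text ends up in LDFLAGS. That matches the other unguarded macros on the line, but the documentation in this commit invites packagers to touch this one, so either state in the docs that the macro must be redefined rather than undefined, or note here why the unconditional form is intended. The comment block above the line still describes only the -flto case and could mention the build-id flag as well.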
@ -325,6 +325,10 @@ print(result)
|
|||||||
%_clang_lto_cflags -flto
|
%_clang_lto_cflags -flto
|
||||||
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
|
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
|
||||||
|
|
||||||
|
# Some linkers default to a build-id algoritim that is not supported by rpmbuild,
|
||||||
|
# so we need to specify the right algorithm to use.
|
||||||
|
%_build_id_flags -Wl,--build-id=sha1
|
||||||
|
|
||||||
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
|
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
|
||||||
%_warning_options -Wall -Werror=format-security
|
%_warning_options -Wall -Werror=format-security
|
||||||
%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
|
%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
|
||||||
|
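Review bot: The comment above %_build_id_flags misspells "algorithm" as "algoritim", and it says "Some linkers" where the commit message names lld specifically. Fix the spelling and name lld and the sha1 requirement in the comment, so the reason for the macro can be read from the macros file without going back to the commit message.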
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Summary: Red Hat specific rpm configuration files
|
Summary: Red Hat specific rpm configuration files
|
||||||
Name: redhat-rpm-config
|
Name: redhat-rpm-config
|
||||||
Version: 206
|
Version: 207
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
# No version specified.
|
# No version specified.
|
||||||
License: GPL+
|
License: GPL+
|
||||||
@ -190,6 +190,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
|
|||||||
%doc buildflags.md
|
%doc buildflags.md
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 14 2021 Tom Stellard <tstellar@redhat.com> - 207-1
|
||||||
|
- Add -Wl,--build-id=sha1 to the default LDFLAGS
|
||||||
|
|
||||||
* Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1
|
* Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1
|
||||||
- brp-mangle-shebangs: also mangle shebangs of JavaScript executables
|
- brp-mangle-shebangs: also mangle shebangs of JavaScript executables
|
||||||
- Fixes: rhbz#1998924
|
- Fixes: rhbz#1998924
|
||||||
|