Compare commits

No commits in common. "imports/c8-beta/redhat-rpm-config-123-1.el8" and "c8" have entirely different histories.

10 changed files with 601 additions and 34 deletions

View File

@ -93,7 +93,14 @@ while IFS= read -r line; do
fi
read shebang_line < "$f"
if ! read shebang_line < "$f"; then
echo >&2 "*** WARNING: Cannot read the first line from $f, removing executable bit"
ts=$(stat -c %y "$f")
chmod -x "$f"
touch -d "$ts" "$f"
continue
fi
orig_shebang="${shebang_line#\#!}"
if [ "$orig_shebang" = "$shebang_line" ]; then
echo >&2 "*** WARNING: $f is executable but has no shebang, removing executable bit"
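Review bot: In the new `if ! read shebang_line < "$f"` test, `read` also returns non-zero when it reaches end of file before seeing a newline, even though it has still stored the partial line in `shebang_line`. A file whose only content is a shebang line with no trailing newline therefore takes the "Cannot read the first line" branch and loses its executable bit. If that is the intended outcome, the warning text should say the line is unterminated rather than unreadable; if not, also check `[ -n "$shebang_line" ]` before treating the read as a failure.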

View File

@ -13,6 +13,8 @@ this:
This will invoke the `./configure` with arguments (such as
`--prefix=/usr`) to adjust the paths to the packaging defaults.
Prior to that, some common problems in autotools scripts are
automatically patched across the source tree.
As a side effect, this will set the environment variables `CFLAGS`,
`CXXFLAGS`, `FFLAGS`, `FCFLAGS`, and `LDFLAGS`, so they can be used by
@ -25,7 +27,8 @@ environment variables using
%set_build_flags
early in the `%build` section. (Again, existing environment variables
are not overwritten.)
are not overwritten.) `%set_build_flags` does not perform autotools
script rewriting, unlike `%configure`.
Individual build flags are also available through RPM macros:
@ -66,11 +69,24 @@ For other considerations involving shared objects, see:
* [Fedora Packaging Guidelines: Shared Libraries](https://fedoraproject.org/wiki/Packaging:Guidelines#Shared_Libraries)
# Customizing compiler flags
# Customizing compiler and other build flags
It is possible to set RPM macros to change some aspects of the
compiler flags. Changing these flags should be used as a last
recourse if other workarunds are not available.
recourse if other workarounds are not available.
### Disable autotools compatibility patching
By default, the invocation of the `%configure` macro replaces
`config.guess` files in the source tree with the system version. To
disable that, define this macro:
%global _configure_gnuconfig_hack 0
`%configure` also patches `ltmain.sh` scripts, so that linker flags
are set as well during libtool-. This can be switched off using:
%global _configure_libtool_hardening_hack 0
### Lazy binding
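Review bot: The sentence added for `ltmain.sh` ends in "during libtool-." and reads as cut off mid-word, so the reader cannot tell at which step the linker flags are applied; please complete it. The two macro examples (`%global _configure_gnuconfig_hack 0` and `%global _configure_libtool_hardening_hack 0`) would also be easier to spot if they were set apart as indented literal lines, the way `%set_build_flags` is shown earlier in the file.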
@ -145,6 +161,63 @@ to the RPM spec file to disable these strict checks. Alternatively,
you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc
command line). The latter needs binutils 2.29.1-12.fc28 or later.
### Post-build ELF object processing
By default, DWARF debugging information is separated from installed
ELF objects and put into `-debuginfo` subpackages. To disable most
debuginfo processing (and thus the generation of these subpackages),
define `_enable_debug_packages` as `0`.
Processing of debugging information is controlled using the
`find-debuginfo` tool from the `debugedit` package. Several aspects
of its operation can be controlled at the RPM level.
* Creation of `-debuginfo` subpackages is enabled by default.
To disable, undefine `_debuginfo_subpackages`.
* Likewise, `-debugsource` subpackages are automatically created.
To disable, undefine `_debugsource_subpackages`.
See [Separate Subpackage and Source Debuginfo](https://fedoraproject.org/wiki/Changes/SubpackageAndSourceDebuginfo)
for background information.
* `_build_id_links`, `_unique_build_ids`, `_unique_debug_names`,
`_unique_debug_srcs` control how debugging information and
corresponding source files are represented on disk.
See `/usr/lib/rpm/macros` for details. The defaults
enable parallel installation of `-debuginfo` packages for
different package versions, as described in
[Parallel Installable Debuginfo](https://fedoraproject.org/wiki/Changes/ParallelInstallableDebuginfo).
* By default, a compressed symbol table is preserved in the
`.gnu_debugdata` section. To disable that, undefine
`_include_minidebuginfo`.
* To speed up debuggers, a `.gdb_index` section is created. It can be
disabled by undefining `_include_gdb_index`.
* Missing build IDs result in a build failure. To ignore such
problems, undefine `_missing_build_ids_terminate_build`.
* During processing, build IDs are recomputed to match the binary
content. To skip this step, define `_no_recompute_build_ids` as `1`.
* By default, the options in `_find_debuginfo_dwz_opts` turn on `dwz`
(DWARF compression) processing. Undefine this macro to disable this
step.
* Additional options can be passed by defining the
`_find_debuginfo_opts` macro.
After separation of debugging information, additional transformations
are applied, most of them also related to debugging information.
These steps can be skipped by undefining the corresponding macros:
* `__brp_strip`: Removal of leftover debugging information. The tool
specified by the `__strip` macro is invoked with the `-g` option on
ELF object (`.o`) files.
* `__brp_strip_static_archive`: This is similar to `__brp_strip`, but
processes static `.a` archives instead.
* `__brp_strip_comment_note`: This step removes unallocated `.note`
sections, and `.comment` sections from ELF files.
* `__brp_ldconfig`: For each shared object on the library search path
whose soname does not match its file name, a symbolic link from the
soname to the file name is created. This way, these shared objects
are loadable immediately after installation, even if they are not yet
listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been
invoked yet).
# Individual compiler flags
Compiler flags end up in the environment variables `CFLAGS`,
@ -202,6 +275,11 @@ The general (architecture-independent) build flags are:
variables. (If the address of a variable is never taken, it is not
possible that a buffer overflow is caused by incorrect pointer
arithmetic involving a pointer to that variable.)
* `-fstack-clash-protection`: Turn on instrumentation to avoid
skipping the guard page in large stack frames. (Without this flag,
vulnerabilities can result where the stack overlaps with the heap,
or thread stacks spill into other regions of memory.) This flag is
fully ABI-compatible and has adds very little run-time overhead.
* `-grecord-gcc-switches`: Include select GCC command line switches in
the DWARF debugging information. This is useful for detecting the
presence of certain build flags and general hardening coverage.
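Review bot: The relocated `-fstack-clash-protection` entry carries over the typo "has adds very little run-time overhead"; since the paragraph is being rewritten anyway, change it to "adds very little run-time overhead". It is also worth stating here that the architecture restriction from the old text was dropped on purpose, because the entry now sits in the architecture-independent list.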
@ -240,13 +318,6 @@ added by default. This can be switched off by undefining the
These compiler flags are enabled for all builds (hardened/annotated or
not), but their selection depends on the architecture:
* `-fstack-clash-protection`: Turn on instrumentation to avoid
skipping the guard page in large stack frames. (Without this flag,
vulnerabilities can result where the stack overlaps with the heap,
or thread stacks spill into other regions of memory.) This flag is
fully ABI-compatible and has adds very little run-time overhead, but
is only available on certain architectures (currently aarch64, i386,
ppc64, ppc64le, s390x, x86_64).
* `-fcf-protection`: Instrument binaries to guard against
ROP/JOP attacks. Used on i686 and x86_64.
* `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
@ -260,24 +331,18 @@ not), but their selection depends on the architecture:
useful because unwind information is available without having to
install (and load) debugging ienformation.
Asynchronous unwind tables are enabled for aarch64, i686, s390x,
and x86_64. They are not needed on armhfp, ppc64 and ppc64le due
and x86_64. They are not needed on ppc64le due
to architectural differences in stack management. On these
architectures, `-fexceptions` (see above) still enables regular
unwind tables (or they are enabled by default even without this
option).
* `-funwind-tables`: A subset of the unwind information restricted
to actual call sites. Used on ppc64, ppc64le. Also implied by
to actual call sites. Used on ppc64le. Also implied by
`-fexceptions`.
In addition, `redhat-rpm-config` re-selects the built-in default
tuning in the `gcc` package. These settings are:
* **armhfp**: `-march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard`
selects an Arm subarchitecture based on the ARMv7-A architecture
with 16 64-bit floating point registers. `-mtune=cortex-8a` selects
tuning for the Cortex-A8 implementation (while preserving compatibility
with other ARMv7-A implementations). `-mabi=aapcs-linux` switches to
the AAPCS ABI for GNU/Linux.
* **i686**: `-march=x86-64` is used to select a minimum supported
CPU level matching the baseline for the x86_64 architecture.
`-mtune=generic` activates tuning for a current blend of CPUs.
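Review bot: After the edit to "They are not needed on ppc64le due to architectural differences", the following sentence still begins "On these architectures", which no longer matches a list of one; reword it to "On this architecture". The unchanged context line above it also contains "debugging ienformation", which could be fixed in the same pass.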
@ -296,7 +361,7 @@ tuning in the `gcc` package. These settings are:
(z14).
* **x86_64**: `-mtune=generic` selects tuning which is expected to
beneficial for a broad range of current CPUs.
* **ppc64** and **aarch64** do not have any architecture-specific tuning.
* **aarch64** does not have any architecture-specific tuning.
# Individual linker flags

111
SOURCES/gpgverify Executable file
View File

@ -0,0 +1,111 @@
#!/bin/bash
# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se
#
# This material is provided as is, with absolutely no warranty expressed
# or implied. Any use is at your own risk.
#
# Permission is hereby granted to use or copy this shellscript
# for any purpose, provided the above notices are retained on all copies.
# Permission to modify the code and to distribute modified code is granted,
# provided the above notices are retained, and a notice that the code was
# modified is included with the above copyright notice.
function print_help {
cat <<'EOF'
Usage: gpgverify --keyring=<pathname> --signature=<pathname> --data=<pathname>
gpgverify is a wrapper around gpgv designed for easy and safe scripting. It
verifies a file against a detached OpenPGP signature and a keyring. The keyring
shall contain all the keys that are trusted to certify the authenticity of the
file, and must not contain any untrusted keys.
The differences, compared to invoking gpgv directly, are that gpgverify accepts
the keyring in either ASCII-armored or unarmored form, and that it will not
accidentally use a default keyring in addition to the specified one.
Parameters:
--keyring=<pathname> keyring with all the trusted keys and no others
--signature=<pathname> detached signature to verify
--data=<pathname> file to verify against the signature
EOF
}
fatal_error() {
message="$1" # an error message
status=$2 # a number to use as the exit code
echo "gpgverify: $message" >&2
exit $status
}
require_parameter() {
term="$1" # a term for a required parameter
value="$2" # Complain and terminate if this value is empty.
if test -z "${value}" ; then
fatal_error "No ${term} was provided." 2
fi
}
check_status() {
action="$1" # a string that describes the action that was attempted
status=$2 # the exit code of the command
if test $status -ne 0 ; then
fatal_error "$action failed." $status
fi
}
# Parse the command line.
keyring=
signature=
data=
for parameter in "$@" ; do
case "${parameter}" in
(--help)
print_help
exit
;;
(--keyring=*)
keyring="${parameter#*=}"
;;
(--signature=*)
signature="${parameter#*=}"
;;
(--data=*)
data="${parameter#*=}"
;;
(*)
fatal_error "Unknown parameter: \"${parameter}\"" 2
;;
esac
done
require_parameter 'keyring' "${keyring}"
require_parameter 'signature' "${signature}"
require_parameter 'data file' "${data}"
# Make a temporary working directory.
workdir="$(mktemp --directory)"
check_status 'Making a temporary directory' $?
workring="${workdir}/keyring.gpg"
# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
# ASCII-armored.
gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
check_status 'Decoding the keyring' $?
# Verify the signature using the decoded keyring.
gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}"
check_status 'Signature verification' $?
# (--homedir isn't actually necessary. --dearmor processes only the input file,
# and if --keyring is used and contains a slash, then gpgv2 uses only that
# keyring. Thus neither command will look for a default keyring, but --homedir
# makes extra double sure that no default keyring will be touched in case
# another version of GPG works differently.)
# Clean up. (This is not done in case of an error that may need inspection.)
rm --recursive --force ${workdir}
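Review bot: The cleanup line `rm --recursive --force ${workdir}` leaves the variable unquoted, although every other use of `${workdir}` in the script is quoted. The path comes from `mktemp --directory`, so a temporary directory location containing whitespace or glob characters would make the recursive forced removal act on the wrong words; write `rm --recursive --force -- "${workdir}"`. The same applies to the unquoted `$status` in `test $status -ne 0` and `exit $status`. The script also never checks that `--keyring`, `--signature` and `--data` name readable files before calling `gpg2`, so a mistyped path surfaces only as "Decoding the keyring failed."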

View File

@ -0,0 +1,79 @@
# Some miscellaneous Fedora-related macros
# List files matching inclusion globs, excluding files matching exclusion blogs
# Optional parameters:
# -i "<globs>" inclusion globs
# -x "<globs>" exclusion globs
# Globs are space-separated lists of shell globs. Such lists require %{quote:}
# use for safe rpm argument passing.
# Alternatively, set the following rpm variables before calling the macro:
# “listfiles_include” inclusion globs
# — “listfiles_exclude” exclusion globs
# Arguments passed to the macro without flags will be interpreted as inclusion
# globs.
%listfiles(i:x:) %{expand:
%if %{lua: print(string.len(rpm.expand("%{?-i*}%{?listfiles_include}%*")))}
listfiles_include=$(realpath -e --relative-base=. %{?-i*} %{?listfiles_include} %* | sort -u)
%if %{lua: print(string.len(rpm.expand("%{?-x*}%{?listfiles_exclude}")))}
while IFS= read -r finc ; do
realpath -qe --relative-base=. %{?-x*} %{?listfiles_exclude} \\
| sort -u | grep -q "${finc}" || echo "${finc}"
done <<< "${listfiles_include}"
%else
echo "${listfiles_include}"
%endif
%endif
}
# https://github.com/rpm-software-management/rpm/issues/581
# Write the contents of a list of rpm variables to a macro file.
# The target file must contain the corresponding anchors.
# For example %writevars -f myfile foo bar will replace:
# @@FOO@@ with the rpm evaluation of %{foo} and
# @@BAR@@ with the rpm evaluation of %{bar}
# in myfile
%writevars(f:) %{lua:
local fedora = require "fedora.common"
local macrofile = rpm.expand("%{-f*}")
local rpmvars = {}
for i = 1, rpm.expand("%#") do
table.insert(rpmvars, rpm.expand("%" .. i))
end
fedora.writevars(macrofile,rpmvars)
}
# gpgverify verifies signed sources. There is documentation in the script.
%gpgverify(k:s:d:) %{lua:
local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ")
local keyring = rpm.expand("%{-k*}")
local signature = rpm.expand("%{-s*}")
local data = rpm.expand("%{-d*}")
print(script)
if keyring ~= "" then
print(rpm.expand("--keyring='%{SOURCE" .. keyring .. "}' "))
end
if signature ~= "" then
print(rpm.expand("--signature='%{SOURCE" .. signature .. "}' "))
end
if data ~= "" then
print(rpm.expand("--data='%{SOURCE" .. data .. "}' "))
end
}
# gpgverify verifies signed sources. There is documentation in the script.
%gpgverify(k:s:d:) %{lua:
local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ")
local keyring = rpm.expand("%{-k*}")
local signature = rpm.expand("%{-s*}")
local data = rpm.expand("%{-d*}")
print(script)
if keyring ~= "" then
print(rpm.expand("--keyring='%{SOURCE" .. keyring .. "}' "))
end
if signature ~= "" then
print(rpm.expand("--signature='%{SOURCE" .. signature .. "}' "))
end
if data ~= "" then
print(rpm.expand("--data='%{SOURCE" .. data .. "}' "))
end
}
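Review bot: In `%listfiles`, the exclusion test `grep -q "${finc}"` treats each included path as a regular expression and matches it anywhere in a line, so including `foo` is suppressed by an excluded `foo.bar` or `subdir/foo`, and characters such as `.` or `[` in a file name change the match. Use a fixed-string whole-line match, for example `grep -qxF -- "${finc}"`. Separately, the `%gpgverify(k:s:d:)` definition appears twice in this file with identical bodies; one copy should be dropped. The header comment also says "exclusion blogs" where "exclusion globs" is meant.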

View File

@ -0,0 +1,3 @@
# kernel_arches lists what arches the full kernel is built for.
%kernel_arches x86_64 s390x ppc64le aarch64 %{arm}

View File

@ -1,4 +1,4 @@
#! /bin/sh
#! /bin/bash -efu
# heavily based upon find-suggests.ksyms by Andreas Gruenbacher <agruen@suse.de>.
# with modifications by Michael Brown <Michael_E_Brown@dell.com>
@ -14,7 +14,8 @@ IFS=$'\n'
# completeness, so that we can determine when drivers are folded into
# mainline kernel.
#
case "$1" in
is_kernel_package=""
case "${1:-}" in
kernel-module-*) ;; # Fedora kernel module package names start with
# kernel-module.
kernel*) is_kernel_package=1 ;;
@ -25,6 +26,11 @@ if ! [ -z "$is_kernel_package" ]; then
exit 0
fi
# Check for presence of the commands used
which /sbin/modinfo >/dev/null || exit 0
which sed >/dev/null || exit 0
which sort >/dev/null || exit 0
print_modaliases() {
declare class=$1 variants=$2 pos=$3
if [ -n "$variants" ]; then
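Review bot: The three `which ... >/dev/null || exit 0` checks make the generator exit successfully with no output when `/sbin/modinfo`, `sed` or `sort` is missing, so a package would be built without any `modalias()` provides and nothing in the build log would say why. Print a message to stderr before exiting, or fail the build. `which` is itself an external command that may be absent and its error output is not redirected; the shell built-in `command -v` avoids both problems.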
@ -35,7 +41,7 @@ print_modaliases() {
}
combine_modaliases() {
declare tag class variants pos n
declare tag class variants="" pos="" n
read class
while read tag; do
for ((n=0; n<${#class}; n++)); do
@ -58,19 +64,15 @@ combine_modaliases() {
print_modaliases "$class" "$variants" "$pos"
}
for module in $(grep -E '/lib/modules/.+\.ko$') $*; do
for module in $(grep -E '/lib/modules/.+\.ko(\.gz|\.bz2|\.xz)?$') "$@"; do
# | head -n1 because some modules have *two* version tags. *cough*b44*cough*
modver=$(/sbin/modinfo -F version "$module"| head -n1)
modver=${modver// /_}
modver=${modver//[^0-9a-zA-Z._]/_}
# only add version tag if it has a version
if [ -n "$modver" ]; then
/sbin/modinfo -F alias "$module" \
| sed -nre "s,(.+),modalias(\\1) = $modver,p"
else
/sbin/modinfo -F alias "$module" \
| sed -nre "s,(.+),modalias(\\1),p"
fi
[ -z "$modver" ] || modver=" = $modver"
/sbin/modinfo -F alias "$module" \
| sed -nre "s,[^][0-9a-zA-Z._:*?/-],_,g; s,(.+),modalias(\\1)$modver,p"
done \
| sort -u \
| combine_modaliases
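Review bot: Both `/sbin/modinfo` calls in the rewritten loop sit on the left side of a pipe (`| head -n1` and `| sed -nre ...`), so their exit status is discarded and the `-e` added to the shebang does not catch a failure. With the file pattern now extended to `.ko.gz`, `.ko.bz2` and `.ko.xz`, a `modinfo` that cannot read a compressed module would silently produce no aliases for it. Consider `set -o pipefail` or checking the `modinfo` result explicitly. The sanitising of `modver` to `[0-9a-zA-Z._]` before it is interpolated into the `sed` replacement is a good change, since it keeps `,`, `&` and `\` out of the expression.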

View File

@ -0,0 +1,199 @@
#!/usr/bin/sh
# This is a script to select which GCC spec file fragment
# should be the destination of the redhat-annobin-cc1 symlink.
# Author: Nick Clifton <nickc@redhat.com>
# Copyright (c) 2021 Red Hat.
#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published
# by the Free Software Foundation; either version 2, or (at your
# option) any later version.
# It is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Usage:
# redhat-annobin-plugin-select [script-dir]
#
# If script-dir is not provided then /usr/lib/rpm/redhat is used
# as the location where all of the annobin plugin selection files
# can be found.
if test "x$1" = "x" ;
then
rrcdir=/usr/lib/rpm/redhat
else
rrcdir=$1
fi
# Set this variable to non-zero to enable the generation of debugging
# messages.
debug=0
# Decide which version of the annobin plugin for gcc should be used.
# There are two possible versions, one created by the annobin package and one
# created by the gcc package. The logic selects the gcc version unless both
# have been built by the same version of the compiler. In that case the
# annobin version is selected instead.
#
# The point of all this is that the annobin plugin is very sensitive to
# mismatches with the version of gcc that built it. If the plugin is built
# by version A of gcc, but then run on version B of gcc, it is possible for
# the plugin to misbehave, which then causes problems if gating tests examine
# the plugin's output. (This has happened more than once in RHEL...).
#
# So the plugin is built both by gcc and by the annobin package. This means
# that whenever gcc is updated a fresh plugin is built, and the logic below
# will select that version. But in order to allow annobin development to
# proceed independtently of gcc, the annobin package can also update its
# version of the plugin, and the logic will select this new version.
# This is where the annobin package stores the information on the version
# of gcc that built the annobin plugin.
aver=`gcc --print-file-name=plugin`/annobin-plugin-version-info
# This is where the gcc package stores its version information.
gver=`gcc --print-file-name=rpmver`
aplugin=`gcc --print-file-name=plugin`/annobin.so.0.0.0
gplugin=`gcc --print-file-name=plugin`/gcc-annobin.so.0.0.0
# This is the file that needs to be updated when either of those version
# files changes.
rac1=redhat-annobin-cc1
# This is the GCC spec file fragment that selects the gcc-built version of
# the annobin plugin
select_gcc=redhat-annobin-select-gcc-built-plugin
# This is the GCC spec file fragment that selects the annobin-built version
# of the annobin plugin
select_annobin=redhat-annobin-select-annobin-built-plugin
install_annobin_version=0
install_gcc_version=0
if [ -f $aplugin ]
then
if [ -f $gplugin ]
then
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Both plugins exist, checking version information"
fi
if [ -f $gver ]
then
if [ -f $aver ]
then
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Both plugin version files exist - comparing..."
fi
# Get the first line from the version info files. This is just in
# vase there are extra lines in the files.
avers=`head --lines=1 $aver`
gvers=`head --lines=1 $gver`
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Annobin plugin built by gcc $avers"
echo " redhat-rpm-config: GCC plugin built by gcc $gvers"
fi
# If both plugins were built by the same version of gcc then select
# the one from the annobin package (in case it is built from newer
# sources). If the plugin builder versions differ, select the gcc
# built version instead. This assumes that the gcc built version
# always matches the installed gcc, which should be true.
if [ $avers = $gvers ]
then
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Both plugins built by the same compiler - using annobin-built plugin"
fi
install_annobin_version=1
else
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Versions differ - using gcc-built plugin"
fi
install_gcc_version=1
fi
else
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Annobin version file does not exist, using gcc-built plugin"
fi
install_gcc_version=1
fi
else
if [ -f $aver ]
then
# FIXME: This is suspicious. If the installed GCC does not supports plugins
# then enabling the annobin plugin will not work.
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: GCC plugin version file does not exist, using annobin-built plugin"
fi
install_annobin_version=1
else
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Neither version file exists - playing safe and using gcc-built plugin"
echo " redhat-rpm-config: Note: expected to find $aver and/or $gver"
fi
install_gcc_version=1
fi
fi
else
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Only the annobin plugin exists - using that"
fi
install_annobin_version=1
fi
else
if [ -f $gplugin ]
then
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Only the gcc plugin exists - using that"
fi
else
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Neither plugin exists - playing safe and using gcc-built plugin"
echo " redhat-rpm-config: Note: expected to find $aplugin and/or $gplugin"
fi
fi
install_gcc_version=1
fi
if [ $install_annobin_version -eq 1 ]
then
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Installing annobin version of $rac1"
fi
pushd $rrcdir > /dev/null
rm -f $rac1
ln -s $select_annobin "$rac1"
popd > /dev/null
else if [ $install_gcc_version -eq 1 ]
then
if [ $debug -eq 1 ]
then
echo " redhat-rpm-config: Installing gcc version of $rac1"
fi
pushd $rrcdir > /dev/null
rm -f $rac1
ln -s $select_gcc $rac1
popd > /dev/null
fi
fi
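Review bot: Both install branches run `pushd $rrcdir > /dev/null` and then `rm -f $rac1` and `ln -s ...` without checking that the directory change succeeded, so if `$rrcdir` does not exist the file is removed and the symlink created in whatever directory the script was started from. Check the result (`pushd "$rrcdir" > /dev/null || exit 1`) and quote the variable. `pushd` and `popd` are bash built-ins while the shebang is `#!/usr/bin/sh`; either change the interpreter or use `cd` in a subshell. The comparison `[ $avers = $gvers ]` is unquoted, so an empty or multi-word first line in either version file turns it into a test syntax error; quote both sides. Quoting is also inconsistent between `ln -s $select_annobin "$rac1"` and `ln -s $select_gcc $rac1`.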

View File

@ -0,0 +1,2 @@
*cc1_options:
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}

View File

@ -0,0 +1,2 @@
*cc1_options:
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=gcc-annobin}

View File

@ -6,7 +6,7 @@
Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config
Version: 123
Version: 131
Release: 1%{?dist}
# No version specified.
License: GPL+
@ -27,6 +27,9 @@ Source51: redhat-hardened-ld
# gcc specs files for annobin builds
Source52: redhat-annobin-cc1
Source53: redhat-annobin-select-gcc-built-plugin
Source54: redhat-annobin-select-annobin-built-plugin
Source55: redhat-annobin-plugin-select.sh
# The macros defined by these files are for things that need to be defined
# at srpm creation time when it is not feasible to require the base packages
@ -45,6 +48,8 @@ Source151: macros.kmp
Source152: macros.vpath
Source153: macros.forge
Source154: macros.ldconfig
Source155: macros.kernel-srpm
Source156: macros.fedora-misc
# Build policy scripts
# this comes from https://github.com/rpm-software-management/rpm/pull/344
@ -65,6 +70,7 @@ Source400: dist.sh
Source401: rpmsort
Source402: symset-table
Source403: kmodtool
Source404: gpgverify
# 2016-10-02 snapshots from http://git.savannah.gnu.org/gitweb/?p=config.git
Source500: config.guess
@ -102,6 +108,7 @@ Requires: rpm >= 4.11.0
Requires: dwz >= 0.4
Requires: zip
Requires: (annobin if gcc)
Requires: (gcc-plugin-annobin if gcc)
# for brp-mangle-shebangs
Requires: %{_bindir}/find
@ -110,6 +117,11 @@ Requires: %{_bindir}/grep
Requires: %{_bindir}/sed
Requires: %{_bindir}/xargs
# iconv modules have been split out of glibc into a separate package (#1971664)
# so let's ensure packages that require them at build time but haven't yet
# added an explicit BuildRequires will continue to work (#2013328)
Requires: glibc-gconv-extra
# -fstack-clash-protection and -fcf-protection require GCC 8.
Conflicts: gcc < 8
@ -143,6 +155,7 @@ install -p -m 444 -t %{buildroot}%{rrcdir} redhat-hardened-*
install -p -m 444 -t %{buildroot}%{rrcdir} redhat-annobin-*
install -p -m 755 -t %{buildroot}%{rrcdir} config.*
install -p -m 755 -t %{buildroot}%{rrcdir} dist.sh rpmsort symset-table kmodtool
install -p -m 755 -t %{buildroot}%{rrcdir} gpgverify
install -p -m 755 -t %{buildroot}%{rrcdir} brp-*
install -p -m 755 -t %{buildroot}%{rrcdir} find-*
@ -161,6 +174,54 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov
install -p -m 644 %{SOURCE20} %{buildroot}%{_fileattrsdir}/kabi.attr
install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
# This trigger is used to decide which version of the annobin plugin for gcc
# should be used. See comments in the script for full details.
#
# Note: for RHEL the rpm containing the annobin built plugin is called
# "annobin", whereas in Fedora it is called "annobin-plugin-gcc". This is
# for historical reasons and will change with the introduction of RHEL-10.
#
# Note - whilst "gcc-plugin-annobin" requires "gcc" and hence in theory we
# do not need to trigger on "gcc", the redhat-annobin-plugin-select.sh
# script invokes gcc to determine the version of the gcc plugin, and this
# can be significant.
#
# For example, suppose that version N of gcc is installed and that annobin
# version A (built by gcc version N) is also installed. Then a new version
# of gcc is released. If the rpms are updated in this order:
# gcc-plugin-annobin
# gcc
# then when the trigger for gcc-plugin-annobin is run, the script will see
# (the not yet updated) gcc is currently version N, which matches the current
# annobin plugin A, so no changes are necessary. Then gcc is updated and,
# if the trigger below did not include "gcc", the script would not run again
# and so now you would have an out of date version of the annobin plugin.
#
# Alternatively imagine installing gcc and annobin for the first time.
# If the installation order is:
# gcc
# annobin-plugin-gcc
# gcc-plugin-annobin
# then the installation of gcc will not cause the gcc-plugin-annobin to be
# selected, since it does not exist yet. Then annobin-plugin-gcc is installed
# and since it is the only plugin, it will be selected. Then
# gcc-plugin-annobin is installed, and if the trigger below was not set to
# run on gcc-plugin-annobin, it would pass unnoticed.
#
# Hence it is necessary to trigger on both gcc and gcc-plugin-annobin.
%triggerin -- annobin gcc-plugin-annobin gcc
%{rrcdir}/redhat-annobin-plugin-select.sh
%end
# We also trigger when an annobin plugin is uninstalled. This allows us to switch
# over to the other version of the plugin. It does not matter if
# gcc is uninstalled, since if that happens the plugin cannot be used.
%triggerpostun -- annobin gcc-plugin-annobin
%{rrcdir}/redhat-annobin-plugin-select.sh
%end
%files
%dir %{rrcdir}
%{rrcdir}/macros
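Review bot: The `%triggerin -- annobin gcc-plugin-annobin gcc` scriptlet runs `redhat-annobin-plugin-select.sh` unconditionally, but that script calls `gcc --print-file-name=...` several times and the dependency on the plugin packages is only `Requires: (annobin if gcc)`, so the trigger can fire for `annobin` on a system where `gcc` is not installed. In that case each backtick substitution fails and prints an error during the transaction, and the script falls through to its "Neither plugin exists" branch. Guard the call on the presence of `gcc`, or have the script exit early when `gcc` is not found, and say in the comment block which behaviour is expected.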
@ -168,6 +229,7 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
%{rrcdir}/brp-mangle-shebangs
%{rrcdir}/brp-ldconfig
%{rrcdir}/dist.sh
%{rrcdir}/gpgverify
%{rrcdir}/redhat-hardened-*
%{rrcdir}/redhat-annobin-*
%{rrcdir}/config.*
@ -181,7 +243,15 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
%{_rpmconfigdir}/macros.d/macros.forge
%{_rpmconfigdir}/macros.d/macros.ldconfig
%{_rpmconfigdir}/macros.d/macros.vpath
%{_rpmconfigdir}/macros.d/macros.kernel-srpm
%{_rpmconfigdir}/macros.d/macros.fedora-misc
%{_rpmconfigdir}/kabi.sh
%attr(0755,-,-) %{rrcdir}/redhat-annobin-plugin-select.sh
%verify(owner group mode) %{rrcdir}/redhat-annobin-cc1
%{rrcdir}/redhat-annobin-select-gcc-built-plugin
%{rrcdir}/redhat-annobin-select-annobin-built-plugin
%doc buildflags.md
%files -n kernel-rpm-macros
@ -198,6 +268,33 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
%{_rpmconfigdir}/macros.d/macros.kmp
%changelog
* Wed Feb 08 2023 Nick Clifton <nickc@redhat.com> - 131-1
- Fix triggers for the installation and removal of gcc-plugin-annobin. (#2168233)
* Tue Apr 05 2022 Nick Clifton <nickc@redhat.com> = 130-1
- Select between gcc-built and annobin-built versions of the annobin plugin.
(#2067153)
* Wed Mar 23 2022 Michal Domonkos <mdomonko@redhat.com> - 129-1
- Fix handling of files without newlines in brp-mangle-shebang (#2063036)
* Wed Jan 05 2022 Eugene Syromiatnikov <esyr@redhat.com> - 128-1
- modalias.prov: handle compressed kmods, sanitise alias/version strings
(#1976000)
* Mon Dec 13 2021 Michal Domonkos <mdomonko@redhat.com> - 127-1
- Add Requires: glibc-gconv-extras to cover for the split (#2013328)
* Mon Nov 29 2021 Florian Weimer <fweimer@redhat.com> - 126-1
- buildflags.md: Documentation updates (#2005079)
* Fri Nov 27 2020 Florian Festi <ffesti@redhat.com> - 125-1
- Add missing macros.fedora-misc file (#1874576)
* Mon Nov 09 2020 Florian Festi <ffesti@redhat.com> - 124-1
- Add macros.kernel-srpm (#1874578)
- Added gpgverify (#1874576)
* Tue Jun 16 2020 Florian Festi <ffesti@redhat.com> - 123-1
- Update kmod.prov for better performance (#1794491)
- Backport performance improvements for brp-mangle-shebangs (#1794779)
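Review bot: The 127-1 changelog entry says "Add Requires: glibc-gconv-extras", but the line added to the spec is `Requires: glibc-gconv-extra`; the entry should name the package exactly as required. The 130-1 entry header uses `= 130-1` where every other entry uses `- 130-1`, and the 129-1 entry refers to `brp-mangle-shebang` while the script is installed as `brp-mangle-shebangs`.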