Strip all extension builder flags except -fexceptions and -fcf-protection

This preserves binary compatibility with the main interpreters
the extensions are built against while removing Fedora's flags
that are not required to be inherited on user built extensions.

This implements https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction

buildflags.md

@@ -660,16 +660,11 @@ with such toolchains.
 The macros `%{extension_cflags}`, `%{extension_cxxflags}`,
 `%{extension_fflags}`, `%{extension_ldflags}` contain a subset of
 flags that have been adjusted for compatibility with alternative
-toolchains, while still preserving some of the compile-time security
-hardening that the standard Fedora build flags provide.
+toolchains.
 
-The current set of differences are:
-
-* No GCC plugins (such as annobin) are activated.
-* No GCC spec files (`-specs=` arguments) are used.
-
-Additional flags may be removed in the future if they prove to be
-incompatible with alternative toolchains.
+Currently the -fexceptions and -fcf-protection flags are preserved
+for binary compatibility with the languages the extensions are
+built against.
 
 Extension builders should detect whether they are performing a regular
 RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable).  In this

macros

@@ -113,13 +113,19 @@
 # Internal-only.  Do not use.  Expand a variable and strip the flags
 # not suitable to extension builders.
 %__extension_strip_flags() %{lua:
+--the only argument to this macro is the "name" of the flags we strip (e.g. cflags, ldflags, etc.)
 local name = rpm.expand("%{1}")
-local value = " " .. rpm.expand("%{build_" .. name .. "}")
-local specs_pattern = "%s+-specs=[^%s]+"
-local lto_flags_pattern = rpm.expand("%{?_lto_cflags}"):gsub("[%-%.]", "%%%1")
-local package_note_flags_pattern = "%-Wl,%S*package_note%S*"
-local result = value:gsub(specs_pattern, " "):gsub(lto_flags_pattern, ""):gsub(package_note_flags_pattern, "")
-print(result)
+--store all the individual flags in a variable as a continuous string
+local flags = rpm.expand("%{build_" .. name .. "}")
+--create an empty table for the minimal set of flags we wanna preserve
+local stripped_flags = { }
+--iterate over the individual flags and store the ones we want in the table as unique keys
+for flag in flags:gmatch("%S+") do
+  if flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection") then
+    stripped_flags[flag] = true end
+  end
+--print out the finalized set of flags for use by the extension builders
+for k,_ in pairs(stripped_flags) do print(k .. " ") end
 }
 
 # Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within

redhat-rpm-config.spec

@@ -4,7 +4,7 @@
 # 2) When making changes, increment the version (in baserelease) by 1.
 #    rpmdev-bumpspec and other tools update the macro below, which is used
 #    in Version: to get the desired effect.
-%global baserelease 261
+%global baserelease 262
 
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
@@ -254,6 +254,10 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
 %doc buildflags.md
 
 %changelog
+* Wed Aug 02 2023 Charalampos Stratakis <cstratak@redhat.com> - 262-1
+- Strip all extension builder flags except -fexceptions and -fcf-protection
+- https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
+
 * Fri Jul  7 2023 Florian Weimer <fweimer@redhat.com> - 261-1
 - Fix warnings that appear during the build of the llvm package
 

tests/extension-builder-flags/main.fmf

@@ -0,0 +1,5 @@
+summary: Test that the extension builder flags contain the proper flags
+require:
+  - redhat-rpm-config
+test: ./runtest.sh
+

tests/extension-builder-flags/runtest.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -ex
+# Verify that the extension builder flags are stripped of non-required flags.
+# The flags may appear in random order due to being accessed through a lua
+# associative array.
+for f in %{extension_cflags} %{extension_cxxflags} %{extension_fflags}; do
+  [[ $(rpm --eval "$f") =~ ^[[:space:]]*(-fexceptions -fcf-protection|-fcf-protection -fexceptions)[[:space:]]*$ ]]
+done
+# The extension ldflag should always be empty
+[[ -z $(rpm --eval "%extension_ldflags") ]]