diff --git a/buildflags.md b/buildflags.md
index db80dcd..c569531 100644
--- a/buildflags.md
+++ b/buildflags.md
@@ -660,16 +660,11 @@ with such toolchains.
 The macros `%{extension_cflags}`, `%{extension_cxxflags}`, `%{extension_fflags}`, `%{extension_ldflags}` contain a subset of flags that have been adjusted for compatibility with alternative
-toolchains, while still preserving some of the compile-time security
-hardening that the standard Fedora build flags provide.
+toolchains.
-The current set of differences are:
-
-* No GCC plugins (such as annobin) are activated.
-* No GCC spec files (`-specs=` arguments) are used.
-
-Additional flags may be removed in the future if they prove to be
-incompatible with alternative toolchains.
+Currently the -fexceptions and -fcf-protection flags are preserved
+for binary compatibility with the languages the extensions are
+built against.
 Extension builders should detect whether they are performing a regular RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this
diff --git a/macros b/macros
index 1d571c5..d7dc4a6 100644
--- a/macros
+++ b/macros
@@ -113,13 +113,19 @@
 # Internal-only. Do not use. Expand a variable and strip the flags
 # not suitable to extension builders.
 %__extension_strip_flags() %{lua:
+--the only argument to this macro is the "name" of the flags we strip (e.g. cflags, ldflags, etc.)
 local name = rpm.expand("%{1}")
-local value = " " .. rpm.expand("%{build_" .. name .. "}")
-local specs_pattern = "%s+-specs=[^%s]+"
-local lto_flags_pattern = rpm.expand("%{?_lto_cflags}"):gsub("[%-%.]", "%%%1")
-local package_note_flags_pattern = "%-Wl,%S*package_note%S*"
-local result = value:gsub(specs_pattern, " "):gsub(lto_flags_pattern, ""):gsub(package_note_flags_pattern, "")
-print(result)
+--store all the individual flags in a variable as a continuous string
+local flags = rpm.expand("%{build_" .. name .. "}")
+--create an empty table for the minimal set of flags we wanna preserve
+local stripped_flags = { }
+--iterate over the individual flags and store the ones we want in the table as unique keys
+for flag in flags:gmatch("%S+") do
+ if flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection") then
+ stripped_flags[flag] = true end
+ end
+--print out the finalized set of flags for use by the extension builders
+for k,_ in pairs(stripped_flags) do print(k .. " ") end
 }
 # Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within
diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec
index 0ab5f91..848ef12 100644
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
@@ -4,7 +4,7 @@
 # 2) When making changes, increment the version (in baserelease) by 1.
 # rpmdev-bumpspec and other tools update the macro below, which is used
 # in Version: to get the desired effect.
-%global baserelease 261
+%global baserelease 262
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
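Review bot: The final loop of `%__extension_strip_flags` in `macros` emits the kept flags through `pairs(stripped_flags)`, whose iteration order Lua leaves unspecified, so the expansion of `%{extension_cflags}` and its siblings can come out in either order whenever both flags are present. Extension builders presumably record that string in their own configuration, which would make their output non-reproducible, and the test added in this commit already has to accept both orders. Using the set only for de-duplication, collecting matches in first-seen order in an array and printing `table.concat(kept, " ")` once gives a stable result, as sketched below. Separately, the leading comment should state the security consequence, for example `-- everything else in %{build_<name>}, hardening flags included, is dropped on purpose`, since the buildflags.md sentence that promised some compile-time hardening was preserved is removed in the same commit.

```lua
-- … unchanged: expansion of name and flags …
local kept, seen = {}, {}
for flag in flags:gmatch("%S+") do
  local wanted = flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection")
  if wanted and not seen[flag] then
    seen[flag] = true
    table.insert(kept, flag)
  end
end
print(table.concat(kept, " "))
```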
@@ -254,6 +254,10 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
 %doc buildflags.md
 %changelog
+* Wed Aug 02 2023 Charalampos Stratakis - 262-1
+- Strip all extension builder flags except -fexceptions and -fcf-protection
+- https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
+
 * Fri Jul 7 2023 Florian Weimer - 261-1
 - Fix warnings that appear during the build of the llvm package
diff --git a/tests/extension-builder-flags/main.fmf b/tests/extension-builder-flags/main.fmf
new file mode 100644
index 0000000..b7b7c54
--- /dev/null
+++ b/tests/extension-builder-flags/main.fmf
@@ -0,0 +1,5 @@
+summary: Test that the extension builder flags contain the proper flags
+require:
+ - redhat-rpm-config
+test: ./runtest.sh
+
diff --git a/tests/extension-builder-flags/runtest.sh b/tests/extension-builder-flags/runtest.sh
new file mode 100755
index 0000000..a54cb09
--- /dev/null
+++ b/tests/extension-builder-flags/runtest.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -ex
+# Verify that the extension builder flags are stripped of non-required flags.
+# The flags may appear in random order due to being accessed through a lua
+# associative array.
+for f in %{extension_cflags} %{extension_cxxflags} %{extension_fflags}; do
+ [[ $(rpm --eval "$f") =~ ^[[:space:]]*(-fexceptions -fcf-protection|-fcf-protection -fexceptions)[[:space:]]*$ ]]
+done
+# The extension ldflag should always be empty
+[[ -z $(rpm --eval "%extension_ldflags") ]]
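Review bot: The regex in the `for` loop of `runtest.sh` requires both `-fexceptions` and `-fcf-protection` to be present, whereas the macro only keeps whichever of them `%{build_<name>}` already contains. Whether every architecture this test runs on carries `-fcf-protection` in its build flags is not visible in this diff; if that flag is set per architecture, the test fails elsewhere for a reason unrelated to the stripping logic. At minimum the assumption should be written down, for example `# Assumes the build flags on this architecture include -fcf-protection.` above the loop. The two-order alternation also stops scaling as soon as a third flag is preserved, which is another reason to make the macro's output order deterministic.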