From 7331757cf12ee645e895e7e6e91d73ff66106e12 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 18 May 2023 14:36:24 +0200 Subject: [PATCH] Strip all extension builder flags except -fexceptions and -fcf-protection This preserves binary compatibility with the main interpreters the extensions are built against while removing Fedora's flags that are not required to be inherited on user built extensions. This implements https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction --- buildflags.md | 13 ++++--------- macros | 18 ++++++++++++------ redhat-rpm-config.spec | 6 +++++- tests/extension-builder-flags/main.fmf | 5 +++++ tests/extension-builder-flags/runtest.sh | 11 +++++++++++ 5 files changed, 37 insertions(+), 16 deletions(-) create mode 100644 tests/extension-builder-flags/main.fmf create mode 100755 tests/extension-builder-flags/runtest.sh diff --git a/buildflags.md b/buildflags.md index db80dcd..c569531 100644 --- a/buildflags.md +++ b/buildflags.md @@ -660,16 +660,11 @@ with such toolchains. The macros `%{extension_cflags}`, `%{extension_cxxflags}`, `%{extension_fflags}`, `%{extension_ldflags}` contain a subset of flags that have been adjusted for compatibility with alternative -toolchains, while still preserving some of the compile-time security -hardening that the standard Fedora build flags provide. +toolchains. -The current set of differences are: - -* No GCC plugins (such as annobin) are activated. -* No GCC spec files (`-specs=` arguments) are used. - -Additional flags may be removed in the future if they prove to be -incompatible with alternative toolchains. +Currently the -fexceptions and -fcf-protection flags are preserved +for binary compatibility with the languages the extensions are +built against. Extension builders should detect whether they are performing a regular RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this diff --git a/macros b/macros index 1d571c5..d7dc4a6 100644 --- a/macros +++ b/macros 
@@ -113,13 +113,19 @@ # Internal-only. Do not use. Expand a variable and strip the flags # not suitable to extension builders. %__extension_strip_flags() %{lua: +--the only argument to this macro is the "name" of the flags we strip (e.g. cflags, ldflags, etc.) local name = rpm.expand("%{1}") -local value = " " .. rpm.expand("%{build_" .. name .. "}") -local specs_pattern = "%s+-specs=[^%s]+" -local lto_flags_pattern = rpm.expand("%{?_lto_cflags}"):gsub("[%-%.]", "%%%1") -local package_note_flags_pattern = "%-Wl,%S*package_note%S*" -local result = value:gsub(specs_pattern, " "):gsub(lto_flags_pattern, ""):gsub(package_note_flags_pattern, "") -print(result) +--store all the individual flags in a variable as a continuous string +local flags = rpm.expand("%{build_" .. name .. "}") +--create an empty table for the minimal set of flags we wanna preserve +local stripped_flags = { } +--iterate over the individual flags and store the ones we want in the table as unique keys +for flag in flags:gmatch("%S+") do + if flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection") then + stripped_flags[flag] = true end + end +--print out the finalized set of flags for use by the extension builders +for k,_ in pairs(stripped_flags) do print(k .. " ") end } # Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index 0ab5f91..848ef12 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -4,7 +4,7 @@ # 2) When making changes, increment the version (in baserelease) by 1. # rpmdev-bumpspec and other tools update the macro below, which is used # in Version: to get the desired effect. -%global baserelease 261 +%global baserelease 262 Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config 
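Review bot: The final loop prints the kept flags via `pairs(stripped_flags)`, whose iteration order is unspecified, so the expanded extension flag macros can differ from one run to the next. That works against reproducible builds. It could also matter for correctness if the build flags ever carry two spellings of the same option (a bare `-fcf-protection` and a `-fcf-protection=...` variant both pass the prefix match), because the compiler lets the later one win. Collecting the flags in first-seen order with a separate seen-set and printing once with `table.concat` removes the randomness; this drops the trailing space the current code emits, so confirm no caller depends on it. Separately, `stripped_flags[flag] = true end` closes the `if` on the same line as its body, which makes the following `end` look like it belongs to the `if` rather than the `for`.

```lua
-- … unchanged: expansion of name and of %{build_<name>} into flags …
local kept, seen = {}, {}
for flag in flags:gmatch("%S+") do
  local wanted = flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection")
  if wanted and not seen[flag] then
    seen[flag] = true
    kept[#kept + 1] = flag
  end
end
-- one deterministic, space-separated expansion in original flag order
print(table.concat(kept, " "))
```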
@@ -254,6 +254,10 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua %doc buildflags.md %changelog +* Wed Aug 02 2023 Charalampos Stratakis - 262-1 +- Strip all extension builder flags except -fexceptions and -fcf-protection +- https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction + * Fri Jul 7 2023 Florian Weimer - 261-1 - Fix warnings that appear during the build of the llvm package diff --git a/tests/extension-builder-flags/main.fmf b/tests/extension-builder-flags/main.fmf new file mode 100644 index 0000000..b7b7c54 --- /dev/null +++ b/tests/extension-builder-flags/main.fmf @@ -0,0 +1,5 @@ +summary: Test that the extension builder flags contain the proper flags +require: + - redhat-rpm-config +test: ./runtest.sh + diff --git a/tests/extension-builder-flags/runtest.sh b/tests/extension-builder-flags/runtest.sh new file mode 100755 index 0000000..a54cb09 --- /dev/null +++ b/tests/extension-builder-flags/runtest.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +set -ex +# Verify that the extension builder flags are stripped of non-required flags. +# The flags may appear in random order due to being accessed through a lua +# associative array. +for f in %{extension_cflags} %{extension_cxxflags} %{extension_fflags}; do + [[ $(rpm --eval "$f") =~ ^[[:space:]]*(-fexceptions -fcf-protection|-fcf-protection -fexceptions)[[:space:]]*$ ]] +done +# The extension ldflag should always be empty +[[ -z $(rpm --eval "%extension_ldflags") ]]
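Review bot: The regex in the `for` loop accepts only the exact pair `-fexceptions -fcf-protection` in either order, whereas the macro keeps any token that starts with `-fcf-protection`. A `-fcf-protection=<value>` spelling, or a build target whose flags lack `-fcf-protection` (not visible here, to be confirmed per architecture), would therefore fail the test even though the macro behaves as designed. Checking each token against the allow-list is less brittle, e.g. `for flag in $(rpm --eval "$f"); do [[ $flag == -fexceptions || $flag == -fcf-protection* ]]; done`, together with a separate assertion that `-fexceptions` is present so an empty expansion does not pass. A negative assertion that a previously stripped form such as `-specs=` never appears would also document the intent of the change.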