Add -Wl,--build-id=sha1 to the default LDFLAGS
This is already the default for ld.bfd, so this is effectively a no-op for most packages. However, lld defaults different build-id algorithm that the RPM build process does not support, so it needs this flag. This flag can be overriden by setting the %_build_id_flags macro, which packages could do if they wanted to use a more secure build-id algorithm.
This commit is contained in:
Tom Stellard
parent
faf5c36887
commit
95f28bd10b
|
|
@ -195,6 +195,13 @@ For example, this can be required if shared objects are used for their
|
|||
side effects in ELF constructors, or for making them available to
|
||||
dynamically loaded plugins.
|
||||
|
||||
### Specifying the build-id algorithm
|
||||
|
||||
If you want to specify a different build-id algorithm for your builds, you
|
||||
can use the %_build_id_flags macro:
|
||||
|
||||
%_build_id_flags -Wl,--build-id=sha1
|
||||
|
||||
### Strict symbol checks in the link editor (ld)
|
||||
|
||||
Optionally, the link editor will refuse to link shared objects which
|
||||
|
|
|
|||
6
macros
6
macros
|
|
@ -72,7 +72,7 @@
|
|||
# When clang is used as a linker driver, it does not auto-detect the LTO
|
||||
# bytecode and neither does bfd, so we need to explicitly pass the -flto
|
||||
# flag when linking.
|
||||
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ]
|
||||
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ] %{_build_id_flags}
|
||||
|
||||
# Expands to shell code to set the compiler/linker environment
|
||||
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
|
||||
|
|
@ -325,6 +325,10 @@ print(result)
|
|||
%_clang_lto_cflags -flto
|
||||
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
|
||||
|
||||
# Some linkers default to a build-id algoritim that is not supported by rpmbuild,
|
||||
# so we need to specify the right algorithm to use.
|
||||
%_build_id_flags -Wl,--build-id=sha1
|
||||
|
||||
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
|
||||
%_warning_options -Wall -Werror=format-security
|
||||
%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
Summary: Red Hat specific rpm configuration files
|
||||
Name: redhat-rpm-config
|
||||
Version: 206
|
||||
Version: 207
|
||||
Release: 1%{?dist}
|
||||
# No version specified.
|
||||
License: GPL+
|
||||
|
|
@ -190,6 +190,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
|
|||
%doc buildflags.md
|
||||
|
||||
%changelog
|
||||
* Tue Dec 14 2021 Tom Stellard <tstellar@redhat.com> - 207-1
|
||||
- Add -Wl,--build-id=sha1 to the default LDFLAGS
|
||||
|
||||
* Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1
|
||||
- brp-mangle-shebangs: also mangle shebangs of JavaScript executables
|
||||
- Fixes: rhbz#1998924
|
||||
|
|
|
|||
Loading…
Reference in New Issue