----- Original Message -----
From: "Alexander Bokovoy" <abokovoy(a)redhat.com>
To: "Development discussions related to Fedora" <devel(a)lists.fedoraproject.org>
Sent: Friday, March 26, 2021 10:06:28 PM
Subject: Re: Proposal to fail builds if RPATH is found in Fedora 35
On Fri, 26 Mar 2021, Charalampos Stratakis wrote:
>Hi all.
>
>Some time ago there was a discussion from the Fedora Packaging
>Committee [0] about automatically disallowing the usage of RPATH in
>Fedora to bring it in-line with the packaging guidelines[1].
>Essentially a package MUST remove the RPATH entry from its binaries
>and/or .so files if it is detected by the check-rpaths script [2]
>coming from the rpm-build package.
>
>However, the script was never run during rpmbuild so it was at the
>discretion of the packager if they'd check for it or not. The intention
>is to enable the check through redhat-rpm-config during the
>invocation of %__os_install_post. An opt-out mechanism will be
>provided for cases where it's absolutely necessary.
>
>After an analysis of all the x86_64 packages, 92 fail to build due to
>an RPATH issue detected by the check-rpaths script [3]. Full list is
>provided below.
>
>Everything will be implemented through a Fedora change and all the
>packagers whose packages have been affected by the preliminary
>analysis will be contacted first.

The logic for banning RPATH in the packaging guidelines operates with
terms like "usually smarter than" and "usually do not permit" but has
very little to describe why this should be done.

Indeed and the guidelines will need to be updated to clarify that (and a motivation
section at the change proposal). Security is the main thing, as directories arbitrarily set
by various upstreams won't be included in the search path, a minor speed bump could be
noticed as well for the same reason.

The main idea though is to make the rpath usage opt-in and have packagers clarify why
rpath should be used for their packages. I believe using an opt-in (yet to be defined)
macro in the SPEC with a comment explaining should be enough justification.

It also lacks clarity for the most common valid use of Rpath, namely,
plugin support for an application.
For example, Samba has a number of internal libraries in
/usr/lib64/samba which have to be linked to by any plugin built for
Samba, even when it is provided by a different package. This situation
is not described in the packaging guidelines and practically ignored.

Thanks for this example, I'll investigate that specific use case.

"Alternatives to Rpath" in this case do not exist because adding custom
configuration file into a system-wide dynamic linker configuration is
the last thing you should do for this use case at all.

It is interesting that the behavior of check-rpaths script also isn't
really outlawing any plugin's Rpath use either so you don't see Samba or
similar plugin-based applications in the list of affected packages.

To me it looks like the packaging guidelines are incomplete and
misleading and better be clarified with regards to Rpath use.
>
>Thoughts and feedback are welcome.
>
>[0] https://pagure.io/packaging-committee/issue/886
>[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_beware_of_rpath
>[2] https://github.com/rpm-software-management/rpm/blob/6b21e736a3e47071b33ff7c34e5cfb5447997e18/scripts/check-rpaths-worker
>[3] https://copr.fedorainfracloud.org/coprs/cstratak/rpath/builds/
>
>List of packages affected so far:
>
>Maintainers by package:
>Io-language limb
>NLopt besser82
>SDL_image jwrdegoede limb moezroy
>WindowMaker sham1
>abc brouhaha jjames somlo
>audiofile ajax alexl caillon caolanm limb rhughes rstrode ssp
>binutils aoliva jakub jankratochvil law mcermak nickc
>cfitsio orion sergiopr
>community-mysql hhorak ljavorsk mmuzila mschorm
>compat-guile18 jskarvad limb mlichvar tkorbar
>condor bbockelm bcotton eerlands matt matyas stevetraylen tstclair ttheisen valtri
>conky-manager moceap
>czmq denisarnaud jpo
>eb moceap petersen
>esc jmagne
>ettercap limb
>fcl rmattes thofmann
>fortune-mod sheltren shlomif
>freeradius cipherboy nkondras rharwood
>glib2 alexl caillon caolanm mbarnes mclasen rhughes rstrode rtcm ssp
>gnokii limb robert snirkel
>gpgme fkluknav ignatenkobrain isimluk rdieter
>gpick luya
>gupnp-dlna kalev zeenix
>hdf orion sagitter
>jq hguemar lon
>k3guitune dtimms
>kdebase3 jreznik kkofler rdieter than
>kdegames3 kkofler rdieter than
>kdepim3 jreznik ovasik rdieter than
>kicad avigne coremodule lkundrak stevenfalco tnorth
>koffice-kivio kkofler rdieter
>komparator nbecker
>laszip devrim neteler smani
>levmar aalvarez brouhaha
>libXcm cicku kwizart
>libburn cwickert fkluknav hhorak pcahyna robert
>libcommuni atim
>libdkimpp dfateyev
>libdxfrw hobbes1069 spot
>libeXosip2 nucleo
>libisoburn fkluknav hhorak robert
>libkkc ueno
>libminc ignatenkobrain
>liboping fab lkundrak
>libosip2 nucleo
>libprelude fab totol
>librfid kushal
>lutok jmmv
>mcpp kmatsui mef
>mingw-qt5-qt3d epienbro smani
>mingw-qt5-qtbase epienbro smani
>mingw-qt5-qtdeclarative epienbro smani
>mingw-qt5-qttools epienbro smani
>mod_wsgi jdornak jkaluza jorton lmacken mrunge
>mongo-c-driver remi
>ncview deji orion
>nightview lkundrak
>openjade ovasik
>openscap evgenyz isimluk jcerny matyc mmarhefk pvrabec vpolasek wsato
>pam_mount lupinix steve till
>pam_yubico nb ohaessler wzzrd
>perl-SDL jwrdegoede
>pinentry branto jjelen rdieter
>plotmm orphan
>python2.7 churchyard cstratak torsava vstinner
>qucs avigne jskarvad
>qwtpolar volter
>rarian nonamedotc
>rb_libtorrent fale mooninite
>rrdtool jskarvad
>scap-workbench evgenyz jcerny matyc mbarabas mlysonek mmarhefk pvrabec wsato
>scipy cstratak jspaleta nforro orion tomspur ttomecek
>sofia-sip orphan
>sqlite2 spot
>stp amdunn jjames
>suitesparse deji jkastner mjakubicek nphilipp orion
>sylfilter aarem
>texlive-base spot
>tracker amigadave deji garnacho ignatenkobrain mcrha rishi
>tracker-miners garnacho kalev rishi
>usnic-tools honli
>vanessa_logger hubbitus
>verbiste cicku icon tartare
>woff2 erack tpopela
>xbsql spot
>xdotool ohaessler orion slankes
>xeus qulogic
>xmms spot
>yaz cicku guidograzioli
>zinnia liangsuilong pwu
>zvbi buc jwrdegoede mchehab
>
>Packages by maintainer:
>aalvarez levmar
>aarem sylfilter
>ajax audiofile
>alexl audiofile glib2
>amdunn stp
>amigadave tracker
>aoliva binutils
>atim libcommuni
>avigne kicad qucs
>bbockelm condor
>bcotton condor
>besser82 NLopt
>branto pinentry
>brouhaha abc levmar
>buc zvbi
>caillon audiofile glib2
>caolanm audiofile glib2
>churchyard python2.7
>cicku libXcm verbiste yaz
>cipherboy freeradius
>coremodule kicad
>cstratak python2.7 scipy
>cwickert libburn
>deji ncview suitesparse tracker
>denisarnaud czmq
>devrim laszip
>dfateyev libdkimpp
>dtimms k3guitune
>eerlands condor
>epienbro mingw-qt5-qt3d mingw-qt5-qtbase mingw-qt5-qtdeclarative mingw-qt5-qttools
>erack woff2
>evgenyz openscap scap-workbench
>fab liboping libprelude
>fale rb_libtorrent
>fkluknav gpgme libburn libisoburn
>garnacho tracker tracker-miners
>guidograzioli yaz
>hguemar jq
>hhorak community-mysql libburn libisoburn
>hobbes1069 libdxfrw
>honli usnic-tools
>hubbitus vanessa_logger
>icon verbiste
>ignatenkobrain gpgme libminc tracker
>isimluk gpgme openscap
>jakub binutils
>jankratochvil binutils
>jcerny openscap scap-workbench
>jdornak mod_wsgi
>jjames abc stp
>jjelen pinentry
>jkaluza mod_wsgi
>jkastner suitesparse
>jmagne esc
>jmmv lutok
>jorton mod_wsgi
>jpo czmq
>jreznik kdebase3 kdepim3
>jskarvad compat-guile18 qucs rrdtool
>jspaleta scipy
>jwrdegoede SDL_image perl-SDL zvbi
>kalev gupnp-dlna tracker-miners
>kkofler kdebase3 kdegames3 koffice-kivio
>kmatsui mcpp
>kushal librfid
>kwizart libXcm
>law binutils
>liangsuilong zinnia
>limb Io-language SDL_image audiofile compat-guile18 ettercap gnokii
>ljavorsk community-mysql
>lkundrak kicad liboping nightview
>lmacken mod_wsgi
>lon jq
>lupinix pam_mount
>luya gpick
>matt condor
>matyas condor
>matyc openscap scap-workbench
>mbarabas scap-workbench
>mbarnes glib2
>mcermak binutils
>mchehab zvbi
>mclasen glib2
>mcrha tracker
>mef mcpp
>mjakubicek suitesparse
>mlichvar compat-guile18
>mlysonek scap-workbench
>mmarhefk openscap scap-workbench
>mmuzila community-mysql
>moceap conky-manager eb
>moezroy SDL_image
>mooninite rb_libtorrent
>mrunge mod_wsgi
>mschorm community-mysql
>nb pam_yubico
>nbecker komparator
>neteler laszip
>nforro scipy
>nickc binutils
>nkondras freeradius
>nonamedotc rarian
>nphilipp suitesparse
>nucleo libeXosip2 libosip2
>ohaessler pam_yubico xdotool
>orion cfitsio hdf ncview scipy suitesparse xdotool
>orphan plotmm sofia-sip
>ovasik kdepim3 openjade
>pcahyna libburn
>petersen eb
>pvrabec openscap scap-workbench
>pwu zinnia
>qulogic xeus
>rdieter gpgme kdebase3 kdegames3 kdepim3 koffice-kivio pinentry
>remi mongo-c-driver
>rharwood freeradius
>rhughes audiofile glib2
>rishi tracker tracker-miners
>rmattes fcl
>robert gnokii libburn libisoburn
>rstrode audiofile glib2
>rtcm glib2
>sagitter hdf
>sergiopr cfitsio
>sham1 WindowMaker
>sheltren fortune-mod
>shlomif fortune-mod
>slankes xdotool
>smani laszip mingw-qt5-qt3d mingw-qt5-qtbase mingw-qt5-qtdeclarative mingw-qt5-qttools
>snirkel gnokii
>somlo abc
>spot libdxfrw sqlite2 texlive-base xbsql xmms
>ssp audiofile glib2
>steve pam_mount
>stevenfalco kicad
>stevetraylen condor
>tartare verbiste
>than kdebase3 kdegames3 kdepim3
>thofmann fcl
>till pam_mount
>tkorbar compat-guile18
>tnorth kicad
>tomspur scipy
>torsava python2.7
>totol libprelude
>tpopela woff2
>tstclair condor
>ttheisen condor
>ttomecek scipy
>ueno libkkc
>valtri condor
>volter qwtpolar
>vpolasek openscap
>vstinner python2.7
>wsato openscap scap-workbench
>wzzrd pam_yubico
>zeenix gupnp-dlna
>
>
>--
>Regards,
>
>Charalampos Stratakis
>Software Engineer
>Python Maintenance Team, Red Hat
>_______________________________________________
>devel mailing list -- devel(a)lists.fedoraproject.org
>To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
>Fedora Code of Conduct:
>https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines:
>https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives:
>https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>Do not reply to spam on the list, report it:
>https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
Regards,
Charalampos Stratakis
Software Engineer
Python Maintenance Team, Red Hat
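
An added illustration (not part of the original thread, and not the logic of rpm's check-rpaths script): a small Python audit that pulls RPATH/RUNPATH entries out of `readelf -d` output and separates the private library directory case raised for Samba from entries that put build-time or relative directories into the search path. The sample output, the `STANDARD_DIRS` and `BUILD_PREFIXES` policy and all function names are assumptions made for this example.

```python
import re

# Constructed sample of the two line kinds `readelf -d` prints for
# RPATH/RUNPATH entries. The paths are made up for this example.
SAMPLE_READELF = """\
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib64/samba]
 0x000000000000001d (RUNPATH)            Library runpath: [/builddir/build/BUILD/foo-1.0/.libs:/usr/lib64:$ORIGIN/../lib:lib]
"""

# Assumed policy for this example only (not check-rpaths' own rules).
STANDARD_DIRS = {"/lib", "/lib64", "/usr/lib", "/usr/lib64"}
BUILD_PREFIXES = ("/builddir/", "/tmp/", "/var/tmp/")

ENTRY_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def extract_paths(readelf_output):
    """Yield (tag, directory) for every element of each RPATH/RUNPATH entry."""
    for line in readelf_output.splitlines():
        match = ENTRY_RE.search(line)
        if match:
            for directory in match.group(2).split(":"):
                yield match.group(1), directory


def classify(directory):
    """Sort one search-path element into a review category."""
    if directory == "$ORIGIN" or directory.startswith(("$ORIGIN/", "${ORIGIN}")):
        return "origin-relative"   # resolved against the object's own location
    if not directory.startswith("/"):
        return "insecure"          # empty or relative: not an absolute path
    if directory.startswith(BUILD_PREFIXES):
        return "insecure"          # leftover build or world-writable location
    if directory.rstrip("/") in STANDARD_DIRS:
        return "redundant"         # already on the default search path
    return "private"               # e.g. an application's own library directory


def audit(readelf_output):
    """Return (tag, directory, category) for every search-path element."""
    return [(tag, d, classify(d)) for tag, d in extract_paths(readelf_output)]


def needs_justification(readelf_output):
    """Elements a packager would have to remove or explain under this policy."""
    return [row for row in audit(readelf_output) if row[2] in ("insecure", "redundant")]
```

To audit a real binary, pass the text produced by `readelf -d <file>` to `audit()`.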