From: Herton R. Krzesinski on
gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1721#note_8975...
I think David is backporting patches that need it now. However, @darcari if
you're using this approach, make sure the build is using the full LDFLAGS, and
what I mean by that it should use the flags given by
```%{?build_hostldflags}```, which comes from %build_ldflags macro. This is
what I have here on a rhel9 container (should be same on centos):
```
$ rpm --eval %build_ldflags
-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-
hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
$ rpm --eval %build_cflags
-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe
-Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64
-march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-
protection -fcf-protection
```
And you check that by adding V=1 to make command. Then you can see the gcc
flags and linker flags being given. If the build doesn't use full cflags and
ldflags (from those defined above), then we may get annocheck reports later
telling there is a problem (failing osci etc.). You'll not see it but us
maintainers can see it later...