commit
c741012df0
@ -0,0 +1,13 @@
|
|||||||
|
#!/bin/sh -efu
|
||||||
|
# Force creating of DSO symlinks.
|
||||||
|
|
||||||
|
# If using normal root, avoid changing anything.
|
||||||
|
if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create an empty config file for ldconfig to shut up a warning
|
||||||
|
config=$(mktemp -p "$RPM_BUILD_ROOT")
|
||||||
|
/sbin/ldconfig -f $(basename "$config") -N -r "$RPM_BUILD_ROOT"
|
||||||
|
rm -f "$config"
|
||||||
|
# TODO: warn if it created new symlinks and guide people.
|
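Review bot: The root guard `[ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]` runs with `-u` from the shebang, so an unset `RPM_BUILD_ROOT` aborts with an unbound-variable error instead of reaching `exit 0`. The two `-eu` bash scripts later in this commit expand the variable the same way in their guards. `if [ -z "${RPM_BUILD_ROOT:-}" ] || [ "${RPM_BUILD_ROOT:-}" = "/" ]; then` keeps the intended no-op and also drops the obsolescent `-o` operator. Separately, `-e` ends the script when `/sbin/ldconfig` returns non-zero, so `rm -f "$config"` is skipped and the empty temp file stays inside the build root; `trap 'rm -f "$config"' EXIT` placed right after the `mktemp` line would cover that path.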
@ -0,0 +1,54 @@
|
|||||||
|
#!/usr/bin/bash -eu
|
||||||
|
|
||||||
|
|
||||||
|
if [ -z "$RPM_BUILD_ROOT" ] || [ "$RPM_BUILD_ROOT" = "/" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
CLANG_FLAGS=$@
|
||||||
|
NCPUS=${RPM_BUILD_NCPUS:-1}
|
||||||
|
|
||||||
|
check_convert_bitcode () {
|
||||||
|
local file_name=$(realpath ${1})
|
||||||
|
local file_type=$(file ${file_name})
|
||||||
|
|
||||||
|
shift
|
||||||
|
CLANG_FLAGS="$@"
|
||||||
|
|
||||||
|
if [[ "${file_type}" == *"LLVM IR bitcode"* ]]; then
|
||||||
|
# Check the output of llvm-strings for the command line, which is in the LLVM bitcode because
|
||||||
|
# we pass -frecord-gcc-switches.
|
||||||
|
# Check for a line that has "-flto" after (or without) "-fno-lto".
|
||||||
|
llvm-strings ${file_name} | while read line ; do
|
||||||
|
flto=$(echo $line | grep -o -b -e -flto | tail -n 1 | cut -d : -f 1)
|
||||||
|
fnolto=$(echo $line | grep -o -b -e -fno-lto | tail -n 1 | cut -d : -f 1)
|
||||||
|
|
||||||
|
if test -n "$flto" && { test -z "$fnolto" || test "$flto" -gt "$fnolto"; } ; then
|
||||||
|
echo "Compiling LLVM bitcode file ${file_name}."
|
||||||
|
clang ${CLANG_FLAGS} -fno-lto -Wno-unused-command-line-argument \
|
||||||
|
-x ir ${file_name} -c -o ${file_name}
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
elif [[ "${file_type}" == *"current ar archive"* ]]; then
|
||||||
|
echo "Unpacking ar archive ${file_name} to check for LLVM bitcode components."
|
||||||
|
# create archive stage for objects
|
||||||
|
local archive_stage=$(mktemp -d)
|
||||||
|
local archive=${file_name}
|
||||||
|
pushd ${archive_stage}
|
||||||
|
ar x ${archive}
|
||||||
|
for archived_file in $(find -not -type d); do
|
||||||
|
check_convert_bitcode ${archived_file} ${CLANG_FLAGS}
|
||||||
|
echo "Repacking ${archived_file} into ${archive}."
|
||||||
|
ar r ${archive} ${archived_file}
|
||||||
|
done
|
||||||
|
popd
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
echo "Checking for LLVM bitcode artifacts"
|
||||||
|
export -f check_convert_bitcode
|
||||||
|
# Deduplicate by device:inode to avoid processing hardlinks in parallel.
|
||||||
|
find "$RPM_BUILD_ROOT" -type f -name "*.[ao]" -printf "%D:%i %p\n" | \
|
||||||
|
awk '!seen[$1]++' | cut -d" " -f2- | \
|
||||||
|
xargs -d"\n" -r -n1 -P$NCPUS sh -c "check_convert_bitcode \$@ $CLANG_FLAGS" ARG0
|
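Review bot: Path expansions are unquoted throughout `check_convert_bitcode` and in the final `xargs ... sh -c` line, so a build-root path containing whitespace or glob characters is split. `realpath ${1}` then sees only the first word, and after `shift` the remaining fragments are assigned to `CLANG_FLAGS` and end up on the `clang` command line. These file names come from the package's build output and should be handled as data: `local file_name=$(realpath "${1}")` and `sh -c "check_convert_bitcode \"\$@\" $CLANG_FLAGS" ARG0` keep each path as one word. The same quoting is needed for `${file_name}`, `${archive}` and the `for archived_file in $(find -not -type d)` loop. The directory created by `mktemp -d` is also never removed; `rm -rf -- "${archive_stage}"` after `popd` would clean it up.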
@ -0,0 +1,165 @@
|
|||||||
|
#!/bin/bash -eu
|
||||||
|
|
||||||
|
# If using normal root, avoid changing anything.
|
||||||
|
if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
exclude_files=""
|
||||||
|
exclude_files_from=""
|
||||||
|
exclude_shebangs=""
|
||||||
|
exclude_shebangs_from=""
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
local verbose=$1 && shift
|
||||||
|
local outfile=$1 && shift
|
||||||
|
local status=$1 && shift
|
||||||
|
|
||||||
|
(
|
||||||
|
echo 'usage: brp-mangle-shebangs [--files <regexp>] [--files-from <file>] [--shebangs <regexp>] [--shebangs-from <file>]'
|
||||||
|
if [ "${verbose}" == "yes" ]; then
|
||||||
|
echo ' --files: extended regexp of files to ignore'
|
||||||
|
echo ' --files-from: file containing a list of extended regexps of files to ignore'
|
||||||
|
echo ' --shebangs: extended regexp of shebangs to ignore'
|
||||||
|
echo ' --shebangs-from: file containing a list of extended regexps of shebangs to ignore'
|
||||||
|
fi
|
||||||
|
) >>${outfile}
|
||||||
|
exit ${status}
|
||||||
|
}
|
||||||
|
|
||||||
|
while [ $# -gt 0 ] ; do
|
||||||
|
case "$1" in
|
||||||
|
--files)
|
||||||
|
exclude_files="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--files=*)
|
||||||
|
exclude_files="${1##--files=}"
|
||||||
|
;;
|
||||||
|
--files-from)
|
||||||
|
exclude_files_from="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--files-from=*)
|
||||||
|
exclude_files_from="${1##--files-from=}"
|
||||||
|
;;
|
||||||
|
--shebangs)
|
||||||
|
exclude_shebangs="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--shebangs=*)
|
||||||
|
exclude_shebangs="${1##--shebangs=}"
|
||||||
|
;;
|
||||||
|
--shebangs-from)
|
||||||
|
exclude_shebangs_from="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--shebangs-from=*)
|
||||||
|
exclude_shebangs_from="${1##--shebangs-from=}"
|
||||||
|
;;
|
||||||
|
--help|--usage|"-?"|-h)
|
||||||
|
usage yes /dev/stdout 0
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Unknown option \"${1}\"" 1>&2
|
||||||
|
usage no /dev/stderr 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
cd "$RPM_BUILD_ROOT"
|
||||||
|
|
||||||
|
# Large packages such as kernel can have thousands of executable files.
|
||||||
|
# We take care to not fork/exec thousands of "file"s and "grep"s,
|
||||||
|
# but run just two of them.
|
||||||
|
# (Take care to exclude filenames which would mangle "file" output).
|
||||||
|
find -executable -type f ! -path '*:*' ! -path $'*\n*' \
|
||||||
|
| file -N --mime-type -f - \
|
||||||
|
| grep -P ".+(?=: (text/|application/javascript))" \
|
||||||
|
| {
|
||||||
|
fail=0
|
||||||
|
while IFS= read -r line; do
|
||||||
|
f=${line%%:*}
|
||||||
|
|
||||||
|
# Remove the dot
|
||||||
|
path="${f#.}"
|
||||||
|
|
||||||
|
if [ -n "$exclude_files" ]; then
|
||||||
|
echo "$path" | grep -q -E "$exclude_files" && continue
|
||||||
|
fi
|
||||||
|
if [ -n "$exclude_files_from" ]; then
|
||||||
|
echo "$path" | grep -q -E -f "$exclude_files_from" && continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if ! read shebang_line < "$f"; then
|
||||||
|
echo >&2 "*** WARNING: Cannot read the first line from $f, removing executable bit"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
chmod -x "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
orig_shebang="${shebang_line#\#!}"
|
||||||
|
if [ "$orig_shebang" = "$shebang_line" ]; then
|
||||||
|
echo >&2 "*** WARNING: $f is executable but has no shebang, removing executable bit"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
chmod -x "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Trim spaces
|
||||||
|
while shebang="${orig_shebang// / }"; [ "$shebang" != "$orig_shebang" ]; do
|
||||||
|
orig_shebang="$shebang"
|
||||||
|
done
|
||||||
|
# Treat "#! /path/to " as "#!/path/to"
|
||||||
|
orig_shebang="${orig_shebang# }"
|
||||||
|
|
||||||
|
shebang="$orig_shebang"
|
||||||
|
|
||||||
|
if [ -z "$shebang" ]; then
|
||||||
|
echo >&2 "*** WARNING: $f is executable but has empty shebang, removing executable bit"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
chmod -x "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
if [ -n "${shebang##/*}" ]; then
|
||||||
|
echo >&2 "*** ERROR: $f has shebang which doesn't start with '/' ($shebang)"
|
||||||
|
fail=1
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! { echo "$shebang" | grep -q -P "^/(?:usr/)?(?:bin|sbin)/"; }; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Replace "special" env shebang:
|
||||||
|
# /whatsoever/env /whatever/foo → /whatever/foo
|
||||||
|
shebang=$(echo "$shebang" | sed -r -e 's@^(.+)/env /(.+)$@/\2@')
|
||||||
|
# /whatsoever/env foo → /whatsoever/foo
|
||||||
|
shebang=$(echo "$shebang" | sed -r -e 's@^(.+/)env (.+)$@\1\2@')
|
||||||
|
|
||||||
|
# If the shebang now starts with /bin, change it to /usr/bin
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1581757
|
||||||
|
shebang=$(echo "$shebang" | sed -r -e 's@^/bin/@/usr/bin/@')
|
||||||
|
|
||||||
|
# Replace ambiguous python with python2
|
||||||
|
py_shebang=$(echo "$shebang" | sed -r -e 's@/usr/bin/python(\s|$)@/usr/bin/python2\1@')
|
||||||
|
|
||||||
|
if [ "$shebang" != "$py_shebang" ]; then
|
||||||
|
echo >&2 "*** ERROR: ambiguous python shebang in $path: #!$orig_shebang. Change it to python3 (or python2) explicitly."
|
||||||
|
fail=1
|
||||||
|
elif [ "#!$shebang" != "#!$orig_shebang" ]; then
|
||||||
|
echo "mangling shebang in $path from $orig_shebang to #!$shebang"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
sed -i -e "1c #!$shebang" "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
fi
|
||||||
|
|
||||||
|
done
|
||||||
|
|
||||||
|
exit $fail
|
||||||
|
}
|
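Review bot: The first line is read with `read shebang_line < "$f"` without `-r`, so backslashes in a packaged file's first line are interpreted, and a trailing backslash even joins the second line onto it. The result is later spliced into the sed program in `sed -i -e "1c #!$shebang" "$f"`, where GNU sed processes backslash sequences in the text once more. That line is content supplied by the package being built, so it should stay literal: `if ! read -r shebang_line < "$f"; then`. The value passed to `sed` should also have its backslashes escaped, or the new first line can be written with `printf '%s\n'` followed by the rest of the file. Separately, `--files` and the other two-argument options read `${2}` without checking that it exists, which under `-u` aborts with an unbound-variable error instead of printing the usage message.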
@ -0,0 +1,17 @@
|
|||||||
|
#!/usr/bin/sh
|
||||||
|
# If using normal root, avoid changing anything.
|
||||||
|
if [ -z "$RPM_BUILD_ROOT" ] || [ "$RPM_BUILD_ROOT" = "/" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
STRIP=${1:-strip}
|
||||||
|
NCPUS=${RPM_BUILD_NCPUS:-1}
|
||||||
|
|
||||||
|
case `uname -a` in
|
||||||
|
Darwin*) exit 0 ;;
|
||||||
|
*) ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# Strip ELF binaries
|
||||||
|
find "$RPM_BUILD_ROOT" -type f -name '*.[ao]' \! -regex "$RPM_BUILD_ROOT/*usr/lib/debug.*" -print0 | \
|
||||||
|
eu-elfclassify --not-program --not-library --not-linux-kernel-module --stdin0 --print0 | xargs -0 -r -P$NCPUS -n32 sh -c "$STRIP -p -R .gnu.lto_* -R .gnu.debuglto_* -N __gnu_lto_v1 \"\$@\"" ARG0
|
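Review bot: In the `sh -c` string on the last line, the section patterns `.gnu.lto_*` and `.gnu.debuglto_*` are unquoted, so the inner shell glob-expands them against the current directory before `$STRIP` sees them. A matching file name there would replace the pattern and the LTO sections would silently be left in place. Single quotes inside the command string avoid that: `sh -c "$STRIP -p -R '.gnu.lto_*' -R '.gnu.debuglto_*' -N __gnu_lto_v1 \"\$@\"" ARG0`. The `-regex "$RPM_BUILD_ROOT/*usr/lib/debug.*"` exclusion also interpolates the build-root path into a regular expression, so a path containing regex metacharacters (a `+` in a package name, for instance) may stop the exclusion from matching. A `-path "$RPM_BUILD_ROOT/usr/lib/debug/*"` test would probably be more robust, but should be checked against the intended matches. `-P$NCPUS` should be quoted as `-P"$NCPUS"`.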
@ -0,0 +1,743 @@
|
|||||||
|
This document contains documentation of the individual compiler flags
|
||||||
|
and how to use them.
|
||||||
|
|
||||||
|
[TOC]
|
||||||
|
|
||||||
|
# Using RPM build flags
|
||||||
|
|
||||||
|
The %set_build_flags macro sets the environment variables `CFLAGS`,
|
||||||
|
`CXXFLAGS`, `FFLAGS`, `FCFLAGS`, `VALAFLAGS`, `LDFLAGS` and `LT_SYS_LIBRARY_PATH` to
|
||||||
|
the value of their corresponding rpm macros. `%set_build_flags` is automatically
|
||||||
|
called prior to the `%build`, `%check`, and `%install` phases so these flags can be
|
||||||
|
used by makefiles and other build tools.
|
||||||
|
|
||||||
|
You can opt out of this behavior by doing:
|
||||||
|
|
||||||
|
%undefine _auto_set_build_flags
|
||||||
|
|
||||||
|
If you do opt out of this behavior, you can still manually use `%set_build_flags`
|
||||||
|
by adding it to the `%build` section of your spec file or by using one of the
|
||||||
|
build system helper macros like `%configure`, `%cmake`, and `%meson`.
|
||||||
|
|
||||||
|
For packages which use autoconf to set up the build environment, use
|
||||||
|
the `%configure` macro to obtain the full complement of flags, like
|
||||||
|
this:
|
||||||
|
|
||||||
|
%configure
|
||||||
|
|
||||||
|
This will invoke `./configure` with arguments (such as
|
||||||
|
`--prefix=/usr`) to adjust the paths to the packaging defaults. Prior
|
||||||
|
to that, some common problems in autotools scripts are automatically
|
||||||
|
patched across the source tree.
|
||||||
|
|
||||||
|
Individual build flags are also available through RPM macros:
|
||||||
|
|
||||||
|
* `%{build_cc}` for the command name of the C compiler.
|
||||||
|
* `%{build_cxx}` for the command name of the C++ compiler.
|
||||||
|
* `%{build_cpp}` for the command name of the C-compatible preprocessor.
|
||||||
|
* `%{build_cflags}` for the C compiler flags (also known as the
|
||||||
|
`CFLAGS` variable).
|
||||||
|
* `%{build_cxxflags}` for the C++ compiler flags (usually assigned to
|
||||||
|
the `CXXFLAGS` shell variable).
|
||||||
|
* `%{build_fflags}` for `FFLAGS` (the Fortran compiler flags, also
|
||||||
|
known as the `FCFLAGS` variable).
|
||||||
|
* `%{build_valaflags}` for `VALAFLAGS` (the Vala compiler flags)
|
||||||
|
* `%{build_ldflags}` for the linker (`ld`) flags, usually known as
|
||||||
|
`LDFLAGS`. Note that the contents quote linker arguments using
|
||||||
|
`-Wl`, so this variable is intended for use with the `gcc` compiler
|
||||||
|
driver. At the start of the `%build` section, the environment
|
||||||
|
variable `RPM_LD_FLAGS` is set to this value.
|
||||||
|
|
||||||
|
The C and C++ compiler flags are historically available as the
|
||||||
|
`%{optflags}` macro. These flags may not contain flags that work with
|
||||||
|
certain languagues or compiler front ends, so the language-specific
|
||||||
|
`%build_*` are more precise. At the start of the `%build` section,
|
||||||
|
the environment variable `RPM_OPT_FLAGS` is set to the `%{optflags}`
|
||||||
|
value; similar limitations apply.
|
||||||
|
|
||||||
|
The variable `LT_SYS_LIBRARY_PATH` is defined here to prevent the `libtool`
|
||||||
|
script (v2.4.6+) from hardcoding `%_libdir` into the binaries' `RPATH`.
|
||||||
|
|
||||||
|
These RPM macros do not alter shell environment variables.
|
||||||
|
|
||||||
|
For some other build tools separate mechanisms exist:
|
||||||
|
|
||||||
|
* CMake builds use the the `%cmake` macro from the `cmake-rpm-macros`
|
||||||
|
package.
|
||||||
|
|
||||||
|
Care must be taking not to compile the current selection of compiler
|
||||||
|
flags into any RPM package besides `redhat-rpm-config`, so that flag
|
||||||
|
changes are picked up automatically once `redhat-rpm-config` is
|
||||||
|
updated.
|
||||||
|
|
||||||
|
# Flag selection for the build type
|
||||||
|
|
||||||
|
The default flags are suitable for building applications.
|
||||||
|
|
||||||
|
For building shared objects, you must compile with `-fPIC` in
|
||||||
|
(`CFLAGS` or `CXXFLAGS`) and link with `-shared` (in `LDFLAGS`).
|
||||||
|
|
||||||
|
For other considerations involving shared objects, see:
|
||||||
|
|
||||||
|
* [Fedora Packaging Guidelines: Shared Libraries](https://docs.fedoraproject.org/en-US/packaging-guidelines/#_shared_libraries)
|
||||||
|
|
||||||
|
# Customizing compiler and other build flags
|
||||||
|
|
||||||
|
It is possible to set RPM macros to change some aspects of the
|
||||||
|
compiler flags. Changing these flags should be used as a last
|
||||||
|
recourse if other workarounds are not available.
|
||||||
|
|
||||||
|
### Toolchain selection
|
||||||
|
|
||||||
|
The default toolchain uses GCC, and the `%toolchain` macro is defined
|
||||||
|
as `gcc`.
|
||||||
|
|
||||||
|
It is enough to override `toolchain` macro and all relevant macro for C/C++
|
||||||
|
compilers will be switched. Either in the spec or in the command-line.
|
||||||
|
|
||||||
|
%global toolchain clang
|
||||||
|
|
||||||
|
or:
|
||||||
|
|
||||||
|
rpmbuild -D "toolchain clang" …
|
||||||
|
|
||||||
|
Inside a spec file it is also possible to determine which toolchain is in use
|
||||||
|
by testing the same macro. For example:
|
||||||
|
|
||||||
|
%if "%{toolchain}" == "gcc"
|
||||||
|
BuildRequires: gcc
|
||||||
|
%endif
|
||||||
|
|
||||||
|
or:
|
||||||
|
|
||||||
|
%if "%{toolchain}" == "clang"
|
||||||
|
BuildRequires: clang compiler-rt
|
||||||
|
%endif
|
||||||
|
|
||||||
|
### Controlling Type Safety
|
||||||
|
|
||||||
|
The macro `%build_type_safety_c` can be set to change the C type
|
||||||
|
safety level. The default level is 3, see below. It can be set to 0
|
||||||
|
to get historic levels of type safety. Changing the type safety level
|
||||||
|
may depend on correct `CFLAGS` propagation during the build. The
|
||||||
|
`%build_type_safety_c` macro needs to be set before `CFLAGS`-related
|
||||||
|
macros are expanded by RPM (that is, earlier in the file works
|
||||||
|
better).
|
||||||
|
|
||||||
|
Packages can set `%build_type_safety_c` to higher values to adopt
|
||||||
|
future distribution-wide type-safety increases early. When changing
|
||||||
|
the `%build_type_safety_c` level to increase it, spec file should use
|
||||||
|
a construct like this to avoid *lowering* a future default:
|
||||||
|
|
||||||
|
```
|
||||||
|
%if %build_type_safety_c < 4
|
||||||
|
%global build_type_safety_c 4
|
||||||
|
%endif
|
||||||
|
```
|
||||||
|
|
||||||
|
At level 0, all C constructs that GCC accepts for backwards
|
||||||
|
compatibility with obsolete language standards are accepted during
|
||||||
|
package builds. This is achieved by passing `-fpermissive` to GCC.
|
||||||
|
|
||||||
|
At level 1, the following additional error categories are enabled:
|
||||||
|
|
||||||
|
* `-Werror=implicit-int`: Reject declarations and definitions that
|
||||||
|
omit a type name where one is required. Examples are:
|
||||||
|
`extern int_variable;`, `extern int_returning_function (void);`,
|
||||||
|
and missing separate parameter type declarations in old-style
|
||||||
|
function definitions.
|
||||||
|
* `-Werror=implicit-function-declaration`: Reject calls to functions
|
||||||
|
to undeclared functions such as `function_not_defined_anywhere ()`.
|
||||||
|
Previously, such expressions where we compiled as if a declaration
|
||||||
|
`extern int function_not_defined_anywhere ();` (a prototype-less
|
||||||
|
function declaration) were in scope.
|
||||||
|
* `-Werror=return-mismatch`: Reject `return` statements with missing
|
||||||
|
or extra expressions, based on the declared return type of the
|
||||||
|
function.
|
||||||
|
* `-Wdeclaration-missing-parameter-type`: Reject function declarations
|
||||||
|
that contain unknown type names (which used to be treated as ignored
|
||||||
|
identifier names).
|
||||||
|
|
||||||
|
At level 2, the following error category is enabled in addition:
|
||||||
|
|
||||||
|
* `-Werror=int-conversion`: Reject the use of integer expressions
|
||||||
|
where a pointer type expected, and pointer expressions where an
|
||||||
|
integer type is expected. Without this option, GCC may produce an
|
||||||
|
executable, but often, there are failures at run time because not
|
||||||
|
the full 64 bits of pointers are preserved.
|
||||||
|
|
||||||
|
The additional level 3 error category is:
|
||||||
|
|
||||||
|
* `-Werror=incompatible-pointer-types`: An expression of one pointer
|
||||||
|
type is used where different pointer type is expected. (This does
|
||||||
|
not cover signed/unsigned mismatches in the pointer target type.)
|
||||||
|
|
||||||
|
Clang errors out on more obsolete and invalid C constructs than C, so
|
||||||
|
the type safety is higher by default than with the GCC toolchain.
|
||||||
|
|
||||||
|
### Disable autotools compatibility patching
|
||||||
|
|
||||||
|
By default, the invocation of the `%configure` macro replaces
|
||||||
|
`config.guess` files in the source tree with the system version. To
|
||||||
|
disable that, define this macro:
|
||||||
|
|
||||||
|
%global _configure_gnuconfig_hack 0
|
||||||
|
|
||||||
|
`%configure` also patches `ltmain.sh` scripts, so that linker flags
|
||||||
|
are set as well during libtool-. This can be switched off using:
|
||||||
|
|
||||||
|
%global _configure_libtool_hardening_hack 0
|
||||||
|
|
||||||
|
Further patching happens in LTO mode, see below.
|
||||||
|
|
||||||
|
### Other autotools compatibility settings
|
||||||
|
|
||||||
|
During `%configure`, `--runstatedir` is automatically passed to the
|
||||||
|
`configure` script if support for this option is detected. This
|
||||||
|
detection can fail if the package has multiple `configure` scripts
|
||||||
|
that invoke each other, and only some of them support `--runstatedir`.
|
||||||
|
To disable passing `--runstatedir`, use:
|
||||||
|
|
||||||
|
%undefine _configure_use_runstatedir
|
||||||
|
|
||||||
|
### Disabling Link-Time Optimization
|
||||||
|
|
||||||
|
By default, builds use link-time optimization. In this build mode,
|
||||||
|
object code is generated at the time of the final link, by combining
|
||||||
|
information from all available translation units, and taking into
|
||||||
|
account which symbols are exported.
|
||||||
|
|
||||||
|
To disable this optimization, include this in the spec file:
|
||||||
|
|
||||||
|
%global _lto_cflags %{nil}
|
||||||
|
|
||||||
|
If LTO is enabled, `%configure` applies some common required fixes to
|
||||||
|
`configure` scripts. To disable that, define the RPM macro
|
||||||
|
`_fix_broken_configure_for_lto` as `true` (sic; it has to be a shell
|
||||||
|
command).
|
||||||
|
|
||||||
|
### Lazy binding
|
||||||
|
|
||||||
|
If your package depends on the semantics of lazy binding (e.g., it has
|
||||||
|
plugins which load additional plugins to complete their dependencies,
|
||||||
|
before which some referenced functions are undefined), you should put
|
||||||
|
`-Wl,-z,lazy` at the end of the `LDFLAGS` setting when linking objects
|
||||||
|
which have such requirements. Under these circumstances, it is
|
||||||
|
unnecessary to disable hardened builds (and thus lose full ASLR for
|
||||||
|
executables), or link everything without `-Wl,z,now` (non-lazy
|
||||||
|
binding).
|
||||||
|
|
||||||
|
### Hardened builds
|
||||||
|
|
||||||
|
By default, the build flags enable fully hardened builds. To change
|
||||||
|
this, include this in the RPM spec file:
|
||||||
|
|
||||||
|
%undefine _hardened_build
|
||||||
|
|
||||||
|
This turns off certain hardening features, as described in detail
|
||||||
|
below. The main difference is that executables will be
|
||||||
|
position-dependent (no full ASLR) and use lazy binding.
|
||||||
|
|
||||||
|
### Source Fortification
|
||||||
|
|
||||||
|
By default, the build flags include `-Wp,-D_FORTIFY_SOURCE=3`: Source
|
||||||
|
fortification activates various hardening features in glibc:
|
||||||
|
|
||||||
|
* String functions such as `memcpy` attempt to detect buffer lengths
|
||||||
|
and terminate the process if a buffer overflow is detected.
|
||||||
|
* `printf` format strings may only contain the `%n` format specifier
|
||||||
|
if the format string resides in read-only memory.
|
||||||
|
* `open` and `openat` flags are checked for consistency with the
|
||||||
|
presence of a *mode* argument.
|
||||||
|
* Plus other minor hardening changes.
|
||||||
|
|
||||||
|
These changes can, on rare occasions, break valid programs. The source
|
||||||
|
fortification level can be overridden by adding this in the RPM spec file:
|
||||||
|
|
||||||
|
%define _fortify_level 2
|
||||||
|
|
||||||
|
to reduce source fortification level to 2 or:
|
||||||
|
|
||||||
|
%undefine _fortify_level
|
||||||
|
|
||||||
|
to disable fortification altogether.
|
||||||
|
|
||||||
|
### Annotated builds/watermarking
|
||||||
|
|
||||||
|
By default, the build flags cause a special output section to be
|
||||||
|
included in ELF files which describes certain aspects of the build.
|
||||||
|
To change this for all compiler invocations, include this in the RPM
|
||||||
|
spec file:
|
||||||
|
|
||||||
|
%undefine _annotated_build
|
||||||
|
|
||||||
|
Be warned that this turns off watermarking, making it impossible to do
|
||||||
|
full hardening coverage analysis for any binaries produced.
|
||||||
|
|
||||||
|
It is possible to disable annotations for individual compiler
|
||||||
|
invocations, using the `-fplugin-arg-annobin-disable` flag. However,
|
||||||
|
the annobin plugin must still be loaded for this flag to be
|
||||||
|
recognized, so it has to come after the hardening flags on the command
|
||||||
|
line (it has to be added at the end of `CFLAGS`, or specified after
|
||||||
|
the `CFLAGS` variable contents).
|
||||||
|
|
||||||
|
### Keeping dependencies on unused shared objects
|
||||||
|
|
||||||
|
By default, ELF shared objects which are listed on the linker command
|
||||||
|
line, but which have no referencing symbols in the preceding objects,
|
||||||
|
are not added to the output file during the final link.
|
||||||
|
|
||||||
|
In order to keep dependencies on shared objects even if none of
|
||||||
|
their symbols are used, include this in the RPM spec file:
|
||||||
|
|
||||||
|
%undefine _ld_as_needed
|
||||||
|
|
||||||
|
For example, this can be required if shared objects are used for their
|
||||||
|
side effects in ELF constructors, or for making them available to
|
||||||
|
dynamically loaded plugins.
|
||||||
|
|
||||||
|
### Switching to legacy relative relocations
|
||||||
|
|
||||||
|
By default, ELF objects use the architecture-independent `DT_RELR`
|
||||||
|
mechanism for relative relocations. To switch to the older,
|
||||||
|
architecture-specific relocation scheme, add this to the RPM spec file:
|
||||||
|
|
||||||
|
%undefine _ld_pack_relocs
|
||||||
|
|
||||||
|
This adds `-Wl,-z,pack-relative-relocs` to the linker flags (`LDFLAGS`).
|
||||||
|
|
||||||
|
### Specifying the build-id algorithm
|
||||||
|
|
||||||
|
If you want to specify a different build-id algorithm for your builds, you
|
||||||
|
can use the `%_build_id_flags` macro:
|
||||||
|
|
||||||
|
%_build_id_flags -Wl,--build-id=sha1
|
||||||
|
|
||||||
|
### Strict symbol checks in the link editor (ld)
|
||||||
|
|
||||||
|
Optionally, the link editor will refuse to link shared objects which
|
||||||
|
contain undefined symbols. Such symbols lack symbol versioning
|
||||||
|
information and can be bound to the wrong (compatibility) symbol
|
||||||
|
version at run time, and not the actual (default) symbol version which
|
||||||
|
would have been used if the symbol definition had been available at
|
||||||
|
static link time. Furthermore, at run time, the dynamic linker will
|
||||||
|
not have complete dependency information (in the form of DT_NEEDED
|
||||||
|
entries), which can lead to errors (crashes) if IFUNC resolvers are
|
||||||
|
executed before the shared object containing them is fully relocated.
|
||||||
|
|
||||||
|
To switch on these checks, define this macro in the RPM spec file:
|
||||||
|
|
||||||
|
%global _strict_symbol_defs_build 1
|
||||||
|
|
||||||
|
If this RPM spec option is active, link failures will occur if the
|
||||||
|
linker command line does not list all shared objects which are needed.
|
||||||
|
In this case, you need to add the missing DSOs (with linker arguments
|
||||||
|
such as `-lm`). As a result, the link editor will also generated the
|
||||||
|
necessary DT_NEEDED entries.
|
||||||
|
|
||||||
|
In some cases (such as when a DSO is loaded as a plugin and is
|
||||||
|
expected to bind to symbols in the main executable), undefined symbols
|
||||||
|
are expected. In this case, you can add
|
||||||
|
|
||||||
|
%undefine _strict_symbol_defs_build
|
||||||
|
|
||||||
|
to the RPM spec file to disable these strict checks. Alternatively,
|
||||||
|
you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc
|
||||||
|
command line). The latter needs binutils 2.29.1-12.fc28 or later.
|
||||||
|
|
||||||
|
### Legacy -fcommon
|
||||||
|
|
||||||
|
Since version 10, [gcc defaults to `-fno-common`](https://gcc.gnu.org/gcc-10/porting_to.html#common).
|
||||||
|
Builds may fail with `multiple definition of ...` errors.
|
||||||
|
|
||||||
|
As a short term workaround for such failure,
|
||||||
|
it is possible to add `-fcommon` to the flags by defining `%_legacy_common_support`.
|
||||||
|
|
||||||
|
%global _legacy_common_support 1
|
||||||
|
|
||||||
|
Properly fixing the failure is always preferred!
|
||||||
|
|
||||||
|
### Package note on ELF objects
|
||||||
|
|
||||||
|
A note that describes the package name, version, and architecture is
|
||||||
|
inserted via a linker script (`%_package_note_file`). The script is
|
||||||
|
generated when `%set_build_flags` is called. The linker option that
|
||||||
|
injects the linker script is added to `%{build_ldflags}` via the
|
||||||
|
`%{_package_note_flags}` macro.
|
||||||
|
|
||||||
|
To opt out of the use of this feature completely, the best way is to
|
||||||
|
undefine the first macro. Include this in the spec file:
|
||||||
|
|
||||||
|
%undefine _package_note_file
|
||||||
|
|
||||||
|
The other macros can be undefined too to replace parts of the functionality.
|
||||||
|
If `%_generate_package_note_file` is undefined, the linker script will not
|
||||||
|
be generated, but the link flags may still refer to it. This may be useful
|
||||||
|
if the default generation method is insufficient and a different mechanism
|
||||||
|
will be used to generate `%_package_note_file`. If `%_package_note_flags`
|
||||||
|
is undefined, the linker argument that injects the script will not be added
|
||||||
|
to `%build_ldfags`, but the linker script would still be generated.
|
||||||
|
|
||||||
|
### Frame pointers
|
||||||
|
|
||||||
|
Frame pointers will be included by default via the `%_include_frame_pointers`
|
||||||
|
macro. To opt out, the best way is to undefine the macro. Include this in the
|
||||||
|
spec file:
|
||||||
|
|
||||||
|
%undefine _include_frame_pointers
|
||||||
|
|
||||||
|
Note that opting out might still result in frame pointers being included on
|
||||||
|
architectures where they are part of the ABI (e.g. aarch64) depending on
|
||||||
|
compiler defaults.
|
||||||
|
|
||||||
|
### Post-build ELF object processing
|
||||||
|
|
||||||
|
By default, DWARF debugging information is separated from installed
|
||||||
|
ELF objects and put into `-debuginfo` subpackages. To disable most
|
||||||
|
debuginfo processing (and thus the generation of these subpackages),
|
||||||
|
define `_enable_debug_packages` as `0`.
|
||||||
|
|
||||||
|
Processing of debugging information is controlled using the
|
||||||
|
`find-debuginfo` tool from the `debugedit` package. Several aspects
|
||||||
|
of its operation can be controlled at the RPM level.
|
||||||
|
|
||||||
|
* Creation of `-debuginfo` subpackages is enabled by default.
|
||||||
|
To disable, undefine `_debuginfo_subpackages`.
|
||||||
|
* Likewise, `-debugsource` subpackages are automatically created.
|
||||||
|
To disable, undefine `_debugsource_subpackages`.
|
||||||
|
See [Separate Subpackage and Source Debuginfo](https://fedoraproject.org/wiki/Changes/SubpackageAndSourceDebuginfo)
|
||||||
|
for background information.
|
||||||
|
* `_build_id_links`, `_unique_build_ids`, `_unique_debug_names`,
|
||||||
|
`_unique_debug_srcs` control how debugging information and
|
||||||
|
corresponding source files are represented on disk.
|
||||||
|
See `/usr/lib/rpm/macros` for details. The defaults
|
||||||
|
enable parallel installation of `-debuginfo` packages for
|
||||||
|
different package versions, as described in
|
||||||
|
[Parallel Installable Debuginfo](https://fedoraproject.org/wiki/Changes/ParallelInstallableDebuginfo).
|
||||||
|
* By default, a compressed symbol table is preserved in the
|
||||||
|
`.gnu_debugdata` section. To disable that, undefine
|
||||||
|
`_include_minidebuginfo`.
|
||||||
|
* To speed up debuggers, a `.gdb_index` section is created. It can be
|
||||||
|
disabled by undefining `_include_gdb_index`.
|
||||||
|
* Missing build IDs result in a build failure. To ignore such
|
||||||
|
problems, undefine `_missing_build_ids_terminate_build`.
|
||||||
|
* During processing, build IDs are recomputed to match the binary
|
||||||
|
content. To skip this step, define `_no_recompute_build_ids` as `1`.
|
||||||
|
* By default, the options in `_find_debuginfo_dwz_opts` turn on `dwz`
|
||||||
|
(DWARF compression) processing. Undefine this macro to disable this
|
||||||
|
step.
|
||||||
|
* Additional options can be passed by defining the
|
||||||
|
`_find_debuginfo_opts` macro.
|
||||||
|
|
||||||
|
After separation of debugging information, additional transformations
|
||||||
|
are applied, most of them also related to debugging information.
|
||||||
|
These steps can be skipped by undefining the corresponding macros:
|
||||||
|
|
||||||
|
* `__brp_strip`: Removal of leftover debugging information. The tool
|
||||||
|
specified by the `__strip` macro is invoked with the `-g` option on
|
||||||
|
ELF object (`.o`) files.
|
||||||
|
* `__brp_strip_static_archive`: This is similar to `__brp_strip`, but
|
||||||
|
processes static `.a` archives instead.
|
||||||
|
* `__brp_strip_comment_note`: This step removes unallocated `.note`
|
||||||
|
sections, and `.comment` sections from ELF files.
|
||||||
|
* `__brp_strip_lto`: This step removes GCC LTO intermediate representation
|
||||||
|
in ELF sections starting with `.gnu.lto_` and `.gnu.debuglto_`. Skipping
|
||||||
|
this step is strongly discouraged because the tight coupling of LTO
|
||||||
|
data with the GCC version. The underlying tool is again determined by the
|
||||||
|
`__strip` macro.
|
||||||
|
* `__brp_llvm_compile_lto_elf`: This step replaces LLVM bitcode files
|
||||||
|
with object files, thereby removing LLVM bitcode from the installed
|
||||||
|
files. This transformation is applied to object files in static `.a`
|
||||||
|
archives, too.
|
||||||
|
* `__brp_ldconfig`: For each shared object on the library search path
|
||||||
|
whose soname does not match its file name, a symbolic link from the
|
||||||
|
soname to the file name is created. This way, these shared objects
|
||||||
|
are loadable immediately after installation, even if they are not yet
|
||||||
|
listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been
|
||||||
|
invoked yet).
|
||||||
|
* `__brp_remove_la_files`: This step removes libtool-generated `.la`
|
||||||
|
files from the installed files.
|
||||||
|
|
||||||
|
# Individual compiler flags
|
||||||
|
|
||||||
|
Compiler flags end up in the environment variables `CFLAGS`,
|
||||||
|
`CXXFLAGS`, `FFLAGS`, and `FCFLAGS`.
|
||||||
|
|
||||||
|
The general (architecture-independent) build flags are:
|
||||||
|
|
||||||
|
* `-O2`: Turn on various GCC optimizations. See the
|
||||||
|
[GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#index-O2).
|
||||||
|
Optimization improves performance, the accuracy of warnings, and the
|
||||||
|
reach of toolchain-based hardening, but it makes debugging harder.
|
||||||
|
* `-g`: Generate debugging information (DWARF). In Fedora, this data
|
||||||
|
is separated into `-debuginfo` RPM packages whose installation is
|
||||||
|
optional, so debuging information does not increase the size of
|
||||||
|
installed binaries by default.
|
||||||
|
* `-pipe`: Run compiler and assembler in parallel and do not use a
|
||||||
|
temporary file for the assembler input. This can improve
|
||||||
|
compilation performance. (This does not affect code generation.)
|
||||||
|
* `-Wall`: Turn on various GCC warnings.
|
||||||
|
See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wall).
|
||||||
|
* `-Wno-complain-wrong-lang`: Do not warn about front end mismatches
|
||||||
|
(e.g, using `-Werror=format-security` with Fortran). Only included
|
||||||
|
in `%optflags`, and not the front-end-specific `%build_*` macros.
|
||||||
|
* `-Werror=format-security`: Turn on format string warnings and treat
|
||||||
|
them as errors.
|
||||||
|
See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-security).
|
||||||
|
This can occasionally result in compilation errors. In that case,
|
||||||
|
the best option is to rewrite the source code so that only constant
|
||||||
|
format strings (string literals) are used.
|
||||||
|
* Other `-Werror=` options. See **Controlling C Type Safety**.
|
||||||
|
* `-U_FORTIFY_SOURCE, -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3`:
|
||||||
|
See the Source Fortification section above and the `%_fortify_level`
|
||||||
|
override.
|
||||||
|
* `-fexceptions`: Provide exception unwinding support for C programs.
|
||||||
|
See the [`-fexceptions` option in the GCC
|
||||||
|
manual](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions)
|
||||||
|
and the [`cleanup` variable
|
||||||
|
attribute](https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-cleanup-variable-attribute).
|
||||||
|
This also hardens cancellation handling in C programs because
|
||||||
|
it is not required to use an on-stack jump buffer to install
|
||||||
|
a cancellation handler with `pthread_cleanup_push`. It also makes
|
||||||
|
it possible to unwind the stack (using C++ `throw` or Rust panics)
|
||||||
|
from C callback functions if a C library supports non-local exits
|
||||||
|
from them (e.g., via `longjmp`).
|
||||||
|
* `-fasynchronous-unwind-tables`: Generate full unwind information
|
||||||
|
covering all program points. This is required for support of
|
||||||
|
asynchronous cancellation and proper unwinding from signal
|
||||||
|
handlers. It also makes performance and debugging tools more
|
||||||
|
useful because unwind information is available without having to
|
||||||
|
install (and load) debugging information. (Not enabled on armhfp
|
||||||
|
due to architectural differences in stack management.)
|
||||||
|
* `-Wp,-D_GLIBCXX_ASSERTIONS`: Enable lightweight assertions in the
|
||||||
|
C++ standard library, such as bounds checking for the subscription
|
||||||
|
operator on vectors. (This flag is added to both `CFLAGS` and
|
||||||
|
`CXXFLAGS`; C compilations will simply ignore it.)
|
||||||
|
* `-fstack-protector-strong`: Instrument functions to detect
|
||||||
|
stack-based buffer overflows before jumping to the return address on
|
||||||
|
the stack. The *strong* variant only performs the instrumentation
|
||||||
|
for functions whose stack frame contains addressable local
|
||||||
|
variables. (If the address of a variable is never taken, it is not
|
||||||
|
possible that a buffer overflow is caused by incorrect pointer
|
||||||
|
arithmetic involving a pointer to that variable.)
|
||||||
|
* `-fstack-clash-protection`: Turn on instrumentation to avoid
|
||||||
|
skipping the guard page in large stack frames. (Without this flag,
|
||||||
|
vulnerabilities can result where the stack overlaps with the heap,
|
||||||
|
or thread stacks spill into other regions of memory.) This flag is
|
||||||
|
fully ABI-compatible and has adds very little run-time overhead.
|
||||||
|
This flag is currently not available on armhfp (both `gcc` and `clang`
|
||||||
|
toolchains) and on aarch64 with the `clang` toolchain.
|
||||||
|
* `-flto=auto`: Enable link-time optimization (LTO), using `make` job server
|
||||||
|
integration for parallel processing. (`gcc` toolchain only)
|
||||||
|
* `-ffat-lto-objects`: Generate EFL object files which contain both
|
||||||
|
object code and LTO intermediate representation. (`gcc` toolchain only)
|
||||||
|
* `-flto`: Enable link-time optimization. (`clang` toolchain only)
|
||||||
|
* `-grecord-gcc-switches`: Include select GCC command line switches in
|
||||||
|
the DWARF debugging information. This is useful for detecting the
|
||||||
|
presence of certain build flags and general hardening coverage.
|
||||||
|
* `-fcommon`: This optional flag is used to build legacy software
|
||||||
|
which relies on C tentative definitions. It is disabled by default.
|
||||||
|
|
||||||
|
For hardened builds (which are enabled by default, see above for how
|
||||||
|
to disable them), the flag
|
||||||
|
`-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1` is added to the
|
||||||
|
command line. It adds the following flag to the command line:
|
||||||
|
|
||||||
|
* `-fPIE`: Compile for a position-independent executable (PIE),
|
||||||
|
enabling full address space layout randomization (ASLR). This is
|
||||||
|
similar to `-fPIC`, but avoids run-time indirections on certain
|
||||||
|
architectures, resulting in improved performance and slightly
|
||||||
|
smaller executables. However, compared to position-dependent code
|
||||||
|
(the default generated by GCC), there is still a measurable
|
||||||
|
performance impact.
|
||||||
|
|
||||||
|
If the command line also contains `-r` (producing a relocatable
|
||||||
|
object file), `-fpic` or `-fPIC`, this flag is automatically
|
||||||
|
dropped. (`-fPIE` can only be used for code which is linked into
|
||||||
|
the main program.) Code which goes into static libraries should be
|
||||||
|
compiled with `-fPIE`, except when this code is expected to be
|
||||||
|
linked into DSOs, when `-fPIC` must be used.
|
||||||
|
|
||||||
|
To be effective, `-fPIE` must be used with the `-pie` linker flag
|
||||||
|
when producing an executable, see below.
|
||||||
|
|
||||||
|
To support [binary watermarks for ELF
|
||||||
|
objects](https://fedoraproject.org/wiki/Toolchain/Watermark) using
|
||||||
|
annobin, the `-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1` flag is
|
||||||
|
added by default (with the `gcc` toolchain). This can be switched off
|
||||||
|
by undefining the `%_annotated_build` RPM macro (see above). Binary
|
||||||
|
watermarks are currently disabled on armhpf, and with the `clang`
|
||||||
|
toolchain.
|
||||||
|
|
||||||
|
If frame pointers are enabled by default (via `%_include_frame_pointers`),
|
||||||
|
the `-fno-omit-frame-pointer` will be added on all architectures except i686
|
||||||
|
and s390x. Additional flags will be added on specific architectures:
|
||||||
|
|
||||||
|
* `-mno-omit-leaf-frame-pointer` on x86_64 and aarch64
|
||||||
|
|
||||||
|
### Architecture-specific compiler flags
|
||||||
|
|
||||||
|
These compiler flags are enabled for all builds (hardened/annotated or
|
||||||
|
not), but their selection depends on the architecture:
|
||||||
|
|
||||||
|
* `-fcf-protection`: Instrument binaries to guard against
|
||||||
|
ROP/JOP exploitation techniques. Used on x86_64.
|
||||||
|
* `-mbranch-protection=standard`: Instrument binaries to guard against
|
||||||
|
ROP/JOP exploitation techniques. Used on aarch64.
|
||||||
|
* `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
|
||||||
|
the same compilation. For such architectures, the RPM build process
|
||||||
|
explicitly selects the architecture variant by passing this compiler
|
||||||
|
flag.
|
||||||
|
|
||||||
|
In addition, `redhat-rpm-config` re-selects the built-in default
|
||||||
|
tuning in the `gcc` package. These settings are:
|
||||||
|
|
||||||
|
* **armhfp**: `-march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard`
|
||||||
|
selects an Arm subarchitecture based on the ARMv7-A architecture
|
||||||
|
with 16 64-bit floating point registers. `-mtune=cortex-8a` selects
|
||||||
|
tuning for the Cortex-A8 implementation (while preserving
|
||||||
|
compatibility with other ARMv7-A implementations).
|
||||||
|
`-mabi=aapcs-linux` switches to the AAPCS ABI for GNU/Linux.
|
||||||
|
* **i686**: `-march=i686` is used to select a minmum support CPU level
|
||||||
|
of i686 (corresponding to the Pentium Pro). SSE2 support is enabled
|
||||||
|
with `-msse2` (so only CPUs with SSE2 support can run the compiled
|
||||||
|
code; SSE2 was introduced first with the Pentium 4).
|
||||||
|
`-mtune=generic` activates tuning for a current blend of CPUs (under
|
||||||
|
the assumption that most users of i686 packages obtain them through
|
||||||
|
an x86_64 installation on current hardware). `-mfpmath=sse`
|
||||||
|
instructs GCC to use the SSE2 unit for floating point math to avoid
|
||||||
|
excess precision issues. `-mstackrealign` avoids relying on the
|
||||||
|
stack alignment guaranteed by the current version of the i386 ABI.
|
||||||
|
* **ppc64le**: `-mcpu=power8 -mtune=power8` selects a minimum
|
||||||
|
supported CPU level of POWER8 (the first CPU with ppc64le support)
|
||||||
|
and tunes for POWER8.
|
||||||
|
* **s390x**: `-march=zEC12 -mtune=z13` specifies a minimum supported
|
||||||
|
CPU level of zEC12, while optimizing for a subsequent CPU generation
|
||||||
|
(z13).
|
||||||
|
* **x86_64**: `-mtune=generic` selects tuning which is expected to
|
||||||
|
beneficial for a broad range of current CPUs. Distribution-specific
|
||||||
|
defaults for `-march=x86-64-v2` or `-march=x86-64-v3` may be
|
||||||
|
applied. The default can be overriden (for any distribution)
|
||||||
|
by specifying `--target x86_64_v2`, `--target x86_64_v3`,
|
||||||
|
`--target x86_64_v4` in the `rpmbuild` invocation.
|
||||||
|
With the GCC toolchain, TLS descriptors are enabled using
|
||||||
|
`-mtls-dialect=gnu2`.
|
||||||
|
* **aarch64** does not have any architecture-specific tuning.
|
||||||
|
|
||||||
|
### Vala-specific compiler flags
|
||||||
|
|
||||||
|
* `-g`: causes valac to emit `#line` directives in the generated C
|
||||||
|
source code. This improves backtrace generation by causing gdb to
|
||||||
|
point to Vala source file and line number instead of the generated C
|
||||||
|
source when possible.
|
||||||
|
|
||||||
|
# Individual linker flags
|
||||||
|
|
||||||
|
Linker flags end up in the environment variable `LDFLAGS`.
|
||||||
|
|
||||||
|
The linker flags listed below are injected. Note that they are
|
||||||
|
prefixed with `-Wl` because it is expected that these flags are passed
|
||||||
|
to the compiler driver `gcc`, and not directly to the link editor
|
||||||
|
`ld`.
|
||||||
|
|
||||||
|
* `-z relro`: Activate the *read-only after relocation* feature.
|
||||||
|
Constant data and relocations are placed on separate pages, and the
|
||||||
|
dynamic linker is instructed to revoke write permissions after
|
||||||
|
dynamic linking. Full protection of relocation data requires the
|
||||||
|
`-z now` flag (see below).
|
||||||
|
* `--as-needed`: In the final link, only generate ELF dependencies
|
||||||
|
for shared objects that actually provide symbols required by the link.
|
||||||
|
Shared objects which are not needed to fulfill symbol dependencies
|
||||||
|
are essentially ignored due to this flag.
|
||||||
|
* `-z pack-relative-relocs`: Use the portable `DT_RELR` scheme for
|
||||||
|
relative relocations, resulting in reduced startup time compared to
|
||||||
|
legacy architecture-specific relocations. (`-z pack-relative-relocs`
|
||||||
|
is currently disabled on aarch64 and s390x due to toolchain limitations.)
|
||||||
|
* `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols
|
||||||
|
(optional, see above).
|
||||||
|
|
||||||
|
For hardened builds, some more linker options are added to the
|
||||||
|
compiler driver command line. These can be disabled by undefining the
|
||||||
|
`%_hardened_build` macro - see above.
|
||||||
|
|
||||||
|
* `-pie`: Produce a PIE binary. This is only activated for the main
|
||||||
|
executable, and only if it is dynamically linked. This requires
|
||||||
|
that all objects which are linked in the main executable have been
|
||||||
|
compiled with `-fPIE` or `-fPIC` (or `-fpie` or `-fpic`; see above).
|
||||||
|
By itself, `-pie` has only a slight performance impact because it
|
||||||
|
disables some link editor optimization, however the `-fPIE` compiler
|
||||||
|
flag has some overhead.
|
||||||
|
Note: this option is added via adding a spec file to the compiler
|
||||||
|
driver command line (`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld`)
|
||||||
|
rather than using the `-Wl` mechanism mentioned above. As a result
|
||||||
|
this option is only enabled if the compiler driver is gcc.
|
||||||
|
* `-z now`: Disable lazy binding and turn on the `BIND_NOW` dynamic
|
||||||
|
linker feature. Lazy binding involves an array of function pointers
|
||||||
|
which is writable at run time (which could be overwritten as part of
|
||||||
|
security exploits, redirecting execution). Therefore, it is
|
||||||
|
preferable to turn of lazy binding, although it increases startup
|
||||||
|
time.
|
||||||
|
|
||||||
|
In addition hardened builds default to converting a couple of linker
|
||||||
|
warning messages into errors, because they represent potential
|
||||||
|
missed hardening opportunities, and warnings in the linker's output are
|
||||||
|
often ignored. This behaviour can be turned off by undefining the
|
||||||
|
`%_hardened_build` macro as mentioned above, or by undefining the
|
||||||
|
`%_hardened_linker_errors` macro. The linker options enabled by this
|
||||||
|
feature are:
|
||||||
|
|
||||||
|
* `--error-rwx-segments`: Generates an error if an output binary would
|
||||||
|
contain a loadable memory segment with read, write and execute
|
||||||
|
permissions. It will also generate an error if a thread local
|
||||||
|
storage (TLS) segment is created with execute permission. The
|
||||||
|
error can be disabled on an individual basis by adding the
|
||||||
|
`--no-warn-rwx-segments` option to the linker command line.
|
||||||
|
* `--error-execstack`: Generates an error if an output binary would
|
||||||
|
contain a stack that is held in memory with execute permission.
|
||||||
|
If a binary is being intentionally created with an executable stack
|
||||||
|
then the linker command line option `-z execstack` can be used to
|
||||||
|
indicate this.
|
||||||
|
|
||||||
|
Note: these options are added via a spec file on the compiler driver
|
||||||
|
command line (`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors`)
|
||||||
|
rather than using the `-Wl` mechanism mentioned above. As a result
|
||||||
|
these options are only enabled if the compiler driver is gcc. In
|
||||||
|
addition the spec file only adds the options if the `-fuse-ld=...`
|
||||||
|
option has not been enabled. This prevents the options from being
|
||||||
|
used when the gold or lld linkers are enabled.
|
||||||
|
|
||||||
|
# Support for extension builders
|
||||||
|
|
||||||
|
Some packages include extension builders that allow users to build
|
||||||
|
extension modules (which are usually written in C and C++) under the
|
||||||
|
control of a special-purpose build system. This is a common
|
||||||
|
functionality provided by scripting languages such as Python and Perl.
|
||||||
|
Traditionally, such extension builders captured the Fedora build flags
|
||||||
|
when these extension were built. However, these compiler flags are
|
||||||
|
adjusted for a specific Fedora release and toolchain version and
|
||||||
|
therefore do not work with a custom toolchain (e.g., different C/C++
|
||||||
|
compilers), and users might want to build their own extension modules
|
||||||
|
with such toolchains.
|
||||||
|
|
||||||
|
The macros `%{extension_cflags}`, `%{extension_cxxflags}`,
|
||||||
|
`%{extension_fflags}`, `%{extension_ldflags}` contain a subset of
|
||||||
|
flags that have been adjusted for compatibility with alternative
|
||||||
|
toolchains.
|
||||||
|
|
||||||
|
Currently the -fexceptions and -fcf-protection flags are preserved
|
||||||
|
for binary compatibility with the languages the extensions are
|
||||||
|
built against.
|
||||||
|
|
||||||
|
Extension builders should detect whether they are performing a regular
|
||||||
|
RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this
|
||||||
|
case, they should use the *current* set of Fedora build flags (that
|
||||||
|
is, the output from `rpm --eval '%{build_cflags}'` and related
|
||||||
|
commands). Otherwise, when not performing an RPM build, they can
|
||||||
|
either use hard-coded extension builder flags (thus avoiding a
|
||||||
|
run-time dependency on `redhat-rpm-config`), or use the current
|
||||||
|
extension builder flags (with a run-time dependency on
|
||||||
|
`redhat-rpm-config`).
|
||||||
|
|
||||||
|
As a result, extension modules built for Fedora will use the official
|
||||||
|
Fedora build flags, while users will still be able to build their own
|
||||||
|
extension modules with custom toolchains.
|
@ -0,0 +1,66 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# dist.sh
|
||||||
|
# Author: Tom "spot" Callaway <tcallawa@redhat.com>
|
||||||
|
# License: GPL
|
||||||
|
# This is a script to output the value for the %{dist}
|
||||||
|
# tag. The dist tag takes the following format: .$type$num
|
||||||
|
# Where $type is one of: el, fc, rh
|
||||||
|
# (for RHEL, Fedora Core, and RHL, respectively)
|
||||||
|
# And $num is the version number of the distribution.
|
||||||
|
# NOTE: We can't detect Rawhide or Fedora Test builds properly.
|
||||||
|
# If we successfully detect the version number, we output the
|
||||||
|
# dist tag. Otherwise, we exit with no output.
|
||||||
|
|
||||||
|
RELEASEFILE=/etc/redhat-release
|
||||||
|
|
||||||
|
function check_num {
|
||||||
|
MAINVER=`cut -d "(" -f 1 < $RELEASEFILE | \
|
||||||
|
sed -e "s/[^0-9.]//g" -e "s/$//g" | cut -d "." -f 1`
|
||||||
|
|
||||||
|
echo $MAINVER | grep -q '[0-9]' && echo $MAINVER
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_rhl {
|
||||||
|
grep -q "Red Hat Linux" $RELEASEFILE && ! grep -q "Advanced" $RELEASEFILE && echo $DISTNUM
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_rhel {
|
||||||
|
grep -Eq "(Enterprise|Advanced|CentOS)" $RELEASEFILE && echo $DISTNUM
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_fedora {
|
||||||
|
grep -q Fedora $RELEASEFILE && echo $DISTNUM
|
||||||
|
}
|
||||||
|
|
||||||
|
DISTNUM=`check_num`
|
||||||
|
DISTFC=`check_fedora`
|
||||||
|
DISTRHL=`check_rhl`
|
||||||
|
DISTRHEL=`check_rhel`
|
||||||
|
if [ -n "$DISTNUM" ]; then
|
||||||
|
if [ -n "$DISTFC" ]; then
|
||||||
|
DISTTYPE=fc
|
||||||
|
elif [ -n "$DISTRHEL" ]; then
|
||||||
|
DISTTYPE=el
|
||||||
|
elif [ -n "$DISTRHL" ]; then
|
||||||
|
DISTTYPE=rhl
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
[ -n "$DISTTYPE" -a -n "$DISTNUM" ] && DISTTAG=".${DISTTYPE}${DISTNUM}"
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
--el) echo -n "$DISTRHEL" ;;
|
||||||
|
--fc) echo -n "$DISTFC" ;;
|
||||||
|
--rhl) echo -n "$DISTRHL" ;;
|
||||||
|
--distnum) echo -n "$DISTNUM" ;;
|
||||||
|
--disttype) echo -n "$DISTTYPE" ;;
|
||||||
|
--help)
|
||||||
|
printf "Usage: $0 [OPTIONS]\n"
|
||||||
|
printf " Default mode is --dist. Possible options:\n"
|
||||||
|
printf " --el\t\tfor RHEL version (if RHEL)\n"
|
||||||
|
printf " --fc\t\tfor Fedora version (if Fedora)\n"
|
||||||
|
printf " --rhl\t\tfor RHL version (if RHL)\n"
|
||||||
|
printf " --dist\t\tfor distribution tag\n"
|
||||||
|
printf " --distnum\tfor distribution number (major)\n"
|
||||||
|
printf " --disttype\tfor distribution type\n" ;;
|
||||||
|
*) echo -n "$DISTTAG" ;;
|
||||||
|
esac
|
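Review bot: The `--help` arm puts `$0` inside the printf format string (`printf "Usage: $0 [OPTIONS]\n"`), so a `%` or backslash in the invocation path is interpreted as a format directive instead of being printed; `printf 'Usage: %s [OPTIONS]\n' "$0"` keeps the path as data. The final tag test uses the obsolescent `-a` operator and could read `[ -n "$DISTTYPE" ] && [ -n "$DISTNUM" ]`. In `check_num`, the `-e "s/$//g"` expression replaces an empty end-of-line match with nothing and looks like a no-op that can be dropped.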
@ -0,0 +1,50 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# This script reads filenames from STDIN and outputs any relevant provides
|
||||||
|
# information that needs to be included in the package.
|
||||||
|
|
||||||
|
if [ "$1" ]
|
||||||
|
then
|
||||||
|
package_name="$1"
|
||||||
|
fi
|
||||||
|
|
||||||
|
filelist=`sed "s/['\"]/\\\&/g"`
|
||||||
|
|
||||||
|
[ -x /usr/lib/rpm/rpmdeps -a -n "$filelist" ] &&
|
||||||
|
echo $filelist | tr '[:blank:]' \\n | /usr/lib/rpm/rpmdeps --provides
|
||||||
|
|
||||||
|
#
|
||||||
|
# --- any other extra find-provides scripts
|
||||||
|
for i in /usr/lib/rpm/redhat/find-provides.d/*.prov
|
||||||
|
do
|
||||||
|
[ -x $i ] &&
|
||||||
|
(echo $filelist | tr '[:blank:]' \\n | $i | sort -u)
|
||||||
|
done
|
||||||
|
|
||||||
|
#
|
||||||
|
# --- Kernel module imported symbols
|
||||||
|
#
|
||||||
|
# Since we don't (yet) get passed the name of the package being built, we
|
||||||
|
# cheat a little here by looking first for a kernel, then for a kmod.
|
||||||
|
#
|
||||||
|
|
||||||
|
is_kmod=1
|
||||||
|
for f in $filelist; do
|
||||||
|
if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*).ko$:\2:p') ]
|
||||||
|
then
|
||||||
|
is_kernel=1;
|
||||||
|
fi
|
||||||
|
if [ $(echo "$f" | sed -r -ne 's:^.*/boot/(.*):\1:p') ]
|
||||||
|
then
|
||||||
|
unset is_kmod;
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ! "$is_kernel" ] || [ "$package_name" == "kernel" ]
|
||||||
|
then
|
||||||
|
unset is_kmod
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -x /usr/lib/rpm/redhat/find-provides.ksyms ] && [ "$is_kmod" ] &&
|
||||||
|
printf "%s\n" "${filelist[@]}" | /usr/lib/rpm/redhat/find-provides.ksyms
|
||||||
|
|
||||||
|
exit 0
|
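Review bot: The escaping on the `filelist=` line does not appear to protect the unquoted `$filelist` expansions that follow it. After the backtick and double-quote passes, `\\\&` seems to reach sed as `\&`, which replaces each quote character with a literal `&` instead of prefixing it with a backslash. The bracket expression also covers only `'` and `"`, so `*`, `?` or `[` in a packaged file name stay open to pathname expansion in `echo $filelist` and `for f in $filelist`. find-requires in this same commit uses the class `[]['\"*?{}]` with the replacement `\\\\\&`, and using that form here would make the two scripts agree. In the ksyms line, `"${filelist[@]}"` is an array expansion of a scalar and could be written `"$filelist"`.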
@ -0,0 +1,39 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# Auto-generate requirements for executables (both ELF and a.out) and library
|
||||||
|
# sonames, script interpreters, and perl modules.
|
||||||
|
#
|
||||||
|
|
||||||
|
ulimit -c 0
|
||||||
|
|
||||||
|
filelist=`sed "s/[]['\"*?{}]/\\\\\&/g"`
|
||||||
|
|
||||||
|
[ -x /usr/lib/rpm/rpmdeps -a -n "$filelist" ] && \
|
||||||
|
echo $filelist | tr '[:blank:]' \\n | /usr/lib/rpm/rpmdeps --requires
|
||||||
|
|
||||||
|
#
|
||||||
|
# --- Kernel module imported symbols
|
||||||
|
#
|
||||||
|
# Since we don't (yet) get passed the name of the package being built, we
|
||||||
|
# cheat a little here by looking first for a kernel, then for a kmod.
|
||||||
|
#
|
||||||
|
|
||||||
|
unset is_kmod
|
||||||
|
|
||||||
|
for f in $filelist; do
|
||||||
|
if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*).ko$:\2:p') ]
|
||||||
|
then
|
||||||
|
is_kmod=1;
|
||||||
|
elif [ $(echo "$f" | sed -r -ne 's:^.*/boot/(.*):\1:p') ]
|
||||||
|
then
|
||||||
|
unset is_kmod;
|
||||||
|
break;
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Disabling for now while the Fedora kernel doesn't produce kABI deps.
|
||||||
|
#[ -x /usr/lib/rpm/redhat/find-requires.ksyms ] && [ "$is_kmod" ] &&
|
||||||
|
# printf "%s\n" "${filelist[@]}" | /usr/lib/rpm/redhat/find-requires.ksyms
|
||||||
|
|
||||||
|
exit 0
|
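Review bot: The `for f in $filelist` loop only sets `is_kmod`, and the one statement that reads it is commented out below, so the loop currently starts up to two sed processes per file with no effect on the output. Either skip the loop until `find-requires.ksyms` is re-enabled, or mark it with a comment such as `# is_kmod is unused until the ksyms call below is re-enabled`. The tests of the form `[ $(echo "$f" | sed …) ]` are unquoted here and in find-provides; `[ -n "$(echo "$f" | sed …)" ]` states the intent and does not depend on how the sed output word-splits.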
@ -0,0 +1,111 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se
|
||||||
|
#
|
||||||
|
# This material is provided as is, with absolutely no warranty expressed
|
||||||
|
# or implied. Any use is at your own risk.
|
||||||
|
#
|
||||||
|
# Permission is hereby granted to use or copy this program
|
||||||
|
# for any purpose, provided the above notices are retained on all copies.
|
||||||
|
# Permission to modify the code and to distribute modified code is granted,
|
||||||
|
# provided the above notices are retained, and a notice that the code was
|
||||||
|
# modified is included with the above copyright notice.
|
||||||
|
|
||||||
|
|
||||||
|
function print_help {
|
||||||
|
cat <<'EOF'
|
||||||
|
Usage: gpgverify --keyring=<pathname> --signature=<pathname> --data=<pathname>
|
||||||
|
|
||||||
|
gpgverify is a wrapper around gpgv designed for easy and safe scripting. It
|
||||||
|
verifies a file against a detached OpenPGP signature and a keyring. The keyring
|
||||||
|
shall contain all the keys that are trusted to certify the authenticity of the
|
||||||
|
file, and must not contain any untrusted keys.
|
||||||
|
|
||||||
|
The differences, compared to invoking gpgv directly, are that gpgverify accepts
|
||||||
|
the keyring in either ASCII-armored or unarmored form, and that it will not
|
||||||
|
accidentally use a default keyring in addition to the specified one.
|
||||||
|
|
||||||
|
Parameters:
|
||||||
|
--keyring=<pathname> keyring with all the trusted keys and no others
|
||||||
|
--signature=<pathname> detached signature to verify
|
||||||
|
--data=<pathname> file to verify against the signature
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
fatal_error() {
|
||||||
|
message="$1" # an error message
|
||||||
|
status=$2 # a number to use as the exit code
|
||||||
|
echo "gpgverify: $message" >&2
|
||||||
|
exit $status
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
require_parameter() {
|
||||||
|
term="$1" # a term for a required parameter
|
||||||
|
value="$2" # Complain and terminate if this value is empty.
|
||||||
|
if test -z "${value}" ; then
|
||||||
|
fatal_error "No ${term} was provided." 2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
check_status() {
|
||||||
|
action="$1" # a string that describes the action that was attempted
|
||||||
|
status=$2 # the exit code of the command
|
||||||
|
if test $status -ne 0 ; then
|
||||||
|
fatal_error "$action failed." $status
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Parse the command line.
|
||||||
|
keyring=
|
||||||
|
signature=
|
||||||
|
data=
|
||||||
|
for parameter in "$@" ; do
|
||||||
|
case "${parameter}" in
|
||||||
|
(--help)
|
||||||
|
print_help
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
(--keyring=*)
|
||||||
|
keyring="${parameter#*=}"
|
||||||
|
;;
|
||||||
|
(--signature=*)
|
||||||
|
signature="${parameter#*=}"
|
||||||
|
;;
|
||||||
|
(--data=*)
|
||||||
|
data="${parameter#*=}"
|
||||||
|
;;
|
||||||
|
(*)
|
||||||
|
fatal_error "Unknown parameter: \"${parameter}\"" 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
require_parameter 'keyring' "${keyring}"
|
||||||
|
require_parameter 'signature' "${signature}"
|
||||||
|
require_parameter 'data file' "${data}"
|
||||||
|
|
||||||
|
# Make a temporary working directory.
|
||||||
|
workdir="$(mktemp --directory)"
|
||||||
|
check_status 'Making a temporary directory' $?
|
||||||
|
workring="${workdir}/keyring.gpg"
|
||||||
|
|
||||||
|
# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
|
||||||
|
# ASCII-armored.
|
||||||
|
gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
|
||||||
|
check_status 'Decoding the keyring' $?
|
||||||
|
|
||||||
|
# Verify the signature using the decoded keyring.
|
||||||
|
gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}"
|
||||||
|
check_status 'Signature verification' $?
|
||||||
|
|
||||||
|
# (--homedir isn't actually necessary. --dearmor processes only the input file,
|
||||||
|
# and if --keyring is used and contains a slash, then gpgv2 uses only that
|
||||||
|
# keyring. Thus neither command will look for a default keyring, but --homedir
|
||||||
|
# makes extra double sure that no default keyring will be touched in case
|
||||||
|
# another version of GPG works differently.)
|
||||||
|
|
||||||
|
# Clean up. (This is not done in case of an error that may need inspection.)
|
||||||
|
rm --recursive --force ${workdir}
|
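Review bot: The cleanup line `rm --recursive --force ${workdir}` expands the directory name unquoted, so if `mktemp` returns a path containing whitespace (it follows `TMPDIR`) the recursive forced delete is applied to the split words rather than to the working directory; `rm --recursive --force -- "${workdir}"` avoids that. The caller-supplied paths reach `gpg2 --dearmor` and `gpgv2` as bare positional arguments, so a value starting with `-` would be read as an option; placing `--` before `"${keyring}"` and before `"${signature}" "${data}"` ends option parsing there. The helper functions assign `message`, `status`, `term`, `value` and `action` as globals, and declaring them `local` would keep `check_status` and `fatal_error` from sharing `status`.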
@ -0,0 +1,5 @@
|
|||||||
|
# Make libfoo.so symlinks require the soname-provide of the target library
|
||||||
|
%__libsymlink_requires %{_rpmconfigdir}/elfdeps --provides --soname-only
|
||||||
|
%__libsymlink_magic ^symbolic link to .*lib.*\.so\..*$
|
||||||
|
%__libsymlink_path ^.*\.so$
|
||||||
|
%__libsymlink_flags magic_and_path
|
@ -0,0 +1,479 @@
|
|||||||
|
# Per-platform rpm configuration file.
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- per-platform macros.
|
||||||
|
#
|
||||||
|
%_vendor redhat
|
||||||
|
%_os linux
|
||||||
|
%_target_platform %{_target_cpu}-%{_vendor}-%{_target_os}%{?_gnu}
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- configure macros. note that most of these are inherited
|
||||||
|
# from the defaults.
|
||||||
|
#
|
||||||
|
%_localstatedir /var
|
||||||
|
%_runstatedir /run
|
||||||
|
|
||||||
|
%_pkgdocdir %{_docdir}/%{name}
|
||||||
|
%_docdir_fmt %%{NAME}
|
||||||
|
|
||||||
|
%_fmoddir %{_libdir}/gfortran/modules
|
||||||
|
|
||||||
|
%source_date_epoch_from_changelog 1
|
||||||
|
%clamp_mtime_to_source_date_epoch %source_date_epoch_from_changelog
|
||||||
|
|
||||||
|
%_enable_debug_packages 1
|
||||||
|
%_include_minidebuginfo 1
|
||||||
|
%_include_gdb_index 1
|
||||||
|
%_debugsource_packages 1
|
||||||
|
%_debuginfo_subpackages 1
|
||||||
|
|
||||||
|
# GCC toolchain
|
||||||
|
%__cc_gcc gcc
|
||||||
|
%__cxx_gcc g++
|
||||||
|
%__cpp_gcc gcc -E
|
||||||
|
|
||||||
|
# Clang toolchain
|
||||||
|
%__cc_clang clang
|
||||||
|
%__cxx_clang clang++
|
||||||
|
%__cpp_clang clang-cpp
|
||||||
|
|
||||||
|
# Default to the GCC toolchain
|
||||||
|
%toolchain gcc
|
||||||
|
|
||||||
|
%__cc %{expand:%%{__cc_%{toolchain}}}
|
||||||
|
%__cxx %{expand:%%{__cxx_%{toolchain}}}
|
||||||
|
%__cpp %{expand:%%{__cpp_%{toolchain}}}
|
||||||
|
|
||||||
|
# Compiler macros to use for invoking compilers in spec files for packages that
|
||||||
|
# want to use the default compiler and don't care which compiler that is.
|
||||||
|
%build_cc %{__cc}
|
||||||
|
%build_cxx %{__cxx}
|
||||||
|
%build_cpp %{__cpp}
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- compiler flags.
|
||||||
|
|
||||||
|
# C compiler flags. This is traditionally called CFLAGS in makefiles.
|
||||||
|
# Historically also available as %%{optflags}, and %%build sets the
|
||||||
|
# environment variable RPM_OPT_FLAGS to this value.
|
||||||
|
%build_cflags %{__build_flags_lang_c} %{?_distro_extra_cflags}
|
||||||
|
|
||||||
|
# C++ compiler flags. This is traditionally called CXXFLAGS in makefiles.
|
||||||
|
%build_cxxflags %{__build_flags_lang_cxx} %{?_distro_extra_cxxflags}
|
||||||
|
|
||||||
|
# Fortran compiler flags. Makefiles use both FFLAGS and FCFLAGS as
|
||||||
|
# the corresponding variable names.
|
||||||
|
%build_fflags %{__build_flags_common} -I%{_fmoddir} %{?_distro_extra_fflags}
|
||||||
|
|
||||||
|
# Vala compiler flags. This is used to set VALAFLAGS.
|
||||||
|
%build_valaflags -g
|
||||||
|
|
||||||
|
# When clang is used as a linker driver, it does not auto-detect the LTO
|
||||||
|
# bytecode and neither does bfd, so we need to explicitly pass the -flto
|
||||||
|
# flag when linking.
|
||||||
|
%_clang_extra_ldflags %{?_lto_cflags}
|
||||||
|
|
||||||
|
# Link editor flags. This is usually called LDFLAGS in makefiles.
|
||||||
|
# (Some makefiles use LFLAGS instead.) The default value assumes that
|
||||||
|
# the flags, while intended for ld, are still passed through the gcc
|
||||||
|
# compiler driver. At the beginning of %%build, the environment
|
||||||
|
# variable RPM_LD_FLAGS to this value.
|
||||||
|
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_ld_pack_relocs_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_clang_extra_ldflags}" : "" ] %{_build_id_flags} %{?_package_note_flags} %{?_distro_extra_ldflags}
|
||||||
|
|
||||||
|
# Expands to shell code to set the compiler/linker environment
|
||||||
|
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, VALAFLAGS, LDFLAGS if they
|
||||||
|
# have not been set already. RPM_OPT_FLAGS and RPM_LD_FLAGS have already
|
||||||
|
# been set implicitly at the start of the %%build section.
|
||||||
|
# LT_SYS_LIBRARY_PATH is used by libtool script.
|
||||||
|
# RUSTFLAGS is only set when %%{build_rustflags} is available.
|
||||||
|
%set_build_flags \
|
||||||
|
CFLAGS="${CFLAGS:-%{build_cflags}}" ; export CFLAGS ; \
|
||||||
|
CXXFLAGS="${CXXFLAGS:-%{build_cxxflags}}" ; export CXXFLAGS ; \
|
||||||
|
FFLAGS="${FFLAGS:-%{build_fflags}}" ; export FFLAGS ; \
|
||||||
|
FCFLAGS="${FCFLAGS:-%{build_fflags}}" ; export FCFLAGS ; \
|
||||||
|
VALAFLAGS="${VALAFLAGS:-%{build_valaflags}}" ; export VALAFLAGS ;%{?build_rustflags:
|
||||||
|
RUSTFLAGS="${RUSTFLAGS:-%{build_rustflags}}" ; export RUSTFLAGS ;} \
|
||||||
|
LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS ; \
|
||||||
|
LT_SYS_LIBRARY_PATH="${LT_SYS_LIBRARY_PATH:-%_libdir:}" ; export LT_SYS_LIBRARY_PATH ; \
|
||||||
|
CC="${CC:-%{__cc}}" ; export CC ; \
|
||||||
|
CXX="${CXX:-%{__cxx}}" ; export CXX
|
||||||
|
|
||||||
|
# Automatically use set_build_flags macro for build, check, and
|
||||||
|
# install phases.
|
||||||
|
# Use "%undefine _auto_set_build_flags" to disable"
|
||||||
|
%_auto_set_build_flags 1
|
||||||
|
%__spec_build_pre %{___build_pre} \
|
||||||
|
%{?_auto_set_build_flags:%{set_build_flags}} \
|
||||||
|
%{?_generate_package_note_file}
|
||||||
|
|
||||||
|
%__spec_check_pre %{___build_pre} \
|
||||||
|
%{?_auto_set_build_flags:%{set_build_flags}} \
|
||||||
|
%{?_generate_package_note_file}
|
||||||
|
|
||||||
|
# Internal-only. Do not use. Expand a variable and strip the flags
|
||||||
|
# not suitable to extension builders.
|
||||||
|
%__extension_strip_flags() %{lua:
|
||||||
|
--the only argument to this macro is the "name" of the flags we strip (e.g. cflags, ldflags, etc.)
|
||||||
|
local name = rpm.expand("%{1}")
|
||||||
|
--store all the individual flags in a variable as a continuous string
|
||||||
|
local flags = rpm.expand("%{build_" .. name .. "}")
|
||||||
|
--create an empty table for the minimal set of flags we wanna preserve
|
||||||
|
local stripped_flags = { }
|
||||||
|
--iterate over the individual flags and store the ones we want in the table as unique keys
|
||||||
|
for flag in flags:gmatch("%S+") do
|
||||||
|
if flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection") then
|
||||||
|
stripped_flags[flag] = true end
|
||||||
|
end
|
||||||
|
--print out the finalized set of flags for use by the extension builders
|
||||||
|
for k,_ in pairs(stripped_flags) do print(k .. " ") end
|
||||||
|
}
|
||||||
|
|
||||||
|
# Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within
|
||||||
|
# extension builders.
|
||||||
|
%extension_cflags %{__extension_strip_flags cflags}
|
||||||
|
%extension_cxxflags %{__extension_strip_flags cxxflags}
|
||||||
|
%extension_fflags %{__extension_strip_flags fflags}
|
||||||
|
%extension_ldflags %{__extension_strip_flags ldflags}
|
||||||
|
|
||||||
|
# Deprecated names. For backwards compatibility only.
|
||||||
|
%__global_cflags %{build_cflags}
|
||||||
|
%__global_cxxflags %{build_cxxflags}
|
||||||
|
%__global_fflags %{build_fflags}
|
||||||
|
%__global_fcflags %{build_fflags}
|
||||||
|
%__global_ldflags %{build_ldflags}
|
||||||
|
|
||||||
|
# Architecture-specific support. Internal. Do not use directly.
|
||||||
|
|
||||||
|
%__cflags_arch_x86_64_level %[0%{?rhel} == 9 ? "-v2" : ""]%[0%{?rhel} > 9 ? "-v3" : ""]
|
||||||
|
%__cflags_arch_x86_64 -march=x86-64%{?__cflags_arch_x86_64_level:%{__cflags_arch_x86_64_level}}
|
||||||
|
|
||||||
|
# -mtls-dialect=gnu2 is currently specific to GCC (#2263181).
|
||||||
|
%__cflags_arch_x86_64_common -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection %[ "%{toolchain}" == "gcc" ? "-mtls-dialect=gnu2 " : "" ]%{_frame_pointers_cflags} %{_frame_pointers_cflags_x86_64}
|
||||||
|
|
||||||
|
# Also used for s390.
|
||||||
|
%__cflags_arch_s390x %[0%{?rhel} >= 9 ? "-march=z14 -mtune=z15" : "-march=z13 -mtune=z14"]
|
||||||
|
|
||||||
|
%__cflags_arch_ppc64le %[0%{?rhel} >= 9 ? "-mcpu=power9 -mtune=power9" : "-mcpu=power8 -mtune=power8"]
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- configure and makeinstall.
|
||||||
|
#
|
||||||
|
%_configure_gnuconfig_hack 1
|
||||||
|
%_configure_libtool_hardening_hack 1
|
||||||
|
# If defined, _configure_disable_silent_rules will cause --disable-silent-rules
|
||||||
|
# to be added to the list of options passed to the configure script.
|
||||||
|
# Eventually we'll want to turn this on by default, but this gives packagers a
|
||||||
|
# way to turn it back off.
|
||||||
|
# %_configure_disable_silent_rules 1
|
||||||
|
|
||||||
|
# Pass --runstatedir to configure.
|
||||||
|
%_configure_use_runstatedir 1
|
||||||
|
|
||||||
|
# This fixes various easy resolved configure tests that are compromised by LTO.
|
||||||
|
#
|
||||||
|
# We use this within the standard %configure macro, but also make it available
|
||||||
|
# for packages which don't use %configure
|
||||||
|
#
|
||||||
|
# The first three are common ways to test for the existence of a function, so
|
||||||
|
# we ensure the reference to the function is preserved
|
||||||
|
#
|
||||||
|
# The fourth are constants used to then try to generate NaNs and other key
|
||||||
|
# floating point numbers. We then use those special FP numbers to try and
|
||||||
|
# raise a SIGFPE. By declaring x & y volatile we prevent the optimizers
|
||||||
|
# from removing the computation
|
||||||
|
#
|
||||||
|
# The fifth (and worst) addresses problems with autoconf/libtool's approach
|
||||||
|
# to extracting symbols from .o files and generating C code. In an LTO world
|
||||||
|
# types matter much more closely and you can't have an object in one context
|
||||||
|
# that is a function definition and a simple scalar variable in another.
|
||||||
|
# Thankfully HP-UX has always had that restriction and is supported by
|
||||||
|
# autoconf/libtool. The insane sed script replaces the "generic" code with
|
||||||
|
# the HP-UX version.
|
||||||
|
#
|
||||||
|
# If we do not make changes, we put the original file back. This avoids
|
||||||
|
# unnecessary rebuilds of things that may have dependencies on the configure
|
||||||
|
# files.
|
||||||
|
#
|
||||||
|
%_fix_broken_configure_for_lto \
|
||||||
|
for file in $(find . -type f -name configure -print); do \
|
||||||
|
%{__sed} -r --in-place=.backup 's/^char \\(\\*f\\) \\(\\) = /__attribute__ ((used)) char (*f) () = /g' $file; \
|
||||||
|
diff -u $file.backup $file && mv $file.backup $file \
|
||||||
|
%{__sed} -r --in-place=.backup 's/^char \\(\\*f\\) \\(\\);/__attribute__ ((used)) char (*f) ();/g' $file; \
|
||||||
|
diff -u $file.backup $file && mv $file.backup $file \
|
||||||
|
%{__sed} -r --in-place=.backup 's/^char \\$2 \\(\\);/__attribute__ ((used)) char \\$2 ();/g' $file; \
|
||||||
|
diff -u $file.backup $file && mv $file.backup $file \
|
||||||
|
%{__sed} --in-place=.backup '1{$!N;$!N};$!N;s/int x = 1;\\nint y = 0;\\nint z;\\nint nan;/volatile int x = 1; volatile int y = 0; volatile int z, nan;/;P;D' $file; \
|
||||||
|
diff -u $file.backup $file && mv $file.backup $file \
|
||||||
|
%{__sed} --in-place=.backup 's#^lt_cv_sys_global_symbol_to_cdecl=.*#lt_cv_sys_global_symbol_to_cdecl="sed -n -e '"'"'s/^T .* \\\\(.*\\\\)$/extern int \\\\1();/p'"'"' -e '"'"'s/^$symcode* .* \\\\(.*\\\\)$/extern char \\\\1;/p'"'"'"#' $file; \
|
||||||
|
diff -u $file.backup $file && mv $file.backup $file \
|
||||||
|
done
|
||||||
|
|
||||||
|
%configure \
|
||||||
|
%{set_build_flags}; \
|
||||||
|
[ "%{_lto_cflags}"x != x ] && %{_fix_broken_configure_for_lto}; \
|
||||||
|
[ "%_configure_gnuconfig_hack" = 1 ] && for i in $(find $(dirname %{_configure}) -name config.guess -o -name config.sub) ; do \
|
||||||
|
[ -f /usr/lib/rpm/redhat/$(basename $i) ] && %{__rm} -f $i && %{__cp} -fv /usr/lib/rpm/redhat/$(basename $i) $i ; \
|
||||||
|
done ; \
|
||||||
|
[ "%_configure_libtool_hardening_hack" = 1 ] && [ x != "x%{_hardened_ldflags}" ] && \
|
||||||
|
for i in $(find . -name ltmain.sh) ; do \
|
||||||
|
%{__sed} -i.backup -e 's~compiler_flags=$~compiler_flags="%{_hardened_ldflags}"~' $i \
|
||||||
|
done ; \
|
||||||
|
%{_configure} --build=%{_build} --host=%{_host} \\\
|
||||||
|
--program-prefix=%{?_program_prefix} \\\
|
||||||
|
--disable-dependency-tracking \\\
|
||||||
|
%{?_configure_disable_silent_rules:--disable-silent-rules} \\\
|
||||||
|
--prefix=%{_prefix} \\\
|
||||||
|
--exec-prefix=%{_exec_prefix} \\\
|
||||||
|
--bindir=%{_bindir} \\\
|
||||||
|
--sbindir=%{_sbindir} \\\
|
||||||
|
--sysconfdir=%{_sysconfdir} \\\
|
||||||
|
--datadir=%{_datadir} \\\
|
||||||
|
--includedir=%{_includedir} \\\
|
||||||
|
--libdir=%{_libdir} \\\
|
||||||
|
--libexecdir=%{_libexecdir} \\\
|
||||||
|
--localstatedir=%{_localstatedir} \\\
|
||||||
|
%{?_configure_use_runstatedir:$(grep -q "runstatedir=DIR" %{_configure} && echo '--runstatedir=%{_runstatedir}')} \\\
|
||||||
|
--sharedstatedir=%{_sharedstatedir} \\\
|
||||||
|
--mandir=%{_mandir} \\\
|
||||||
|
--infodir=%{_infodir}
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- Build policy macros.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# Expanded at beginning of %install scriptlet.
|
||||||
|
#
|
||||||
|
|
||||||
|
%__spec_install_pre %{___build_pre}\
|
||||||
|
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "${RPM_BUILD_ROOT}"\
|
||||||
|
mkdir -p "`dirname "$RPM_BUILD_ROOT"`"\
|
||||||
|
mkdir "$RPM_BUILD_ROOT"\
|
||||||
|
%{?_auto_set_build_flags:%{set_build_flags}}\
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# Expanded at end of %install scriptlet.
|
||||||
|
#
|
||||||
|
|
||||||
|
%__arch_install_post /usr/lib/rpm/check-buildroot
|
||||||
|
|
||||||
|
# Build root policy macros. Standard naming:
|
||||||
|
# convert all '-' in basename to '_', add two leading underscores.
|
||||||
|
%__brp_ldconfig /usr/lib/rpm/redhat/brp-ldconfig
|
||||||
|
%__brp_compress /usr/lib/rpm/brp-compress
|
||||||
|
%__brp_strip /usr/lib/rpm/brp-strip %{__strip}
|
||||||
|
%__brp_strip_lto /usr/lib/rpm/redhat/brp-strip-lto %{__strip}
|
||||||
|
%__brp_strip_comment_note /usr/lib/rpm/brp-strip-comment-note %{__strip} %{__objdump}
|
||||||
|
%__brp_strip_static_archive /usr/lib/rpm/brp-strip-static-archive %{__strip}
|
||||||
|
%__brp_check_rpaths /usr/lib/rpm/check-rpaths
|
||||||
|
# __brp_mangle_shebangs_exclude - shebangs to exclude
|
||||||
|
# __brp_mangle_shebangs_exclude_file - file from which to get shebangs to exclude
|
||||||
|
# __brp_mangle_shebangs_exclude_from - files to ignore
|
||||||
|
# __brp_mangle_shebangs_exclude_from_file - file from which to get files to ignore
|
||||||
|
%__brp_mangle_shebangs /usr/lib/rpm/redhat/brp-mangle-shebangs %{?__brp_mangle_shebangs_exclude:--shebangs "%{?__brp_mangle_shebangs_exclude}"} %{?__brp_mangle_shebangs_exclude_file:--shebangs-from "%{__brp_mangle_shebangs_exclude_file}"} %{?__brp_mangle_shebangs_exclude_from:--files "%{?__brp_mangle_shebangs_exclude_from}"} %{?__brp_mangle_shebangs_exclude_from_file:--files-from "%{__brp_mangle_shebangs_exclude_from_file}"}
|
||||||
|
|
||||||
|
%__brp_llvm_compile_lto_elf /usr/lib/rpm/redhat/brp-llvm-compile-lto-elf %{build_cflags} %{build_ldflags}
|
||||||
|
|
||||||
|
# note: %%__os_install_post_python is defined in python-srpm-macros and contains several policies
|
||||||
|
# redhat-rpm-config maintainers, don't remove it from %%__os_install_post unless coordinating the change with Python maintainers
|
||||||
|
# packagers, don't undefine the entire macro, see the individual macros in /usr/lib/rpm/macros.d/macros.python-srpm
|
||||||
|
|
||||||
|
%__os_install_post \
|
||||||
|
%{?__brp_ldconfig} \
|
||||||
|
%{?__brp_compress} \
|
||||||
|
%{!?__debug_package:\
|
||||||
|
%{?__brp_strip} \
|
||||||
|
%{?__brp_strip_comment_note} \
|
||||||
|
} \
|
||||||
|
%{?__brp_strip_lto} \
|
||||||
|
%{?__brp_strip_static_archive} \
|
||||||
|
%{?__brp_check_rpaths} \
|
||||||
|
%{?__brp_mangle_shebangs} \
|
||||||
|
%{?__brp_remove_la_files} \
|
||||||
|
%{__os_install_post_python} \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
%__spec_install_post\
|
||||||
|
%[ "%{toolchain}" == "clang" ? "%{?__brp_llvm_compile_lto_elf}" : "%{nil}" ] \
|
||||||
|
%{?__debug_package:%{__debug_install_post}}\
|
||||||
|
%{__arch_install_post}\
|
||||||
|
%{__os_install_post}\
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
%install %{?_enable_debug_packages:%{?buildsubdir:%{debug_package}}}\
|
||||||
|
%%install\
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Should missing buildids terminate a build?
|
||||||
|
%_missing_build_ids_terminate_build 1
|
||||||
|
|
||||||
|
# Use SHA-256 for FILEDIGESTS instead of default MD5
|
||||||
|
%_source_filedigest_algorithm 8
|
||||||
|
%_binary_filedigest_algorithm 8
|
||||||
|
|
||||||
|
# Use Zstandard compression for binary payloads
|
||||||
|
%_binary_payload w19.zstdio
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# --- Compiler flags control.
|
||||||
|
#
|
||||||
|
# Please consult buildflags.md for parts that can be configured
|
||||||
|
# from RPM spec files.
|
||||||
|
|
||||||
|
%_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
|
||||||
|
%_hardening_clang_cflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang.cfg
|
||||||
|
%_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}} -fstack-protector-strong
|
||||||
|
|
||||||
|
# Have the linker generate errors instead of warnings for binaries that
|
||||||
|
# contain memory regions with both write and execute permissions.
|
||||||
|
# https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues
|
||||||
|
%_hardening_linker_errors %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors" : "" ]
|
||||||
|
%_hardened_linker_errors 1
|
||||||
|
|
||||||
|
# we don't escape symbols '~', '"', etc. so be careful when changing this
|
||||||
|
%_hardening_gcc_ldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
|
||||||
|
%_hardening_clang_ldflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang-ld.cfg
|
||||||
|
%_hardening_ldflags -Wl,-z,now %{expand:%%{_hardening_%{toolchain}_ldflags}}
|
||||||
|
|
||||||
|
# Harden packages by default for Fedora 23+:
|
||||||
|
# https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11)
|
||||||
|
# Use "%undefine _hardened_build" to disable.
|
||||||
|
%_hardened_build 1
|
||||||
|
%_hardened_cflags %{?_hardened_build:%{_hardening_cflags}}
|
||||||
|
%_hardened_ldflags %{?_hardened_build:%{_hardening_ldflags}}
|
||||||
|
|
||||||
|
# Add extra information to binary objects created by the compiler:
|
||||||
|
# https://pagure.io/fesco/issue/1780 (accepted on 2017-10-30)
|
||||||
|
# ...except on armv7hl, which has an issue whose root-cause isn't
|
||||||
|
# clear yet: https://bugzilla.redhat.com/show_bug.cgi?id=1951492
|
||||||
|
# Use "%undefine _annotated_build" to disable.
|
||||||
|
%_annotated_build 1
|
||||||
|
%_annobin_gcc_plugin -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
|
||||||
|
# The annobin plugin is not built for clang yet
|
||||||
|
%_annobin_clang_plugin %dnl-fplugin=/usr/lib64/clang/`clang -dumpversion`/lib/annobin.so
|
||||||
|
%_annotation_plugin %{?_annotated_build:%{expand:%%{_annobin_%{toolchain}_plugin}}}
|
||||||
|
%_annotation_cflags %[ "%{_target_cpu}" == "armv7hl" ? "" : "%{_annotation_plugin}" ]
|
||||||
|
%_annotation_ldflags %{?_lto_cflags:%{_annotation_cflags}}
|
||||||
|
# Use the remove-section option to force the find-debuginfo script
|
||||||
|
# to move the annobin notes into the separate debuginfo file.
|
||||||
|
%_find_debuginfo_extra_opts %{?_annotated_build:--remove-section .gnu.build.attributes}
|
||||||
|
|
||||||
|
# Include frame pointer information by default, except on RHEL 10 and earlier
|
||||||
|
# On RHEL 11, we are enabling it for now, with the possibility of revoking it
|
||||||
|
# at a later date.
|
||||||
|
# https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer
|
||||||
|
# Use "%undefine _include_frame_pointers" to disable.
|
||||||
|
%_include_frame_pointers %{undefined rhel} || 0%{?rhel} >= 11
|
||||||
|
%_frame_pointers_cflags %{expr:0%{?_include_frame_pointers} ? "-fno-omit-frame-pointer" : ""}
|
||||||
|
%_frame_pointers_cflags_x86_64 %{expr:0%{?_include_frame_pointers} ? "-mno-omit-leaf-frame-pointer" : ""}
|
||||||
|
%_frame_pointers_cflags_aarch64 %{expr:0%{?_include_frame_pointers} ? "-mno-omit-leaf-frame-pointer" : ""}
|
||||||
|
%_frame_pointers_cflags_s390x %{expr:0%{?_include_frame_pointers} ? "-mbackchain" : ""}
|
||||||
|
|
||||||
|
# Fail linking if there are undefined symbols. Required for proper
|
||||||
|
# ELF symbol versioning support. Disabled by default.
|
||||||
|
# Use "%define _ld_strict_symbol_defs 1" to enable.
|
||||||
|
#%_ld_strict_symbol_defs 1
|
||||||
|
%_ld_symbols_flags %{?_ld_strict_symbol_defs:-Wl,-z,defs}
|
||||||
|
|
||||||
|
# https://fedoraproject.org/wiki/Changes/RemoveExcessiveLinking
|
||||||
|
# use "%undefine _ld_as_needed" to disable.
|
||||||
|
%_ld_as_needed 1
|
||||||
|
%_ld_as_needed_flags %{?_ld_as_needed:-Wl,--as-needed}
|
||||||
|
|
||||||
|
# aarch64 and s390x currently do not support packed relocations.
|
||||||
|
%_ld_pack_relocs %[ "%{_arch}" == "x86_64" || "%{_arch}" == "i386" || "%{_arch}" == "ppc64le" || "%{_arch}" == "aarch64" ]
|
||||||
|
%_ld_pack_relocs_flags %[0%{?_ld_pack_relocs} ? "-Wl,-z,pack-relative-relocs" : ""]
|
||||||
|
|
||||||
|
# LTO is the default in Fedora.
|
||||||
|
# "%define _lto_cflags %{nil}" to opt out
|
||||||
|
#
|
||||||
|
# We currently have -ffat-lto-objects turned on out of an abundance of
|
||||||
|
# caution. To remove it we need to do a check of the installed .o/.a files
|
||||||
|
# to verify they have real sections/symbols after LTO stripping. That
|
||||||
|
# way we can detect installing an unusable .o/.a file. This is on the TODO
|
||||||
|
# list for F34.
|
||||||
|
%_gcc_lto_cflags -flto=auto -ffat-lto-objects
|
||||||
|
%_clang_lto_cflags -flto=thin
|
||||||
|
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
|
||||||
|
|
||||||
|
# Default fortification level.
|
||||||
|
# "%define _fortify_level 2" to downgrade and
|
||||||
|
# "%define _fortify_level 0" or "%undefine _fortify_level" to disable
|
||||||
|
#
|
||||||
|
# We use a single -Wp here to enforce order so that ccache does not ever
|
||||||
|
# reorder them.
|
||||||
|
%_fortify_level 3
|
||||||
|
%_fortify_level_flags %[ 0%{?_fortify_level} > 0 ? "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ]
|
||||||
|
|
||||||
|
# This can be set to a positive integer to obtain increasing type
|
||||||
|
# safety levels for C. See buildflags.md.
|
||||||
|
%build_type_safety_c 3
|
||||||
|
|
||||||
|
# Some linkers default to a build-id algorithm that is not supported by rpmbuild,
|
||||||
|
# so we need to specify the right algorithm to use.
|
||||||
|
%_build_id_flags -Wl,--build-id=sha1
|
||||||
|
|
||||||
|
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
|
||||||
|
%_warning_options -Wall%[%__build_for_lang_any && "%toolchain" == "gcc" ? " -Wno-complain-wrong-lang" : ""]%[%__build_for_lang_c + %__build_for_lang_cxx ? " -Werror=format-security" : ""]%[%__build_for_lang_c && (%build_type_safety_c == 0) ? " -fpermissive" : ""]%[%__build_for_lang_c && (%build_type_safety_c == 1) ? " -Wno-error=int-conversion" : ""]%[%__build_for_lang_c && (%build_type_safety_c > 0 && %build_type_safety_c < 3) ? " -Wno-error=incompatible-pointer-types" : ""]
|
||||||
|
%_preprocessor_defines %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS
|
||||||
|
|
||||||
|
# Common variables are no longer generated by default by gcc and clang
|
||||||
|
# If they are needed then add "%define _legacy_common_support 1" to the spec file.
|
||||||
|
%_legacy_options %{?_legacy_common_support: -fcommon}
|
||||||
|
|
||||||
|
%__global_compiler_flags %{_general_options} %{_warning_options} %{_preprocessor_defines} %{_hardened_cflags} %{_annotation_cflags} %{_legacy_options}
|
||||||
|
|
||||||
|
# Internal macros. Do not use directly. These variables can be rebound
|
||||||
|
# to suppress certain frontend-specific compiler flags (or in the case
|
||||||
|
# of __build_for_lang_any, frontend-agnostic flags). Dynamic scoping
|
||||||
|
# and shadowing redefinitions are used for the __build_for_* variables
|
||||||
|
# to remain largely compatible with existing spec files that have
|
||||||
|
# hard-coded assumptions which macros assume which other macros.
|
||||||
|
# The __build_flags_no_macro_warning construct suppresses a warning
|
||||||
|
# about unused RPM macros.
|
||||||
|
%__build_for_lang_c 1
|
||||||
|
%__build_for_lang_cxx 1
|
||||||
|
%__build_for_lang_any 1
|
||||||
|
%__build_flags_no_macro_warning %[%__build_for_lang_c + %__build_for_lang_cxx + %__build_for_lang_any ? "" : ""]
|
||||||
|
%__build_flags_common() %{expand:%define __build_for_lang_c 0}%{expand:%define __build_for_lang_cxx 0}%{expand:%define __build_for_lang_any 0}%{__build_flags_no_macro_warning}%{optflags}
|
||||||
|
%__build_flags_lang_c() %{expand:%define __build_for_lang_cxx 0}%{expand:%define __build_for_lang_any 0}%{__build_flags_no_macro_warning}%{optflags}
|
||||||
|
%__build_flags_lang_cxx() %{expand:%define __build_for_lang_c 0}%{expand:%define __build_for_lang_any 0}%{__build_flags_no_macro_warning}%{optflags}
|
||||||
|
|
||||||
|
# Automatically trim changelog entries after 2 years
|
||||||
|
%_changelog_trimage %{expr:2*365*24*60*60}
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- Generic auto req/prov filtering macros
|
||||||
|
#
|
||||||
|
# http://fedoraproject.org/wiki/PackagingDrafts/AutoProvidesAndRequiresFiltering
|
||||||
|
|
||||||
|
# prevent anything matching from being scanned for provides
|
||||||
|
%filter_provides_in(P) %{expand: \
|
||||||
|
%global __filter_prov_cmd %{?__filter_prov_cmd} %{__grep} -v %{-P} '%*' | \
|
||||||
|
}
|
||||||
|
|
||||||
|
# prevent anything matching from being scanned for requires
|
||||||
|
%filter_requires_in(P) %{expand: \
|
||||||
|
%global __filter_req_cmd %{?__filter_req_cmd} %{__grep} -v %{-P} '%*' | \
|
||||||
|
}
|
||||||
|
|
||||||
|
# filter anything matching out of the provides stream
|
||||||
|
%filter_from_provides() %{expand: \
|
||||||
|
%global __filter_from_prov %{?__filter_from_prov} | %{__sed} -e '%*' \
|
||||||
|
}
|
||||||
|
|
||||||
|
# filter anything matching out of the requires stream
|
||||||
|
%filter_from_requires() %{expand: \
|
||||||
|
%global __filter_from_req %{?__filter_from_req} | %{__sed} -e '%*' \
|
||||||
|
}
|
||||||
|
|
||||||
|
# actually set up the filtering bits
|
||||||
|
%filter_setup %{expand: \
|
||||||
|
%global _use_internal_dependency_generator 0 \
|
||||||
|
%global __deploop() while read FILE; do echo "${FILE}" | /usr/lib/rpm/rpmdeps -%{1}; done | /bin/sort -u \
|
||||||
|
%global __find_provides /bin/sh -c "%{?__filter_prov_cmd} %{__deploop P} %{?__filter_from_prov}" \
|
||||||
|
%global __find_requires /bin/sh -c "%{?__filter_req_cmd} %{__deploop R} %{?__filter_from_req}" \
|
||||||
|
}
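Review bot: `%_hardening_linker_errors` and `%_hardened_linker_errors` are defined under "Compiler flags control", but nothing in this file expands them: `%_hardened_ldflags` is only `%{?_hardened_build:%{_hardening_ldflags}}`, and `%build_ldflags` does not name them either. Unless another macro file or the `redhat-hardened-ld` specs file pulls the setting in, links would presumably still only warn about segments that are both writable and executable, which is not what the comment above the definition promises. If it is meant to be enforced by default, `%_hardened_ldflags` could become `%{?_hardened_build:%{_hardening_ldflags}} %{?_hardened_linker_errors:%{_hardening_linker_errors}}`; otherwise a comment should say where the macro is consumed. Separately, the comment on `%_ld_pack_relocs` says aarch64 does not support packed relocations while the expression enables them for aarch64, so one of the two needs correcting.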
|
@ -0,0 +1,103 @@
|
|||||||
|
# Macros to constrain resource use during the build process
|
||||||
|
|
||||||
|
# Changes _smp_build_ncpus depending on various factors
|
||||||
|
#
|
||||||
|
# -c cpus constrains the CPU count to "cpus"
|
||||||
|
# -m mem constrains the CPU count to the total amount of memory in the system
|
||||||
|
# (in megabytes) divided by "mem", rounded down
|
||||||
|
#
|
||||||
|
# If no options are passed, sets _smp_build_ncpus to 1.
|
||||||
|
# _smp_build_ncpus will never be raised, only lowered.
|
||||||
|
%constrain_build(c:m:) %{lua:
|
||||||
|
|
||||||
|
-- Check a value and clamp it to at least 1
|
||||||
|
local function check_and_clamp(v, string)
|
||||||
|
if v == nil then return nil end
|
||||||
|
|
||||||
|
i = math.tointeger(v)
|
||||||
|
if i == nil then
|
||||||
|
macros.error({"%%%0: invalid "..string.." value "..v})
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
local clamp = math.max(1, math.floor(i))
|
||||||
|
if i ~= clamp then
|
||||||
|
macros.error({"%%%0: invalid "..string.." value "..v})
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
return clamp
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Parse meminfo to find the total amount of memory in the system
|
||||||
|
local function getmem()
|
||||||
|
local mem = 0
|
||||||
|
for l in io.lines('/proc/meminfo') do
|
||||||
|
if l:sub(1, 9) == "MemTotal:" then
|
||||||
|
mem = math.tointeger(string.match(l, "MemTotal:%s+(%d+)"))
|
||||||
|
break
|
||||||
|
end
|
||||||
|
end
|
||||||
|
return mem
|
||||||
|
end
|
||||||
|
|
||||||
|
local mem_limit = check_and_clamp(opt.m, "mem limit")
|
||||||
|
local cpu_limit = check_and_clamp(opt.c, "cpu limit")
|
||||||
|
local current_cpus = math.tointeger(macros._smp_build_ncpus)
|
||||||
|
local constrained_cpus = current_cpus
|
||||||
|
|
||||||
|
if (not cpu_limit and not mem_limit) then
|
||||||
|
cpu_limit = 1
|
||||||
|
end
|
||||||
|
|
||||||
|
if cpu_limit ~= nil then
|
||||||
|
constrained_cpus = math.min(cpu_limit, constrained_cpus)
|
||||||
|
end
|
||||||
|
if mem_limit ~= nil then
|
||||||
|
local mem_total = getmem(verbose)
|
||||||
|
local limit = math.max(1, mem_total // (mem_limit * 1024))
|
||||||
|
constrained_cpus = math.min(constrained_cpus, limit)
|
||||||
|
end
|
||||||
|
|
||||||
|
macros._smp_build_ncpus = constrained_cpus
|
||||||
|
}
|
||||||
|
|
||||||
|
# outputs build flag overrides to be used in conjunction with
|
||||||
|
# %%make_build, %%cmake_build etc.
|
||||||
|
#
|
||||||
|
# if no override is needed, this macro outputs nothing
|
||||||
|
#
|
||||||
|
# - m memory limit in MBs per core; default is 1024
|
||||||
|
#
|
||||||
|
# Usage:
|
||||||
|
# e.g. %make_build %{limit_build -m 2048}
|
||||||
|
# => /usr/bin/make -O -j16 V=1 VERBOSE=1
|
||||||
|
# %make_build %{limit_build -m 40960}
|
||||||
|
# => /usr/bin/make -O -j16 V=1 VERBOSE=1 -j1
|
||||||
|
#
|
||||||
|
%limit_build(m:) %{lua:
|
||||||
|
local mem_per_process=rpm.expand("%{-m*}")
|
||||||
|
if mem_per_process == "" then
|
||||||
|
mem_per_process = 1024
|
||||||
|
else
|
||||||
|
mem_per_process = tonumber(mem_per_process)
|
||||||
|
end
|
||||||
|
local mem_total = 0
|
||||||
|
for line in io.lines('/proc/meminfo') do
|
||||||
|
if line:sub(1, 9) == "MemTotal:" then
|
||||||
|
local tokens = {}
|
||||||
|
for token in line:gmatch("%w+") do
|
||||||
|
tokens[#tokens + 1] = token
|
||||||
|
end
|
||||||
|
mem_total = tonumber(tokens[2])
|
||||||
|
break
|
||||||
|
end
|
||||||
|
end
|
||||||
|
local max_jobs = mem_total // (mem_per_process * 1024)
|
||||||
|
if max_jobs < 1 then
|
||||||
|
max_jobs = 1
|
||||||
|
end
|
||||||
|
cur_max_jobs=tonumber(rpm.expand("%{_smp_build_ncpus}"))
|
||||||
|
if cur_max_jobs > max_jobs then
|
||||||
|
print("-j" .. max_jobs)
|
||||||
|
end
|
||||||
|
}
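Review bot: `%limit_build` uses its `-m` value without the validation that `%constrain_build` applies through `check_and_clamp`. A non-numeric argument makes `tonumber` return nil and `-m 0` makes the divisor zero, so `mem_total // (mem_per_process * 1024)` would abort macro expansion with a raw Lua arithmetic error instead of a message naming the macro. A guard right after the `tonumber` call, such as `if not mem_per_process or mem_per_process < 1 then macros.error({"%%%0: invalid mem limit value"}) return end`, would report it the way `%constrain_build` does. `cur_max_jobs` here and `i` inside `check_and_clamp` are also assigned without `local`, so they become globals in whatever Lua state rpm runs these macros in; declaring them `local` keeps the two macros from affecting each other or later Lua macros.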
|
@ -0,0 +1,39 @@
|
|||||||
|
# Macros for reducing debug info size using dwz(1) utility.
|
||||||
|
|
||||||
|
# The two default values below should result in dwz taking at most
|
||||||
|
# 3GB of RAM or so on 64-bit hosts and 2.5GB on 32-bit hosts
|
||||||
|
# on the largest *.debug files (in mid 2012 those are
|
||||||
|
# libreoffice-debuginfo, debuginfos containing
|
||||||
|
# libxul.so.debug and libwebkitgtk-*.so.*.debug).
|
||||||
|
# This needs to be tuned based on the amount of available RAM
|
||||||
|
# on build boxes for each architecture as well as virtual address
|
||||||
|
# space limitations if dwz is 32-bit program. While it needs less
|
||||||
|
# memory than 64-bit program because pointers are smaller, it can
|
||||||
|
# never have more than 4GB-epsilon of RAM and on some architecture
|
||||||
|
# even less than that (e.g. 2GB).
|
||||||
|
|
||||||
|
# Number of debugging information entries (DIEs) above which
|
||||||
|
# dwz will stop considering file for multifile optimizations
|
||||||
|
# and enter a low memory mode, in which it will optimize
|
||||||
|
# in about half the memory needed otherwise.
|
||||||
|
%_dwz_low_mem_die_limit 10000000
|
||||||
|
# Number of DIEs above which dwz will stop processing
|
||||||
|
# a file altogether.
|
||||||
|
%_dwz_max_die_limit 50000000
|
||||||
|
|
||||||
|
# On x86_64 increase the higher limit to make libwebkit* optimizable.
|
||||||
|
# libwebkit* in mid 2012 contains roughly 87mil DIEs, and 64-bit
|
||||||
|
# dwz is able to optimize it from ~1.1GB to ~410MB using 5.2GB of RAM.
|
||||||
|
%_dwz_max_die_limit_x86_64 110000000
|
||||||
|
|
||||||
|
# On ARM, build boxes often have only 512MB of RAM and are very slow.
|
||||||
|
# Lower both the limits.
|
||||||
|
%_dwz_low_mem_die_limit_armv5tel 4000000
|
||||||
|
%_dwz_low_mem_die_limit_armv7hl 4000000
|
||||||
|
%_dwz_max_die_limit_armv5tel 10000000
|
||||||
|
%_dwz_max_die_limit_armv7hl 10000000
|
||||||
|
|
||||||
|
%_dwz_limit() %{expand:%%{?%{1}_%{_arch}}%%{!?%{1}_%{_arch}:%%%{1}}}
|
||||||
|
%_find_debuginfo_dwz_opts --run-dwz\\\
|
||||||
|
--dwz-low-mem-die-limit %{_dwz_limit _dwz_low_mem_die_limit}\\\
|
||||||
|
--dwz-max-die-limit %{_dwz_limit _dwz_max_die_limit}
|
@ -0,0 +1,2 @@
|
|||||||
|
# Arches that GAP runs on
|
||||||
|
%gap_arches aarch64 ppc64le s390x x86_64
|
@ -0,0 +1,2 @@
|
|||||||
|
# Arches that OpenJDK and dependent packages run on
|
||||||
|
%java_arches aarch64 ppc64le s390x x86_64
|
@ -0,0 +1,2 @@
|
|||||||
|
# arches that ldc builds on
|
||||||
|
%ldc_arches %{ix86} x86_64 %{arm} aarch64
|
@ -0,0 +1,9 @@
|
|||||||
|
#%ldconfig /sbin/ldconfig
|
||||||
|
%ldconfig_post(n:) %{?ldconfig:%post -p %ldconfig %{?*} %{-n:-n %{-n*}}\
|
||||||
|
%end}
|
||||||
|
%ldconfig_postun(n:) %{?ldconfig:%postun -p %ldconfig %{?*} %{-n:-n %{-n*}}\
|
||||||
|
%end}
|
||||||
|
%ldconfig_scriptlets(n:) %{?ldconfig:\
|
||||||
|
%ldconfig_post %{?*} %{-n:-n %{-n*}}\
|
||||||
|
%ldconfig_postun %{?*} %{-n:-n %{-n*}}\
|
||||||
|
}
|
@ -0,0 +1,5 @@
|
|||||||
|
# arches that mono builds on
|
||||||
|
%mono_arches %{ix86} x86_64 sparc sparcv9 ia64 %{arm} aarch64 alpha s390x ppc ppc64 ppc64le
|
||||||
|
|
||||||
|
%_monodir %{_prefix}/lib/mono
|
||||||
|
%_monogacdir %{_monodir}/gac
|
@ -0,0 +1,7 @@
|
|||||||
|
# nodejs_arches lists what arches Node.js and dependent packages run on.
|
||||||
|
#
|
||||||
|
# Enabling Node.js on other arches requires porting the V8 JavaScript JIT to
|
||||||
|
# those arches. Support for POWER and aarch64 arrived in nodejs v4. Support
|
||||||
|
# for s390x arrived in nodejs v6
|
||||||
|
|
||||||
|
%nodejs_arches %{ix86} x86_64 %{arm} aarch64 %{power64} s390x
|
@ -0,0 +1,16 @@
|
|||||||
|
%autorelease(e:s:pb:n) %{?-p:0.}%{lua:
|
||||||
|
release_number = tonumber(rpm.expand("%{?_rpmautospec_release_number}%{!?_rpmautospec_release_number:1}"));
|
||||||
|
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
|
||||||
|
print(release_number + base_release_number - 1);
|
||||||
|
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
|
||||||
|
%autochangelog %{lua:
|
||||||
|
locale = os.setlocale(nil)
|
||||||
|
os.setlocale("C.utf8")
|
||||||
|
date = os.date("%a %b %d %Y")
|
||||||
|
os.setlocale(locale)
|
||||||
|
packager = rpm.expand("%{?packager}%{!?packager:John Doe <packager@example.com>}")
|
||||||
|
evr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}")
|
||||||
|
print("* " .. date .. " " .. packager .. " - " .. evr .. "\\n")
|
||||||
|
print("- local build")
|
||||||
|
}
|
||||||
|
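Review bot: `base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"))` in `%autorelease` yields nil when `-b` is given a non-numeric value, so the following `print(release_number + base_release_number - 1)` fails with a bare Lua arithmetic error that does not name the bad option. A guard such as `if not base_release_number then error("autorelease: -b expects a number") end` would make the failure explicit, and `release_number` deserves the same check. Every variable in both macros (`release_number`, `locale`, `date`, `packager`, `evr`) is assigned without `local`, so it lands in the Lua global table; if rpm keeps one interpreter state across macro expansions, as it appears to, these names can collide with other macros. In `%autochangelog` the result of `os.setlocale("C.utf8")` is not checked, so where that locale is unavailable the changelog date is formatted in whatever locale was active.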
|
@ -0,0 +1,3 @@
|
|||||||
|
%bash_completions_dir %{_datadir}/bash-completion/completions
|
||||||
|
%zsh_completions_dir %{_datadir}/zsh/site-functions
|
||||||
|
%fish_completions_dir %{_datadir}/fish/vendor_completions.d
|
@ -0,0 +1,3 @@
|
|||||||
|
# valgrind_arches lists what arches Valgrind works on
|
||||||
|
|
||||||
|
%valgrind_arches %{ix86} x86_64 ppc ppc64 ppc64le s390x armv7hl aarch64
|
@ -0,0 +1,7 @@
|
|||||||
|
# ---- VPATH default settings
|
||||||
|
|
||||||
|
# directory where CMakeLists.txt/meson.build/etc. are placed
|
||||||
|
%_vpath_srcdir .
|
||||||
|
|
||||||
|
# directory (doesn't need to exist) where all generated build files will be placed
|
||||||
|
%_vpath_builddir %{_vendor}-%{_target_os}-build
|
@ -0,0 +1,3 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}
|
||||||
|
|
@ -0,0 +1,199 @@
|
|||||||
|
#!/usr/bin/sh
|
||||||
|
# This is a script to select which GCC spec file fragment
|
||||||
|
# should be the destination of the redhat-annobin-cc1 symlink.
|
||||||
|
|
||||||
|
# Author: Nick Clifton <nickc@redhat.com>
|
||||||
|
# Copyright (c) 2021 Red Hat.
|
||||||
|
#
|
||||||
|
# This is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU General Public License as published
|
||||||
|
# by the Free Software Foundation; either version 2, or (at your
|
||||||
|
# option) any later version.
|
||||||
|
|
||||||
|
# It is distributed in the hope that it will be useful, but
|
||||||
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# Usage:
|
||||||
|
# redhat-annobin-plugin-select [script-dir]
|
||||||
|
#
|
||||||
|
# If script-dir is not provided then /usr/lib/rpm/redhat is used
|
||||||
|
# as the location where all of the annobin plugin selection files
|
||||||
|
# can be found.
|
||||||
|
|
||||||
|
if test "x$1" = "x" ;
|
||||||
|
then
|
||||||
|
rrcdir=/usr/lib/rpm/redhat
|
||||||
|
else
|
||||||
|
rrcdir=$1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Set this variable to non-zero to enable the generation of debugging
|
||||||
|
# messages.
|
||||||
|
debug=0
|
||||||
|
|
||||||
|
# Decide which version of the annobin plugin for gcc should be used.
|
||||||
|
# There are two possible versions, one created by the annobin package and one
|
||||||
|
# created by the gcc package. The logic selects the gcc version unless both
|
||||||
|
# have been built by the same version of the compiler. In that case the
|
||||||
|
# annobin version is selected instead.
|
||||||
|
#
|
||||||
|
# The point of all this is that the annobin plugin is very sensitive to
|
||||||
|
# mismatches with the version of gcc that built it. If the plugin is built
|
||||||
|
# by version A of gcc, but then run on version B of gcc, it is possible for
|
||||||
|
# the plugin to misbehave, which then causes problems if gating tests examine
|
||||||
|
# the plugin's output. (This has happened more than once in RHEL...).
|
||||||
|
#
|
||||||
|
# So the plugin is built both by gcc and by the annobin package. This means
|
||||||
|
# that whenever gcc is updated a fresh plugin is built, and the logic below
|
||||||
|
# will select that version. But in order to allow annobin development to
|
||||||
|
# proceed independtently of gcc, the annobin package can also update its
|
||||||
|
# version of the plugin, and the logic will select this new version.
|
||||||
|
|
||||||
|
# This is where the annobin package stores the information on the version
|
||||||
|
# of gcc that built the annobin plugin.
|
||||||
|
aver=`gcc --print-file-name=plugin`/annobin-plugin-version-info
|
||||||
|
|
||||||
|
# This is where the gcc package stores its version information.
|
||||||
|
gver=`gcc --print-file-name=rpmver`
|
||||||
|
|
||||||
|
aplugin=`gcc --print-file-name=plugin`/annobin.so.0.0.0
|
||||||
|
gplugin=`gcc --print-file-name=plugin`/gcc-annobin.so.0.0.0
|
||||||
|
|
||||||
|
# This is the file that needs to be updated when either of those version
|
||||||
|
# files changes.
|
||||||
|
rac1=redhat-annobin-cc1
|
||||||
|
|
||||||
|
# This is the GCC spec file fragment that selects the gcc-built version of
|
||||||
|
# the annobin plugin
|
||||||
|
select_gcc=redhat-annobin-select-gcc-built-plugin
|
||||||
|
|
||||||
|
# This is the GCC spec file fragment that selects the annobin-built version
|
||||||
|
# of the annobin plugin
|
||||||
|
select_annobin=redhat-annobin-select-annobin-built-plugin
|
||||||
|
|
||||||
|
install_annobin_version=0
|
||||||
|
install_gcc_version=0
|
||||||
|
|
||||||
|
if [ -f $aplugin ]
|
||||||
|
then
|
||||||
|
if [ -f $gplugin ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Both plugins exist, checking version information"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f $gver ]
|
||||||
|
then
|
||||||
|
if [ -f $aver ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Both plugin version files exist - comparing..."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Get the first line from the version info files. This is just in
|
||||||
|
# vase there are extra lines in the files.
|
||||||
|
avers=`head --lines=1 $aver`
|
||||||
|
gvers=`head --lines=1 $gver`
|
||||||
|
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Annobin plugin built by gcc $avers"
|
||||||
|
echo " redhat-rpm-config: GCC plugin built by gcc $gvers"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If both plugins were built by the same version of gcc then select
|
||||||
|
# the one from the annobin package (in case it is built from newer
|
||||||
|
# sources). If the plugin builder versions differ, select the gcc
|
||||||
|
# built version instead. This assumes that the gcc built version
|
||||||
|
# always matches the installed gcc, which should be true.
|
||||||
|
if [ $avers = $gvers ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Both plugins built by the same compiler - using annobin-built plugin"
|
||||||
|
fi
|
||||||
|
install_annobin_version=1
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Versions differ - using gcc-built plugin"
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Annobin version file does not exist, using gcc-built plugin"
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ -f $aver ]
|
||||||
|
then
|
||||||
|
# FIXME: This is suspicious. If the installed GCC does not supports plugins
|
||||||
|
# then enabling the annobin plugin will not work.
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: GCC plugin version file does not exist, using annobin-built plugin"
|
||||||
|
fi
|
||||||
|
install_annobin_version=1
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Neither version file exists - playing safe and using gcc-built plugin"
|
||||||
|
echo " redhat-rpm-config: Note: expected to find $aver and/or $gver"
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Only the annobin plugin exists - using that"
|
||||||
|
fi
|
||||||
|
install_annobin_version=1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ -f $gplugin ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Only the gcc plugin exists - using that"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Neither plugin exists - playing safe and using gcc-built plugin"
|
||||||
|
echo " redhat-rpm-config: Note: expected to find $aplugin and/or $gplugin"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $install_annobin_version -eq 1 ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Installing annobin version of $rac1"
|
||||||
|
fi
|
||||||
|
pushd $rrcdir > /dev/null
|
||||||
|
rm -f $rac1
|
||||||
|
ln -s $select_annobin "$rac1"
|
||||||
|
popd > /dev/null
|
||||||
|
|
||||||
|
else if [ $install_gcc_version -eq 1 ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Installing gcc version of $rac1"
|
||||||
|
fi
|
||||||
|
pushd $rrcdir > /dev/null
|
||||||
|
rm -f $rac1
|
||||||
|
ln -s $select_gcc $rac1
|
||||||
|
popd > /dev/null
|
||||||
|
fi
|
||||||
|
fi
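Review bot: Neither `pushd $rrcdir > /dev/null` in the two install branches at the end of the script is checked, so when the script-dir argument names a missing or unreadable directory the following `rm -f $rac1` and `ln -s` act on whatever the current directory happens to be. `pushd` and `popd` are also bash builtins while the shebang is `#!/usr/bin/sh`, so the script only works where sh is bash. Both problems go away by dropping the directory change and writing the link by path, `ln -sfn "$select_annobin" "$rrcdir/$rac1"` and `ln -sfn "$select_gcc" "$rrcdir/$rac1"`. Separately, `[ $avers = $gvers ]` should quote both sides, `[ "$avers" = "$gvers" ]`, because an empty or multi-word first line in either version file makes the test error out instead of comparing.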
|
@ -0,0 +1,3 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}
|
||||||
|
|
@ -0,0 +1,3 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=gcc-annobin}
|
||||||
|
|
@ -0,0 +1,5 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
|
||||||
|
|
||||||
|
*cpp_options:
|
||||||
|
+ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
|
@ -0,0 +1 @@
|
|||||||
|
-pie
|
@ -0,0 +1 @@
|
|||||||
|
-fPIE
|
@ -0,0 +1,2 @@
|
|||||||
|
*self_spec:
|
||||||
|
+ %{!static:%{!shared:%{!r:-pie}}}
|
@ -0,0 +1,2 @@
|
|||||||
|
*self_spec:
|
||||||
|
+ %{!fuse-ld*:%{!r:-Wl,--error-rwx-segments -Wl,--error-execstack}}
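Review bot: The guard `%{!fuse-ld*:` drops both `-Wl,--error-rwx-segments` and `-Wl,--error-execstack` whenever any `-fuse-ld=` option is given, and the file has no comment saying why. Presumably this is because linkers other than GNU ld may reject these options, but the effect is that a package selecting another linker is linked without either check, silently. A `#` comment ahead of `*self_spec:` stating the reason, and that such builds lose the RWX-segment and executable-stack errors, would keep this fragment from being read as full coverage.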
|
@ -0,0 +1,31 @@
|
|||||||
|
include: /usr/lib/rpm/rpmrc
|
||||||
|
|
||||||
|
optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: x86_64 %{__global_compiler_flags} -m64 %{__cflags_arch_x86_64} %__cflags_arch_x86_64_common
|
||||||
|
optflags: x86_64_v2 %{__global_compiler_flags} -m64 -march=x86-64-v2 %__cflags_arch_x86_64_common
|
||||||
|
optflags: x86_64_v3 %{__global_compiler_flags} -m64 -march=x86-64-v3 %__cflags_arch_x86_64_common
|
||||||
|
optflags: x86_64_v4 %{__global_compiler_flags} -m64 -march=x86-64-v4 %__cflags_arch_x86_64_common
|
||||||
|
|
||||||
|
optflags: ppc64le %{__global_compiler_flags} -m64 %{__cflags_arch_ppc64le} -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
|
||||||
|
optflags: s390x %{__global_compiler_flags} -m64 %{__cflags_arch_s390x} -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
|
||||||
|
optflags: aarch64 %{__global_compiler_flags} -mbranch-protection=standard -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ] %{_frame_pointers_cflags} %{_frame_pointers_cflags_aarch64}
|
||||||
|
|
||||||
|
optflags: riscv64 %{__global_compiler_flags} -fasynchronous-unwind-tables %{_frame_pointers_cflags}
|
||||||
|
|
||||||
|
# set build arch to fedora buildarches on hardware capable of running it
|
||||||
|
# saves having to do rpmbuild --target=
|
||||||
|
buildarchtranslate: athlon: i686
|
||||||
|
buildarchtranslate: geode: i686
|
||||||
|
buildarchtranslate: pentium4: i686
|
||||||
|
buildarchtranslate: pentium3: i686
|
||||||
|
buildarchtranslate: i686: i686
|
||||||
|
buildarchtranslate: i586: i586
|
||||||
|
|
||||||
|
buildarchtranslate: armv7hl: armv7hl
|
||||||
|
buildarchtranslate: armv7hnl: armv7hl
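Review bot: The `optflags: riscv64` line is the only one here that carries no `-fstack-clash-protection`, and nothing in the file says whether that is deliberate. The i386 to athlon, ppc64le and s390x lines pass the flag directly, aarch64 passes it for the gcc toolchain, and the x86_64 lines presumably get it through `%__cflags_arch_x86_64_common`, which is defined outside this file. If the omission reflects missing compiler support on riscv64, a comment such as `# riscv64: -fstack-clash-protection omitted, not supported by the toolchain yet` above the line would record that; otherwise the flag should be added.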
|
File diff suppressed because it is too large