Compare commits

..

No commits in common. 'c9' and 'i10cs' have entirely different histories.
c9 ... i10cs

@ -1,18 +0,0 @@
#!/bin/bash -e
# If using normal root, avoid changing anything.
if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then
exit 0
fi
# Defined as %py_reproducible_pyc_path macro and passed here as
# the first command-line argument
path_to_fix=$1
# First, check that the parser is available:
if [ ! -x /usr/bin/marshalparser ]; then
echo "ERROR: If %py_reproducible_pyc_path is defined, you have to also BuildRequire: /usr/bin/marshalparser !"
exit 1
fi
find "$path_to_fix" -type f -name "*.pyc" | xargs /usr/bin/marshalparser --fix --overwrite

@ -48,5 +48,7 @@ check_convert_bitcode () {
echo "Checking for LLVM bitcode artifacts" echo "Checking for LLVM bitcode artifacts"
export -f check_convert_bitcode export -f check_convert_bitcode
find "$RPM_BUILD_ROOT" -type f -name "*.[ao]" -print0 | \ # Deduplicate by device:inode to avoid processing hardlinks in parallel.
xargs -0 -r -n1 -P$NCPUS sh -c "check_convert_bitcode \$@ $CLANG_FLAGS" ARG0 find "$RPM_BUILD_ROOT" -type f -name "*.[ao]" -printf "%D:%i %p\n" | \
awk '!seen[$1]++' | cut -d" " -f2- | \
xargs -d"\n" -r -n1 -P$NCPUS sh -c "check_convert_bitcode \$@ $CLANG_FLAGS" ARG0

@ -1,141 +0,0 @@
#!/bin/bash
errors_terminate=$2
# Usage of %_python_bytecompile_extra is not allowed anymore
# See: https://fedoraproject.org/wiki/Changes/No_more_automagic_Python_bytecompilation_phase_3
# Therefore $1 ($default_python) is not needed and is invoked with "" by default.
# $default_python stays in the arguments for backward compatibility and $extra for the following check:
extra=$3
if [ 0$extra -eq 1 ]; then
echo -e "%_python_bytecompile_extra is discontinued, use %py_byte_compile instead.\nSee: https://fedoraproject.org/wiki/Changes/No_more_automagic_Python_bytecompilation_phase_3" >/dev/stderr
exit 1
fi
# If using normal root, avoid changing anything.
if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then
exit 0
fi
# Figure out how deep we need to descend. We could pick an insanely high
# number and hope it's enough, but somewhere, somebody's sure to run into it.
depth=`(find "$RPM_BUILD_ROOT" -type f -name "*.py" -print0 ; echo /) | \
xargs -0 -n 1 dirname | sed 's,[^/],,g' | sort -u | tail -n 1 | wc -c`
if [ -z "$depth" -o "$depth" -le "1" ]; then
exit 0
fi
# This function now implements Python byte-compilation in three different ways:
# Python >= 3.4 and < 3.9 uses a new module compileall2 - https://github.com/fedora-python/compileall2
# Python < 3.4 (inc. Python 2) uses compileall module from stdlib with some hacks
# When we drop support for Python 2, we'd be able to use all compileall2 features like:
# - -s and -p options to manipulate with a path baked into pyc files instead of $real_libdir
# - -o 0 -o 1 to produce multiple files in one run - each with a different optimization level - instead of $options
# - removed useless $depth - both compileall and compileall2 are limited by sys.getrecursionlimit()
# These changes will make this script much simpler
# In Python >= 3.9, compileall2 was merged back to standard library (compileall) so we can use it directly again.
function python_bytecompile()
{
local options=$1
local python_binary=$2
local exclude=$3
local python_libdir=$4
local depth=$5 # Not used for Python >= 3.4
local real_libdir=$6 # Not used for Python >= 3.4
python_version=$($python_binary -c "import sys; sys.stdout.write('{0.major}{0.minor}'.format(sys.version_info))")
#
# Python 3.9 and higher
#
if [ "$python_version" -ge 39 ]; then
[ ! -z $exclude ] && exclude="-x '$exclude'"
# -q disables verbose output
# -f forces the process to overwrite existing compiled files
# -x excludes paths defined by regex
# -e excludes symbolic links pointing outside the build root
# -x and -e together implements the same functionality as the Filter class below
# -s strips $RPM_BUILD_ROOT from the path
# -p prepends the leading slash to the path to make it absolute
$python_binary -B $options -m compileall -q -f $exclude -s $RPM_BUILD_ROOT -p / -e $RPM_BUILD_ROOT $python_libdir
#
# Python 3.4 and higher
#
elif [ "$python_version" -ge 34 ]; then
[ ! -z $exclude ] && exclude="-x '$exclude'"
# /usr/lib/rpm/redhat/ contains compileall2 Python module
# -q disables verbose output
# -f forces the process to overwrite existing compiled files
# -x excludes paths defined by regex
# -e excludes symbolic links pointing outside the build root
# -x and -e together implements the same functionality as the Filter class below
# -s strips $RPM_BUILD_ROOT from the path
# -p prepends the leading slash to the path to make it absolute
PYTHONPATH=/usr/lib/rpm/redhat/ $python_binary -B $options -m compileall2 -q -f $exclude -s $RPM_BUILD_ROOT -p / -e $RPM_BUILD_ROOT $python_libdir
else
#
# Python 3.3 and lower (incl. Python 2)
#
cat << EOF | $python_binary $options
import compileall, sys, os, re
python_libdir = "$python_libdir"
depth = $depth
real_libdir = "$real_libdir"
build_root = "$RPM_BUILD_ROOT"
exclude = r"$exclude"
class Filter:
def search(self, path):
ret = not os.path.realpath(path).startswith(build_root)
if exclude:
ret = ret or re.search(exclude, path)
return ret
sys.exit(not compileall.compile_dir(python_libdir, depth, real_libdir, force=1, rx=Filter(), quiet=1))
EOF
fi
}
# .pyc/.pyo files embed a "magic" value, identifying the ABI version of Python
# bytecode that they are for.
#
# The files below RPM_BUILD_ROOT could be targeting multiple versions of
# python (e.g. a single build that emits several subpackages e.g. a
# python26-foo subpackage, a python31-foo subpackage etc)
#
# Support this by assuming that below each /usr/lib/python$VERSION/, all
# .pyc/.pyo files are to be compiled for /usr/bin/python$VERSION.
#
# For example, below /usr/lib/python2.6/, we're targeting /usr/bin/python2.6
# and below /usr/lib/python3.1/, we're targeting /usr/bin/python3.1
# Disable Python hash seed randomization
# This should help with byte-compilation reproducibility: https://bugzilla.redhat.com/show_bug.cgi?id=1686078
export PYTHONHASHSEED=0
shopt -s nullglob
for python_libdir in `find "$RPM_BUILD_ROOT" -type d|grep -E "/(usr|app)/lib(64)?/python[0-9]\.[0-9]+$"`;
do
python_binary=$(basename $python_libdir)
real_libdir=${python_libdir/$RPM_BUILD_ROOT/}
echo "Bytecompiling .py files below $python_libdir using $python_binary"
# Generate normal (.pyc) byte-compiled files.
python_bytecompile "" "$python_binary" "" "$python_libdir" "$depth" "$real_libdir"
if [ $? -ne 0 -a 0$errors_terminate -ne 0 ]; then
# One or more of the files had a syntax error
exit 1
fi
# Generate optimized (.pyo) byte-compiled files.
python_bytecompile "-O" "$python_binary" "" "$python_libdir" "$depth" "$real_libdir"
if [ $? -ne 0 -a 0$errors_terminate -ne 0 ]; then
# One or more of the files had a syntax error
exit 1
fi
done

@ -5,49 +5,58 @@ and how to use them.
# Using RPM build flags # Using RPM build flags
For packages which use autoconf to set up the build environment, use The %set_build_flags macro sets the environment variables `CFLAGS`,
the `%configure` macro to obtain the full complement of flags, like `CXXFLAGS`, `FFLAGS`, `FCFLAGS`, `VALAFLAGS`, `LDFLAGS` and `LT_SYS_LIBRARY_PATH` to
this: the value of their corresponding rpm macros. `%set_build_flags` is automatically
called prior to the `%build`, `%check`, and `%install` phases so these flags can be
used by makefiles and other build tools.
%configure You can opt out of this behavior by doing:
This will invoke the `./configure` with arguments (such as %undefine _auto_set_build_flags
`--prefix=/usr`) to adjust the paths to the packaging defaults.
Prior to that, some common problems in autotools scripts are
automatically patched across the source tree.
As a side effect, this will set the environment variables `CFLAGS`, If you do opt out of this behavior, you can still manually use `%set_build_flags`
`CXXFLAGS`, `FFLAGS`, `FCFLAGS`, `LDFLAGS` and `LT_SYS_LIBRARY_PATH`, by adding it to the `%build` section of your spec file or by using one of the
so they can be used by makefiles and other build tools. (However, build system helper macros like `%configure`, `%cmake`, and `%meson`.
existing values for these variables are not overwritten.)
If your package does not use autoconf, you can still set the same For packages which use autoconf to set up the build environment, use
environment variables using the `%configure` macro to obtain the full complement of flags, like
this:
%set_build_flags %configure
early in the `%build` section. (Again, existing environment variables This will invoke `./configure` with arguments (such as
are not overwritten.) `%set_build_flags` does not perform autotools `--prefix=/usr`) to adjust the paths to the packaging defaults. Prior
script rewriting, unlike `%configure`. to that, some common problems in autotools scripts are automatically
patched across the source tree.
Individual build flags are also available through RPM macros: Individual build flags are also available through RPM macros:
* `%{build_cc}` for the command name of the C compiler.
* `%{build_cxx}` for the command name of the C++ compiler.
* `%{build_cpp}` for the command name of the C-compatible preprocessor.
* `%{build_cflags}` for the C compiler flags (also known as the * `%{build_cflags}` for the C compiler flags (also known as the
`CFLAGS` variable). Also historically available as `%{optflags}`. `CFLAGS` variable).
Furthermore, at the start of the `%build` section, the environment
variable `RPM_OPT_FLAGS` is set to this value.
* `%{build_cxxflags}` for the C++ compiler flags (usually assigned to * `%{build_cxxflags}` for the C++ compiler flags (usually assigned to
the `CXXFLAGS` shell variable). the `CXXFLAGS` shell variable).
* `%{build_fflags} for `FFLAGS` (the Fortran compiler flags, also * `%{build_fflags}` for `FFLAGS` (the Fortran compiler flags, also
known as the `FCFLAGS` variable). known as the `FCFLAGS` variable).
* `%{build_ldflags}` for the link editor (ld) flags, usually known as * `%{build_valaflags}` for `VALAFLAGS` (the Vala compiler flags)
`LDFLAGS`. Note that the contents quotes linker arguments using * `%{build_ldflags}` for the linker (`ld`) flags, usually known as
`LDFLAGS`. Note that the contents quote linker arguments using
`-Wl`, so this variable is intended for use with the `gcc` compiler `-Wl`, so this variable is intended for use with the `gcc` compiler
driver. At the start of the `%build` section, the environment driver. At the start of the `%build` section, the environment
variable `RPM_LD_FLAGS` is set to this value. variable `RPM_LD_FLAGS` is set to this value.
The C and C++ compiler flags are historically available as the
`%{optflags}` macro. These flags may not contain flags that work with
certain languagues or compiler front ends, so the language-specific
`%build_*` are more precise. At the start of the `%build` section,
the environment variable `RPM_OPT_FLAGS` is set to the `%{optflags}`
value; similar limitations apply.
The variable `LT_SYS_LIBRARY_PATH` is defined here to prevent the `libtool` The variable `LT_SYS_LIBRARY_PATH` is defined here to prevent the `libtool`
script (v2.4.6+) from hardcoding %_libdir into the binaries' RPATH. script (v2.4.6+) from hardcoding `%_libdir` into the binaries' `RPATH`.
These RPM macros do not alter shell environment variables. These RPM macros do not alter shell environment variables.
@ -105,6 +114,67 @@ or:
BuildRequires: clang compiler-rt BuildRequires: clang compiler-rt
%endif %endif
### Controlling Type Safety
The macro `%build_type_safety_c` can be set to change the C type
safety level. The default level is 3, see below. It can be set to 0
to get historic levels of type safety. Changing the type safety level
may depend on correct `CFLAGS` propagation during the build. The
`%build_type_safety_c` macro needs to be set before `CFLAGS`-related
macros are expanded by RPM (that is, earlier in the file works
better).
Packages can set `%build_type_safety_c` to higher values to adopt
future distribution-wide type-safety increases early. When changing
the `%build_type_safety_c` level to increase it, spec file should use
a construct like this to avoid *lowering* a future default:
```
%if %build_type_safety_c < 4
%global build_type_safety_c 4
%endif
```
At level 0, all C constructs that GCC accepts for backwards
compatibility with obsolete language standards are accepted during
package builds. This is achieved by passing `-fpermissive` to GCC.
At level 1, the following additional error categories are enabled:
* `-Werror=implicit-int`: Reject declarations and definitions that
omit a type name where one is required. Examples are:
`extern int_variable;`, `extern int_returning_function (void);`,
and missing separate parameter type declarations in old-style
function definitions.
* `-Werror=implicit-function-declaration`: Reject calls to functions
to undeclared functions such as `function_not_defined_anywhere ()`.
Previously, such expressions where we compiled as if a declaration
`extern int function_not_defined_anywhere ();` (a prototype-less
function declaration) were in scope.
* `-Werror=return-mismatch`: Reject `return` statements with missing
or extra expressions, based on the declared return type of the
function.
* `-Wdeclaration-missing-parameter-type`: Reject function declarations
that contain unknown type names (which used to be treated as ignored
identifier names).
At level 2, the following error category is enabled in addition:
* `-Werror=int-conversion`: Reject the use of integer expressions
where a pointer type expected, and pointer expressions where an
integer type is expected. Without this option, GCC may produce an
executable, but often, there are failures at run time because not
the full 64 bits of pointers are preserved.
The additional level 3 error category is:
* `-Werror=incompatible-pointer-types`: An expression of one pointer
type is used where different pointer type is expected. (This does
not cover signed/unsigned mismatches in the pointer target type.)
Clang errors out on more obsolete and invalid C constructs than C, so
the type safety is higher by default than with the GCC toolchain.
### Disable autotools compatibility patching ### Disable autotools compatibility patching
By default, the invocation of the `%configure` macro replaces By default, the invocation of the `%configure` macro replaces
@ -120,6 +190,16 @@ are set as well during libtool-. This can be switched off using:
Further patching happens in LTO mode, see below. Further patching happens in LTO mode, see below.
### Other autotools compatibility settings
During `%configure`, `--runstatedir` is automatically passed to the
`configure` script if support for this option is detected. This
detection can fail if the package has multiple `configure` scripts
that invoke each other, and only some of them support `--runstatedir`.
To disable passing `--runstatedir`, use:
%undefine _configure_use_runstatedir
### Disabling Link-Time Optimization ### Disabling Link-Time Optimization
By default, builds use link-time optimization. In this build mode, By default, builds use link-time optimization. In this build mode,
@ -129,7 +209,7 @@ account which symbols are exported.
To disable this optimization, include this in the spec file: To disable this optimization, include this in the spec file:
%define _lto_cflags %{nil} %global _lto_cflags %{nil}
If LTO is enabled, `%configure` applies some common required fixes to If LTO is enabled, `%configure` applies some common required fixes to
`configure` scripts. To disable that, define the RPM macro `configure` scripts. To disable that, define the RPM macro
@ -158,6 +238,30 @@ This turns off certain hardening features, as described in detail
below. The main difference is that executables will be below. The main difference is that executables will be
position-dependent (no full ASLR) and use lazy binding. position-dependent (no full ASLR) and use lazy binding.
### Source Fortification
By default, the build flags include `-Wp,-D_FORTIFY_SOURCE=3`: Source
fortification activates various hardening features in glibc:
* String functions such as `memcpy` attempt to detect buffer lengths
and terminate the process if a buffer overflow is detected.
* `printf` format strings may only contain the `%n` format specifier
if the format string resides in read-only memory.
* `open` and `openat` flags are checked for consistency with the
presence of a *mode* argument.
* Plus other minor hardening changes.
These changes can, on rare occasions, break valid programs. The source
fortification level can be overridden by adding this in the RPM spec file:
%define _fortify_level 2
to reduce source fortification level to 2 or:
%undefine _fortify_level
to disable fortification altogether.
### Annotated builds/watermarking ### Annotated builds/watermarking
By default, the build flags cause a special output section to be By default, the build flags cause a special output section to be
@ -192,6 +296,23 @@ For example, this can be required if shared objects are used for their
side effects in ELF constructors, or for making them available to side effects in ELF constructors, or for making them available to
dynamically loaded plugins. dynamically loaded plugins.
### Switching to legacy relative relocations
By default, ELF objects use the architecture-independent `DT_RELR`
mechanism for relative relocations. To switch to the older,
architecture-specific relocation scheme, add this to the RPM spec file:
%undefine _ld_pack_relocs
This adds `-Wl,-z,pack-relative-relocs` to the linker flags (`LDFLAGS`).
### Specifying the build-id algorithm
If you want to specify a different build-id algorithm for your builds, you
can use the `%_build_id_flags` macro:
%_build_id_flags -Wl,--build-id=sha1
### Strict symbol checks in the link editor (ld) ### Strict symbol checks in the link editor (ld)
Optionally, the link editor will refuse to link shared objects which Optionally, the link editor will refuse to link shared objects which
@ -206,7 +327,7 @@ executed before the shared object containing them is fully relocated.
To switch on these checks, define this macro in the RPM spec file: To switch on these checks, define this macro in the RPM spec file:
%define _strict_symbol_defs_build 1 %global _strict_symbol_defs_build 1
If this RPM spec option is active, link failures will occur if the If this RPM spec option is active, link failures will occur if the
linker command line does not list all shared objects which are needed. linker command line does not list all shared objects which are needed.
@ -232,10 +353,43 @@ Builds may fail with `multiple definition of ...` errors.
As a short term workaround for such failure, As a short term workaround for such failure,
it is possible to add `-fcommon` to the flags by defining `%_legacy_common_support`. it is possible to add `-fcommon` to the flags by defining `%_legacy_common_support`.
%define _legacy_common_support 1 %global _legacy_common_support 1
Properly fixing the failure is always preferred! Properly fixing the failure is always preferred!
### Package note on ELF objects
A note that describes the package name, version, and architecture is
inserted via a linker script (`%_package_note_file`). The script is
generated when `%set_build_flags` is called. The linker option that
injects the linker script is added to `%{build_ldflags}` via the
`%{_package_note_flags}` macro.
To opt out of the use of this feature completely, the best way is to
undefine the first macro. Include this in the spec file:
%undefine _package_note_file
The other macros can be undefined too to replace parts of the functionality.
If `%_generate_package_note_file` is undefined, the linker script will not
be generated, but the link flags may still refer to it. This may be useful
if the default generation method is insufficient and a different mechanism
will be used to generate `%_package_note_file`. If `%_package_note_flags`
is undefined, the linker argument that injects the script will not be added
to `%build_ldfags`, but the linker script would still be generated.
### Frame pointers
Frame pointers will be included by default via the `%_include_frame_pointers`
macro. To opt out, the best way is to undefine the macro. Include this in the
spec file:
%undefine _include_frame_pointers
Note that opting out might still result in frame pointers being included on
architectures where they are part of the ABI (e.g. aarch64) depending on
compiler defaults.
### Post-build ELF object processing ### Post-build ELF object processing
By default, DWARF debugging information is separated from installed By default, DWARF debugging information is separated from installed
@ -301,6 +455,8 @@ These steps can be skipped by undefining the corresponding macros:
are loadable immediately after installation, even if they are not yet are loadable immediately after installation, even if they are not yet
listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been
invoked yet). invoked yet).
* `__brp_remove_la_files`: This step removes libtool-generated `.la`
files from the installed files.
# Individual compiler flags # Individual compiler flags
@ -309,7 +465,8 @@ Compiler flags end up in the environment variables `CFLAGS`,
The general (architecture-independent) build flags are: The general (architecture-independent) build flags are:
* `-O2`: Turn on various GCC optimizations. See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#index-O2). * `-O2`: Turn on various GCC optimizations. See the
[GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#index-O2).
Optimization improves performance, the accuracy of warnings, and the Optimization improves performance, the accuracy of warnings, and the
reach of toolchain-based hardening, but it makes debugging harder. reach of toolchain-based hardening, but it makes debugging harder.
* `-g`: Generate debugging information (DWARF). In Fedora, this data * `-g`: Generate debugging information (DWARF). In Fedora, this data
@ -321,22 +478,19 @@ The general (architecture-independent) build flags are:
compilation performance. (This does not affect code generation.) compilation performance. (This does not affect code generation.)
* `-Wall`: Turn on various GCC warnings. * `-Wall`: Turn on various GCC warnings.
See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wall). See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wall).
* `-Wno-complain-wrong-lang`: Do not warn about front end mismatches
(e.g, using `-Werror=format-security` with Fortran). Only included
in `%optflags`, and not the front-end-specific `%build_*` macros.
* `-Werror=format-security`: Turn on format string warnings and treat * `-Werror=format-security`: Turn on format string warnings and treat
them as errors. them as errors.
See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-security). See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-security).
This can occasionally result in compilation errors. In this case, This can occasionally result in compilation errors. In that case,
the best option is to rewrite the source code so that only constant the best option is to rewrite the source code so that only constant
format strings (string literals) are used. format strings (string literals) are used.
* `-Wp,-D_FORTIFY_SOURCE=2`: Source fortification activates various * Other `-Werror=` options. See **Controlling C Type Safety**.
hardening features in glibc: * `-U_FORTIFY_SOURCE, -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3`:
* String functions such as `memcpy` attempt to detect buffer lengths See the Source Fortification section above and the `%_fortify_level`
and terminate the process if a buffer overflow is detected. override.
* `printf` format strings may only contain the `%n` format specifier
if the format string resides in read-only memory.
* `open` and `openat` flags are checked for consistency with the
presence of a *mode* argument.
* Plus other minor hardening changes.
(These changes can occasionally break valid programs.)
* `-fexceptions`: Provide exception unwinding support for C programs. * `-fexceptions`: Provide exception unwinding support for C programs.
See the [`-fexceptions` option in the GCC See the [`-fexceptions` option in the GCC
manual](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions) manual](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions)
@ -353,7 +507,8 @@ The general (architecture-independent) build flags are:
asynchronous cancellation and proper unwinding from signal asynchronous cancellation and proper unwinding from signal
handlers. It also makes performance and debugging tools more handlers. It also makes performance and debugging tools more
useful because unwind information is available without having to useful because unwind information is available without having to
install (and load) debugging information. install (and load) debugging information. (Not enabled on armhfp
due to architectural differences in stack management.)
* `-Wp,-D_GLIBCXX_ASSERTIONS`: Enable lightweight assertions in the * `-Wp,-D_GLIBCXX_ASSERTIONS`: Enable lightweight assertions in the
C++ standard library, such as bounds checking for the subscription C++ standard library, such as bounds checking for the subscription
operator on vectors. (This flag is added to both `CFLAGS` and operator on vectors. (This flag is added to both `CFLAGS` and
@ -370,7 +525,8 @@ The general (architecture-independent) build flags are:
vulnerabilities can result where the stack overlaps with the heap, vulnerabilities can result where the stack overlaps with the heap,
or thread stacks spill into other regions of memory.) This flag is or thread stacks spill into other regions of memory.) This flag is
fully ABI-compatible and has adds very little run-time overhead. fully ABI-compatible and has adds very little run-time overhead.
This flag is currently not available on aarch64 with the `clang` toolchain. This flag is currently not available on armhfp (both `gcc` and `clang`
toolchains) and on aarch64 with the `clang` toolchain.
* `-flto=auto`: Enable link-time optimization (LTO), using `make` job server * `-flto=auto`: Enable link-time optimization (LTO), using `make` job server
integration for parallel processing. (`gcc` toolchain only) integration for parallel processing. (`gcc` toolchain only)
* `-ffat-lto-objects`: Generate EFL object files which contain both * `-ffat-lto-objects`: Generate EFL object files which contain both
@ -410,7 +566,14 @@ objects](https://fedoraproject.org/wiki/Toolchain/Watermark) using
annobin, the `-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1` flag is annobin, the `-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1` flag is
added by default (with the `gcc` toolchain). This can be switched off added by default (with the `gcc` toolchain). This can be switched off
by undefining the `%_annotated_build` RPM macro (see above). Binary by undefining the `%_annotated_build` RPM macro (see above). Binary
watermarks are currently disabled with the `clang` toolchain. watermarks are currently disabled on armhpf, and with the `clang`
toolchain.
If frame pointers are enabled by default (via `%_include_frame_pointers`),
the `-fno-omit-frame-pointer` will be added on all architectures except i686
and s390x. Additional flags will be added on specific architectures:
* `-mno-omit-leaf-frame-pointer` on x86_64 and aarch64
### Architecture-specific compiler flags ### Architecture-specific compiler flags
@ -418,7 +581,9 @@ These compiler flags are enabled for all builds (hardened/annotated or
not), but their selection depends on the architecture: not), but their selection depends on the architecture:
* `-fcf-protection`: Instrument binaries to guard against * `-fcf-protection`: Instrument binaries to guard against
ROP/JOP attacks. Used on i686 and x86_64. ROP/JOP exploitation techniques. Used on x86_64.
* `-mbranch-protection=standard`: Instrument binaries to guard against
ROP/JOP exploitation techniques. Used on aarch64.
* `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
the same compilation. For such architectures, the RPM build process the same compilation. For such architectures, the RPM build process
explicitly selects the architecture variant by passing this compiler explicitly selects the architecture variant by passing this compiler
@ -427,28 +592,42 @@ not), but their selection depends on the architecture:
In addition, `redhat-rpm-config` re-selects the built-in default In addition, `redhat-rpm-config` re-selects the built-in default
tuning in the `gcc` package. These settings are: tuning in the `gcc` package. These settings are:
* **armhfp**: `-march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard`
selects an Arm subarchitecture based on the ARMv7-A architecture
with 16 64-bit floating point registers. `-mtune=cortex-8a` selects
tuning for the Cortex-A8 implementation (while preserving
compatibility with other ARMv7-A implementations).
`-mabi=aapcs-linux` switches to the AAPCS ABI for GNU/Linux.
* **i686**: `-march=i686` is used to select a minmum support CPU level * **i686**: `-march=i686` is used to select a minmum support CPU level
of i686 (corresponding to the Pentium Pro). SSE2 support is of i686 (corresponding to the Pentium Pro). SSE2 support is enabled
enabled with `-msse2` (so only CPUs with SSE2 support can run the with `-msse2` (so only CPUs with SSE2 support can run the compiled
compiled code; SSE2 was introduced first with the Pentium 4). code; SSE2 was introduced first with the Pentium 4).
`-mtune=generic` activates tuning for a current blend of CPUs `-mtune=generic` activates tuning for a current blend of CPUs (under
(under the assumption that most users of i686 packages obtain them the assumption that most users of i686 packages obtain them through
through an x86_64 installation on current hardware). an x86_64 installation on current hardware). `-mfpmath=sse`
`-mfpmath=sse` instructs GCC to use the SSE2 unit for floating instructs GCC to use the SSE2 unit for floating point math to avoid
point math to avoid excess precision issues. `-mstackrealign` excess precision issues. `-mstackrealign` avoids relying on the
avoids relying on the stack alignment guaranteed by the current stack alignment guaranteed by the current version of the i386 ABI.
version of the i386 ABI. * **ppc64le**: `-mcpu=power9 -mtune=power10` selects a minimum
* **ppc64le**: `-mcpu=power9 -mtune=power9` selects a minimum supported supported CPU level of POWER9 and tunes for POWER10.
CPU level of POWER9.
* **s390x**: `-march=z14 -mtune=z15` specifies a minimum supported CPU * **s390x**: `-march=z14 -mtune=z15` specifies a minimum supported CPU
level of z14, while optimizing for a subsequent CPU generation level of z14, while optimizing for a subsequent CPU generation
(z15). (z15).
* **x86_64**: `-march=x86-64-v2 -mtune=generic` builds for the * **x86_64**: `-march=x86-64-v3 -mtune=generic` builds for the
[x86-64-v2 micro-architecture level](https://gitlab.com/x86-psABIs/x86-64-ABI/-/blob/master/x86-64-ABI/low-level-sys-info.tex) [x86-64-v3 micro-architecture level](https://gitlab.com/x86-psABIs/x86-64-ABI/-/blob/master/x86-64-ABI/low-level-sys-info.tex)
and selects tuning which is expected to beneficial for a broad range and selects tuning which is expected to beneficial for a broad range
of current CPUs. of current CPUs.
With the GCC toolchain, TLS descriptors are enabled using
`-mtls-dialect=gnu2`.
* **aarch64** does not have any architecture-specific tuning. * **aarch64** does not have any architecture-specific tuning.
### Vala-specific compiler flags
* `-g`: causes valac to emit `#line` directives in the generated C
source code. This improves backtrace generation by causing gdb to
point to Vala source file and line number instead of the generated C
source when possible.
# Individual linker flags # Individual linker flags
Linker flags end up in the environment variable `LDFLAGS`. Linker flags end up in the environment variable `LDFLAGS`.
@ -467,14 +646,16 @@ to the compiler driver `gcc`, and not directly to the link editor
for shared objects that actually provide symbols required by the link. for shared objects that actually provide symbols required by the link.
Shared objects which are not needed to fulfill symbol dependencies Shared objects which are not needed to fulfill symbol dependencies
are essentially ignored due to this flag. are essentially ignored due to this flag.
* `-z pack-relative-relocs`: Use the portable `DT_RELR` scheme for
relative relocations, resulting in reduced startup time compared to
legacy architecture-specific relocations. (`-z pack-relative-relocs`
is currently disabled on aarch64 and s390x due to toolchain limitations.)
* `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols * `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols
(optional, see above). (optional, see above).
For hardened builds, the For hardened builds, some more linker options are added to the
`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld` flag is added to the compiler driver command line. These can be disabled by undefining the
compiler driver command line. (This can be disabled by undefining the `%_hardened_build` macro - see above.
`%_hardened_build` macro; see above) This activates the following
linker flags:
* `-pie`: Produce a PIE binary. This is only activated for the main * `-pie`: Produce a PIE binary. This is only activated for the main
executable, and only if it is dynamically linked. This requires executable, and only if it is dynamically linked. This requires
@ -483,6 +664,10 @@ linker flags:
By itself, `-pie` has only a slight performance impact because it By itself, `-pie` has only a slight performance impact because it
disables some link editor optimization, however the `-fPIE` compiler disables some link editor optimization, however the `-fPIE` compiler
flag has some overhead. flag has some overhead.
Note: this option is added via adding a spec file to the compiler
driver command line (`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld`)
rather than using the `-Wl` mechanism mentioned above. As a result
this option is only enabled if the compiler driver is gcc.
* `-z now`: Disable lazy binding and turn on the `BIND_NOW` dynamic * `-z now`: Disable lazy binding and turn on the `BIND_NOW` dynamic
linker feature. Lazy binding involves an array of function pointers linker feature. Lazy binding involves an array of function pointers
which is writable at run time (which could be overwritten as part of which is writable at run time (which could be overwritten as part of
@ -490,6 +675,34 @@ linker flags:
preferable to turn of lazy binding, although it increases startup preferable to turn of lazy binding, although it increases startup
time. time.
In addition hardened builds default to converting a couple of linker
warning messages into errors, because they represent potential
missed hardening opportunities, and warnings in the linker's output are
often ignored. This behaviour can be turned off by undefining the
`%_hardened_build` macro as mentioned above, or by undefining the
`%_hardened_linker_errors` macro. The linker options enabled by this
feature are:
* `--error-rwx-segments`: Generates an error if an output binary would
contain a loadable memory segment with read, write and execute
permissions. It will also generate an error if a thread local
storage (TLS) segment is created with execute permission. The
error can be disabled on an individual basis by adding the
`--no-warn-rwx-segments` option to the linker command line.
* `--error-execstack`: Generates an error if an output binary would
contain a stack that is held in memory with execute permission.
If a binary is being intentionally created with an executable stack
then the linker command line option `-z execstack` can be used to
indicate this.
Note: these options are added via a spec file on the compiler driver
command line (`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors`)
rather than using the `-Wl` mechanism mentioned above. As a result
these options are only enabled if the compiler driver is gcc. In
addition the spec file only adds the options if the `-fuse-ld=...`
option has not been enabled. This prevents the options from being
used when the gold or lld linkers are enabled.
# Support for extension builders # Support for extension builders
Some packages include extension builders that allow users to build Some packages include extension builders that allow users to build
@ -506,16 +719,11 @@ with such toolchains.
The macros `%{extension_cflags}`, `%{extension_cxxflags}`, The macros `%{extension_cflags}`, `%{extension_cxxflags}`,
`%{extension_fflags}`, `%{extension_ldflags}` contain a subset of `%{extension_fflags}`, `%{extension_ldflags}` contain a subset of
flags that have been adjusted for compatibility with alternative flags that have been adjusted for compatibility with alternative
toolchains, while still preserving some of the compile-time security toolchains.
hardening that the standard Fedora build flags provide.
The current set of differences are:
* No GCC plugins (such as annobin) are activated.
* No GCC spec files (`-specs=` arguments) are used.
Additional flags may be removed in the future if they prove to be Currently the -fexceptions and -fcf-protection flags are preserved
incompatible with alternative toolchains. for binary compatibility with the languages the extensions are
built against.
Extension builders should detect whether they are performing a regular Extension builders should detect whether they are performing a regular
RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this

1614
SOURCES/config.guess vendored

File diff suppressed because it is too large Load Diff

2318
SOURCES/config.sub vendored

File diff suppressed because it is too large Load Diff

@ -25,7 +25,7 @@ function check_rhl {
} }
function check_rhel { function check_rhel {
egrep -q "(Enterprise|Advanced|CentOS)" $RELEASEFILE && echo $DISTNUM grep -Eq "(Enterprise|Advanced|CentOS)" $RELEASEFILE && echo $DISTNUM
} }
function check_fedora { function check_fedora {

@ -30,7 +30,7 @@ done
is_kmod=1 is_kmod=1
for f in $filelist; do for f in $filelist; do
if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*)\.ko(\.gz|\.bz2|\.xz)?$:\2:p') ] if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*).ko$:\2:p') ]
then then
is_kernel=1; is_kernel=1;
fi fi

@ -22,7 +22,7 @@ filelist=`sed "s/[]['\"*?{}]/\\\\\&/g"`
unset is_kmod unset is_kmod
for f in $filelist; do for f in $filelist; do
if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*)\.ko(\.gz|\.bz2|\.xz)?$:\2:p') ] if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*).ko$:\2:p') ]
then then
is_kmod=1; is_kmod=1;
elif [ $(echo "$f" | sed -r -ne 's:^.*/boot/(.*):\1:p') ] elif [ $(echo "$f" | sed -r -ne 's:^.*/boot/(.*):\1:p') ]

@ -1,312 +0,0 @@
-- Lua code used by macros.forge and derivatives
-- Computes the suffix of a version string, removing vprefix if it matches
-- For example with vprefix 1.2.3: 1.2.3.rc2 → .rc2 but 1.2.30 → 1.2.30 not 0
local function getversionsuffix(vstring,vprefix)
if (string.sub(vstring, 1, #vprefix) == vprefix) and
(not string.match(string.sub(vstring, #vprefix + 1), "^%.?%d")) then
return string.sub(vstring, #vprefix + 1)
else
return vstring
end
end
-- Check if an identified url is sane
local function checkforgeurl(url, id, silent)
local checkedurl = nil
local checkedid = nil
local urlpatterns = {
gitlab = {
pattern = 'https://[^/]+/[^/]+/[^/#?]+',
description = 'https://(…[-.])gitlab[-.]…/owner/repo'},
pagure = {
pattern = 'https://[^/]+/[^/#?]+',
description = 'https://pagure.io/repo'},
pagure_ns = {
pattern = 'https://[^/]+/[^/]+/[^/#?]+',
description = 'https://pagure.io/namespace/repo'},
pagure_fork = {
pattern = 'https://[^/]+/fork/[^/]+/[^/#?]+',
description = 'https://pagure.io/fork/owner/repo'},
pagure_ns_fork = {
pattern = 'https://[^/]+/fork/[^/]+/[^/]+/[^/#?]+',
description = 'https://pagure.io/fork/owner/namespace/repo'},
["gitea.com"] = {
pattern = 'https://[^/]+/[^/]+/[^/#?]+',
description = 'https://gitea.com/owner/repo'},
github = {
pattern = 'https://[^/]+/[^/]+/[^/#?]+',
description = 'https://(…[-.])github[-.]…/owner/repo'},
["code.googlesource.com"] = {
pattern = 'https://code.googlesource.com/[^#?]*[^/#?]+',
description = 'https://code.googlesource.com/…/repo'},
["bitbucket.org"] = {
pattern = 'https://[^/]+/[^/]+/[^/#?]+',
description = 'https://bitbucket.org/owner/repo'}}
if (urlpatterns[id] ~= nil) then
checkedurl = string.match(url,urlpatterns[id]["pattern"])
if (checkedurl == nil) then
if not silent then
rpm.expand("%{error:" .. id .. " URLs must match " .. urlpatterns[id]["description"] .. " !}")
end
else
checkedid = id
end
end
return checkedurl, checkedid
end
-- Check if an url matches a known forge
local function idforge(url, silent)
local forgeurl = nil
local forge = nil
if (url ~= "") then
forge = string.match(url, "^[^:]+://([^/]+)/")
if (forge == nil) then
if not silent then
rpm.expand("%{error:URLs must include a protocol such as https:// and a path starting with / !}")
end
else
if (forge == "pagure.io") then
if string.match(url, "[^:]+://pagure.io/fork/[^/]+/[^/]+/[^/]+") then
forge = "pagure_ns_fork"
elseif string.match(url, "[^:]+://pagure.io/fork/[^/]+/[^/]+") then
forge = "pagure_fork"
elseif string.match(url, "[^:]+://pagure.io/[^/]+/[^/]+") then
forge = "pagure_ns"
elseif string.match(url, "[^:]+://pagure.io/[^/]+") then
forge = "pagure"
end
elseif (string.match(forge, "^gitlab[%.-]") or string.match(forge, "[%.-]gitlab[%.]")) then
forge = "gitlab"
elseif (string.match(forge, "^github[%.-]") or string.match(forge, "[%.-]github[%.]")) then
forge = "github"
end
forgeurl, forge = checkforgeurl(url, forge, silent)
end
end
return forgeurl, forge
end
-- The forgemeta macro main processing function
-- See the documentation in the macros.forge file for argument description
-- Also called directly by gometa
local function meta(suffix, verbose, informative, silent)
local fedora = require "fedora.common"
local ismain = (suffix == "") or (suffix == "0")
if ismain then
fedora.zalias({"forgeurl", "forgesource", "forgesetupargs",
"archivename", "archiveext", "archiveurl",
"topdir", "extractdir", "repo", "owner", "namespace",
"scm", "tag", "commit", "shortcommit", "branch", "version",
"date", "distprefix"}, verbose)
end
local variables = {
default = {
scm = "git",
archiveext = "tar.bz2",
repo = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "^[^:]+://[^/]+/[^/]+/([^/?#]+)"))}',
archivename = "%{repo" .. suffix .. "}-%{ref" .. suffix .. "}",
topdir = "%{archivename" .. suffix .. "}" },
gitlab = {
archiveurl = "%{forgeurl" .. suffix .. "}/-/archive/%{ref" .. suffix .. "}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "}" },
pagure = {
archiveext = "tar.gz",
repo = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "^[^:]+://[^/]+/([^/?#]+)"))}',
archiveurl = "%{forgeurl" .. suffix .. "}/archive/%{ref" .. suffix .. "}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "}" },
pagure_ns = {
archiveext = "tar.gz",
namespace = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "^[^:]+://[^/]+/([^/]+)/[^/?#]+"))}',
repo = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "^[^:]+://[^/]+/[^/]+/([^/?#]+)"))}',
archivename = "%{namespace" .. suffix .. "}-%{repo" .. suffix .. "}-%{ref" .. suffix .. "}",
archiveurl = "%{forgeurl" .. suffix .. "}/archive/%{ref" .. suffix .. "}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "}" },
pagure_fork = {
archiveext = "tar.gz",
owner = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "https://[^/]+/fork/([^/]+)/[^/?#]+"))}',
repo = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "https://[^/]+/fork/[^/]+/([^/?#]+)"))}',
archivename = "%{owner" .. suffix .. "}-%{repo" .. suffix .. "}-%{ref" .. suffix .. "}",
archiveurl = "%{forgeurl" .. suffix .. "}/archive/%{ref" .. suffix .. "}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "}" },
pagure_ns_fork = {
owner = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "https://[^/]+/fork/([^/]+)/[^/]+/[^/?#]+"))}',
namespace = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "https://[^/]+/fork/[^/]+/([^/]+)/[^/?#]+")}',
repo = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "https://[^/]+/fork/[^/]+/[^/]+/([^/?#]+)")}',
archivename = "%{owner" .. suffix .. "}-%{namespace" .. suffix .. "}-%{repo" .. suffix .. "}-%{ref" .. suffix .. "}",
archiveurl = "%{forgeurl" .. suffix .. "}/archive/%{ref" .. suffix .. "}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "}" },
["gitea.com"] = {
archiveext = "tar.gz",
archivename = "%{fileref" .. suffix .. "}",
archiveurl = "%{forgeurl" .. suffix .. "}/archive/%{ref" .. suffix .. "}.%{archiveext" .. suffix .. "}",
topdir = "%{repo}" },
github = {
archiveext = "tar.gz",
archivename = "%{repo" .. suffix .. "}-%{fileref" .. suffix .. "}",
archiveurl = "%{forgeurl" .. suffix .. "}/archive/%{ref" .. suffix .. "}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "}" },
["code.googlesource.com"] = {
archiveext = "tar.gz",
repo = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "^[^:]+://.+/([^/?#]+)"))}',
archiveurl = "%{forgeurl" .. suffix .. "}/+archive/%{ref" .. suffix .. "}.%{archiveext" .. suffix .. "}",
topdir = "" },
["bitbucket.org"] = {
shortcommit = '%{lua:print(string.sub(rpm.expand("%{commit' .. suffix .. '}"), 1, 12))}',
owner = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "^[^:]+://[^/]+/([^/?#]+)"))}',
archivename = "%{owner" .. suffix .. "}-%{repo" .. suffix .. "}-%{shortcommit" .. suffix .. "}",
archiveurl = "%{forgeurl" .. suffix .. "}/get/%{ref" .. suffix .. "}.%{archiveext" .. suffix .. "}" } }
-- Packaging a moving branch is quite a bad idea, but since at least Gitlab
-- will treat branches and tags the same way better support branches explicitly
-- than have packagers hijack %{tag} to download branch states
local spec = {}
for _, v in ipairs({'forgeurl','tag','commit','branch','version'}) do
spec[v] = rpm.expand("%{?" .. v .. suffix .. "}")
end
-- Compute the reference of the object to fetch
local isrelease = false
if (spec["tag"] ~= "") then ref = "%{?tag" .. suffix .. "}"
elseif (spec["commit"] ~= "") then ref = "%{?commit" .. suffix .. "}"
elseif (spec["branch"] ~= "") then ref = "%{?branch" .. suffix .. "}"
else ref = "%{?version" .. suffix .. "}"
isrelease = true
end
if (rpm.expand(ref) == "") then
if (suffix == "") then
rpm.expand("%{error:You need to define Version:, %{commit} or %{tag} before the macro invocation !}")
else
rpm.expand("%{error:You need to define %{version" .. suffix .. "}, %{commit" .. suffix .. "} or %{tag" .. suffix .. "} before the macro invocation !}")
end
end
local forgeurl = spec["forgeurl"]
-- For backwards compatibility only
local expliciturl = rpm.expand("%{?-u*}")
if (expliciturl ~= "") then
rpm.expand("%{warn:-u use in %%forgemeta is deprecated, use -z instead to select a separate set of rpm variables!}")
forgeurl = expliciturl
end
local forge
forgeurl, forge = idforge(forgeurl, silent)
if (forge ~= nil) then
fedora.explicitset("forgeurl" .. suffix, forgeurl, verbose)
-- Custom processing of quirky forges that can not be handled with simple variables
if (forge == "github") then
-- Workaround the way GitHub injects "v"s before some version strings (but not all!)
-- To package one of the minority of sane GitHub projects that do not munge their version
-- strings set tag to %{version} in your spec
local fileref = ref
if (ref == "%{?version" .. suffix .. "}") then
ref = "v" .. ref
elseif (fileref ~= "%{?commit" .. suffix .. "}") and
string.match(rpm.expand(fileref), "^v[%d]") then
fileref = string.gsub(rpm.expand(fileref), "^v", "")
elseif (string.match(rpm.expand(fileref), "/")) then
fileref = string.gsub(rpm.expand(fileref), "/", "-")
end
fedora.safeset("fileref" .. suffix, fileref, verbose)
elseif (forge == "gitea.com") then
-- Workaround the way gitea mangles /s in ref names
local fileref = ref
fileref = string.gsub(rpm.expand(fileref), "/", "-")
fedora.safeset("fileref" .. suffix, fileref, verbose)
elseif (forge == "code.googlesource.com") then
if (ref == "%{?version" .. suffix .. "}") then
ref = "v" .. ref
end
elseif (forge == "bitbucket.org") then
if (spec["commit"] == "") then
rpm.expand("%{error:All BitBucket URLs require commit value knowledge: you need to define %{commit}!}")
end
end
fedora.safeset("ref" .. suffix, ref, verbose)
-- Mass setting of the remaining variables
for k,v in pairs(variables[forge]) do
fedora.safeset(k .. suffix, variables[forge][k], verbose)
end
for k,v in pairs(variables["default"]) do
if (variables[forge][k] == nil) then
fedora.safeset(k .. suffix, variables["default"][k], verbose)
end
end
end
-- Generic rules
for _, v in ipairs({'archiveurl','archivename','archiveext','topdir'}) do
spec[v] = rpm.expand("%{?" .. v .. suffix .. "}")
end
-- Source URL processing (computing the forgesource spec variable)
local forgesource = "%{archiveurl" .. suffix .. "}"
if (string.match(spec["archiveurl"], "/([^/]+)$") ~= spec["archivename"] .. "." .. spec["archiveext"]) then
forgesource = "%{?archiveurl" .. suffix .. "}#/%{?archivename" .. suffix .. "}.%{archiveext" .. suffix .. "}"
end
fedora.safeset("forgesource" .. suffix, forgesource, verbose)
-- Setup processing (computing the forgesetup and extractdir variables)
local forgesetupargs = "-n %{extractdir" .. suffix .. "}"
local extractdir = "%{topdir" .. suffix .. "}"
if (spec["topdir"] == "") then
forgesetupargs = "-c " .. forgesetupargs
extractdir = "%{archivename" .. suffix .. "}"
end
if not ismain then
if (spec["topdir"] ~= "") then
forgesetupargs = "-T -D -b " .. suffix .. " " .. forgesetupargs
else
forgesetupargs = "-T -D -a " .. suffix .. " " .. forgesetupargs
end
end
fedora.safeset("forgesetupargs" .. suffix, forgesetupargs, verbose)
fedora.safeset("extractdir" .. suffix, extractdir, verbose)
-- dist processing (computing the correct prefix for snapshots)
local distprefix = ""
if not isrelease then
distprefix = string.lower(rpm.expand(ref))
if (ref == "%{?commit" .. suffix .. "}") then
distprefix = string.sub(distprefix, 1, 7)
elseif (ref ~= "%{?branch" .. suffix .. "}") then
distprefix = string.gsub(distprefix, "[%p%s]+", ".")
distprefix = string.gsub(distprefix, "^" .. string.lower(rpm.expand("%{?repo}")) .. "%.?", "")
local v = string.gsub(rpm.expand("%{version}"), "[%p%s]+", ".")
for _, p in ipairs({'','v','v.','version','version.','tags.v', 'tags.v.'}) do
distprefix = getversionsuffix(distprefix, p .. v)
end
distprefix = string.gsub(distprefix, "^%.", "")
end
if (distprefix ~= "") then
distprefix = "%{scm" .. suffix .. "}" .. distprefix
date = rpm.expand("%{?date" .. suffix .. "}")
if (date ~= "") then
distprefix = date .. distprefix
else
distprefix = "%([ -r %{_sourcedir}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "} ] && date +%Y%m%d -u -r %{_sourcedir}/%{archivename" .. suffix .. "}.%{archiveext" .. suffix .. "})" .. distprefix
end
distprefix = "." .. distprefix
end
end
if (spec["version"] ~= "") and
(spec["version"] ~= "0") and
(spec["version"] ~= rpm.expand("%{?version}")) then
distprefix = ".%{version" .. suffix .. "}" .. distprefix
end
if (rpm.expand(distprefix) ~= "") then
if not ismain then
distprefix = string.gsub(distprefix, "^%.", ".s")
end
fedora.safeset ("distprefix" .. suffix, distprefix, verbose)
end
if ismain then
fedora.zalias({"forgeurl", "forgesource", "forgesetupargs",
"archivename", "archiveext", "archiveurl",
"topdir", "extractdir", "repo", "owner", "namespace",
"scm", "shortcommit", "distprefix"}, verbose)
end
-- Final spec variable summary if the macro was called with -i
if informative then
rpm.expand("%{echo:Packaging variables read or set by %%forgemeta}")
fedora.echovars({"forgeurl", "forgesource", "forgesetupargs",
"archivename", "archiveext", "archiveurl",
"topdir", "extractdir", "repo", "owner", "namespace",
"scm", "tag", "commit", "shortcommit", "branch", "version",
"date", "distprefix"}, suffix)
fedora.echovars({"dist"},"")
rpm.expand("%{echo: (snapshot date is either manually supplied or computed once %%{_sourcedir}/%%{archivename" .. suffix .. "}.%%{archiveext" .. suffix .. "} is available)}")
end
end
return {
meta = meta,
}

@ -5,7 +5,7 @@
# This material is provided as is, with absolutely no warranty expressed # This material is provided as is, with absolutely no warranty expressed
# or implied. Any use is at your own risk. # or implied. Any use is at your own risk.
# #
# Permission is hereby granted to use or copy this shellscript # Permission is hereby granted to use or copy this program
# for any purpose, provided the above notices are retained on all copies. # for any purpose, provided the above notices are retained on all copies.
# Permission to modify the code and to distribute modified code is granted, # Permission to modify the code and to distribute modified code is granted,
# provided the above notices are retained, and a notice that the code was # provided the above notices are retained, and a notice that the code was

@ -12,6 +12,7 @@
# from the defaults. # from the defaults.
# #
%_localstatedir /var %_localstatedir /var
%_runstatedir /run
%_pkgdocdir %{_docdir}/%{name} %_pkgdocdir %{_docdir}/%{name}
%_docdir_fmt %%{NAME} %_docdir_fmt %%{NAME}
@ -19,6 +20,7 @@
%_fmoddir %{_libdir}/gfortran/modules %_fmoddir %{_libdir}/gfortran/modules
%source_date_epoch_from_changelog 1 %source_date_epoch_from_changelog 1
%clamp_mtime_to_source_date_epoch %source_date_epoch_from_changelog
%_enable_debug_packages 1 %_enable_debug_packages 1
%_include_minidebuginfo 1 %_include_minidebuginfo 1
@ -43,55 +45,88 @@
%__cxx %{expand:%%{__cxx_%{toolchain}}} %__cxx %{expand:%%{__cxx_%{toolchain}}}
%__cpp %{expand:%%{__cpp_%{toolchain}}} %__cpp %{expand:%%{__cpp_%{toolchain}}}
# Compiler macros to use for invoking compilers in spec files for packages that
# want to use the default compiler and don't care which compiler that is.
%build_cc %{__cc}
%build_cxx %{__cxx}
%build_cpp %{__cpp}
#============================================================================== #==============================================================================
# ---- compiler flags. # ---- compiler flags.
# C compiler flags. This is traditionally called CFLAGS in makefiles. # C compiler flags. This is traditionally called CFLAGS in makefiles.
# Historically also available as %%{optflags}, and %%build sets the # Historically also available as %%{optflags}, and %%build sets the
# environment variable RPM_OPT_FLAGS to this value. # environment variable RPM_OPT_FLAGS to this value.
%build_cflags %{optflags} %build_cflags %{__build_flags_lang_c} %{?_distro_extra_cflags}
# C++ compiler flags. This is traditionally called CXXFLAGS in makefiles. # C++ compiler flags. This is traditionally called CXXFLAGS in makefiles.
%build_cxxflags %{optflags} %build_cxxflags %{__build_flags_lang_cxx} %{?_distro_extra_cxxflags}
# Fortran compiler flags. Makefiles use both FFLAGS and FCFLAGS as # Fortran compiler flags. Makefiles use both FFLAGS and FCFLAGS as
# the corresponding variable names. # the corresponding variable names.
%build_fflags %{optflags} -I%{_fmoddir} %build_fflags %{__build_flags_common} -I%{_fmoddir} %{?_distro_extra_fflags}
# Vala compiler flags. This is used to set VALAFLAGS.
%build_valaflags -g
# When clang is used as a linker driver, it does not auto-detect the LTO
# bytecode and neither does bfd, so we need to explicitly pass the -flto
# flag when linking.
%_clang_extra_ldflags %{?_lto_cflags}
# Link editor flags. This is usually called LDFLAGS in makefiles. # Link editor flags. This is usually called LDFLAGS in makefiles.
# (Some makefiles use LFLAGS instead.) The default value assumes that # (Some makefiles use LFLAGS instead.) The default value assumes that
# the flags, while intended for ld, are still passed through the gcc # the flags, while intended for ld, are still passed through the gcc
# compiler driver. At the beginning of %%build, the environment # compiler driver. At the beginning of %%build, the environment
# variable RPM_LD_FLAGS to this value. # variable RPM_LD_FLAGS to this value.
# When clang is used as a linker driver, it does not auto-detect the LTO %build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_ld_pack_relocs_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_clang_extra_ldflags}" : "" ] %{_build_id_flags} %{?_package_note_flags} %{?_distro_extra_ldflags}
# bytecode and neither does bfd, so we need to explicitly pass the -flto
# flag when linking.
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ]
# Expands to shell code to set the compiler/linker environment # Expands to shell code to set the compiler/linker environment
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have # variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, VALAFLAGS, LDFLAGS if they
# not been set already. RPM_OPT_FLAGS and RPM_LD_FLAGS have already # have not been set already. RPM_OPT_FLAGS and RPM_LD_FLAGS have already
# been set implicitly at the start of the %%build section. # been set implicitly at the start of the %%build section.
# LT_SYS_LIBRARY_PATH is used by libtool script. # LT_SYS_LIBRARY_PATH is used by libtool script.
# RUSTFLAGS is only set when %%{build_rustflags} is available.
%set_build_flags \ %set_build_flags \
CFLAGS="${CFLAGS:-%{build_cflags}}" ; export CFLAGS ; \ CFLAGS="${CFLAGS:-%{build_cflags}}" ; export CFLAGS ; \
CXXFLAGS="${CXXFLAGS:-%{build_cxxflags}}" ; export CXXFLAGS ; \ CXXFLAGS="${CXXFLAGS:-%{build_cxxflags}}" ; export CXXFLAGS ; \
FFLAGS="${FFLAGS:-%{build_fflags}}" ; export FFLAGS ; \ FFLAGS="${FFLAGS:-%{build_fflags}}" ; export FFLAGS ; \
FCFLAGS="${FCFLAGS:-%{build_fflags}}" ; export FCFLAGS ; \ FCFLAGS="${FCFLAGS:-%{build_fflags}}" ; export FCFLAGS ; \
VALAFLAGS="${VALAFLAGS:-%{build_valaflags}}" ; export VALAFLAGS ;%{?build_rustflags:
RUSTFLAGS="${RUSTFLAGS:-%{build_rustflags}}" ; export RUSTFLAGS ;} \
LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS ; \ LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS ; \
LT_SYS_LIBRARY_PATH="${LT_SYS_LIBRARY_PATH:-%_libdir:}" ; export LT_SYS_LIBRARY_PATH ; \ LT_SYS_LIBRARY_PATH="${LT_SYS_LIBRARY_PATH:-%_libdir:}" ; export LT_SYS_LIBRARY_PATH ; \
CC="${CC:-%{__cc}}" ; export CC ; \ CC="${CC:-%{__cc}}" ; export CC ; \
CXX="${CXX:-%{__cxx}}" ; export CXX CXX="${CXX:-%{__cxx}}" ; export CXX
# Automatically use set_build_flags macro for build, check, and
# install phases.
# Use "%undefine _auto_set_build_flags" to disable"
%_auto_set_build_flags 1
%__spec_build_pre %{___build_pre} \
%{?_auto_set_build_flags:%{set_build_flags}} \
%{?_generate_package_note_file}
%__spec_check_pre %{___build_pre} \
%{?_auto_set_build_flags:%{set_build_flags}} \
%{?_generate_package_note_file}
# Internal-only. Do not use. Expand a variable and strip the flags # Internal-only. Do not use. Expand a variable and strip the flags
# not suitable to extension builders. # not suitable to extension builders.
%__extension_strip_flags() %{lua: %__extension_strip_flags() %{lua:
--the only argument to this macro is the "name" of the flags we strip (e.g. cflags, ldflags, etc.)
local name = rpm.expand("%{1}") local name = rpm.expand("%{1}")
local value = " " .. rpm.expand("%{build_" .. name .. "}") --store all the individual flags in a variable as a continuous string
local specs_pattern = "%s+-specs=[^%s]+" local flags = rpm.expand("%{build_" .. name .. "}")
local lto_flags_pattern = rpm.expand("%{?_lto_cflags}"):gsub("[%-%.]", "%%%1") --create an empty table for the minimal set of flags we wanna preserve
local result = value:gsub(specs_pattern, " "):gsub(lto_flags_pattern, "") local stripped_flags = { }
print(result) --iterate over the individual flags and store the ones we want in the table as unique keys
for flag in flags:gmatch("%S+") do
if flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection") then
stripped_flags[flag] = true end
end
--print out the finalized set of flags for use by the extension builders
for k,_ in pairs(stripped_flags) do print(k .. " ") end
} }
# Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within # Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within
@ -110,13 +145,17 @@ print(result)
# Architecture-specific support. Internal. Do not use directly. # Architecture-specific support. Internal. Do not use directly.
%__cflags_arch_x86_64 %[0%{?rhel} >= 9 ? "-march=x86-64-v2" : ""] %__cflags_arch_x86_64_level %[0%{?rhel} == 9 ? "-v2" : ""]%[0%{?rhel} > 9 ? "-v3" : ""]
%__cflags_arch_x86_64 -march=x86-64%{?__cflags_arch_x86_64_level:%{__cflags_arch_x86_64_level}}
# -mtls-dialect=gnu2 is currently specific to GCC (#2263181).
%__cflags_arch_x86_64_common -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection %[ "%{toolchain}" == "gcc" ? "-mtls-dialect=gnu2 " : "" ]%{_frame_pointers_cflags} %{_frame_pointers_cflags_x86_64}
# Also used for s390. # Also used for s390.
%__cflags_arch_s390x %[0%{?rhel} >= 9 ? "-march=z14 -mtune=z15" : "-march=zEC12 -mtune=z13"] %__cflags_arch_s390x %[0%{?rhel} >= 9 ? "-march=z14 -mtune=z15" : "-march=z13 -mtune=z14"]
# Also used for ppc64le. %_ppc64le_tune_level %[0%{?rhel} >= 10 ? "-mtune=power10" : "-mtune=power9"]
%__cflags_arch_ppc64le %[0%{?rhel} >= 9 ? "-mcpu=power9 -mtune=power9" : "-mcpu=power8 -mtune=power8"] %__cflags_arch_ppc64le %[0%{?rhel} >= 9 ? "-mcpu=power9 %{_ppc64le_tune_level}" : "-mcpu=power8 -mtune=power8" ]
#============================================================================== #==============================================================================
# ---- configure and makeinstall. # ---- configure and makeinstall.
@ -129,6 +168,9 @@ print(result)
# way to turn it back off. # way to turn it back off.
# %_configure_disable_silent_rules 1 # %_configure_disable_silent_rules 1
# Pass --runstatedir to configure.
%_configure_use_runstatedir 1
# This fixes various easy resolved configure tests that are compromised by LTO. # This fixes various easy resolved configure tests that are compromised by LTO.
# #
# We use this within the standard %configure macro, but also make it available # We use this within the standard %configure macro, but also make it available
@ -192,6 +234,7 @@ print(result)
--libdir=%{_libdir} \\\ --libdir=%{_libdir} \\\
--libexecdir=%{_libexecdir} \\\ --libexecdir=%{_libexecdir} \\\
--localstatedir=%{_localstatedir} \\\ --localstatedir=%{_localstatedir} \\\
%{?_configure_use_runstatedir:$(grep -q "runstatedir=DIR" %{_configure} && echo '--runstatedir=%{_runstatedir}')} \\\
--sharedstatedir=%{_sharedstatedir} \\\ --sharedstatedir=%{_sharedstatedir} \\\
--mandir=%{_mandir} \\\ --mandir=%{_mandir} \\\
--infodir=%{_infodir} --infodir=%{_infodir}
@ -206,8 +249,9 @@ print(result)
%__spec_install_pre %{___build_pre}\ %__spec_install_pre %{___build_pre}\
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "${RPM_BUILD_ROOT}"\ [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "${RPM_BUILD_ROOT}"\
mkdir -p `dirname "$RPM_BUILD_ROOT"`\ mkdir -p "`dirname "$RPM_BUILD_ROOT"`"\
mkdir "$RPM_BUILD_ROOT"\ mkdir "$RPM_BUILD_ROOT"\
%{?_auto_set_build_flags:%{set_build_flags}}\
%{nil} %{nil}
#--------------------------------------------------------------------- #---------------------------------------------------------------------
@ -224,9 +268,7 @@ print(result)
%__brp_strip_lto /usr/lib/rpm/redhat/brp-strip-lto %{__strip} %__brp_strip_lto /usr/lib/rpm/redhat/brp-strip-lto %{__strip}
%__brp_strip_comment_note /usr/lib/rpm/brp-strip-comment-note %{__strip} %{__objdump} %__brp_strip_comment_note /usr/lib/rpm/brp-strip-comment-note %{__strip} %{__objdump}
%__brp_strip_static_archive /usr/lib/rpm/brp-strip-static-archive %{__strip} %__brp_strip_static_archive /usr/lib/rpm/brp-strip-static-archive %{__strip}
%__brp_python_bytecompile /usr/lib/rpm/redhat/brp-python-bytecompile "" "%{?_python_bytecompile_errors_terminate_build}" "%{?_python_bytecompile_extra}" %__brp_check_rpaths /usr/lib/rpm/check-rpaths
%__brp_fix_pyc_reproducibility /usr/lib/rpm/redhat/brp-fix-pyc-reproducibility
%__brp_python_hardlink /usr/lib/rpm/brp-python-hardlink
# __brp_mangle_shebangs_exclude - shebangs to exclude # __brp_mangle_shebangs_exclude - shebangs to exclude
# __brp_mangle_shebangs_exclude_file - file from which to get shebangs to exclude # __brp_mangle_shebangs_exclude_file - file from which to get shebangs to exclude
# __brp_mangle_shebangs_exclude_from - files to ignore # __brp_mangle_shebangs_exclude_from - files to ignore
@ -235,6 +277,10 @@ print(result)
%__brp_llvm_compile_lto_elf /usr/lib/rpm/redhat/brp-llvm-compile-lto-elf %{build_cflags} %{build_ldflags} %__brp_llvm_compile_lto_elf /usr/lib/rpm/redhat/brp-llvm-compile-lto-elf %{build_cflags} %{build_ldflags}
# note: %%__os_install_post_python is defined in python-srpm-macros and contains several policies
# redhat-rpm-config maintainers, don't remove it from %%__os_install_post unless coordinating the change with Python maintainers
# packagers, don't undefine the entire macro, see the individual macros in /usr/lib/rpm/macros.d/macros.python-srpm
%__os_install_post \ %__os_install_post \
%{?__brp_ldconfig} \ %{?__brp_ldconfig} \
%{?__brp_compress} \ %{?__brp_compress} \
@ -244,10 +290,10 @@ print(result)
} \ } \
%{?__brp_strip_lto} \ %{?__brp_strip_lto} \
%{?__brp_strip_static_archive} \ %{?__brp_strip_static_archive} \
%{?py_auto_byte_compile:%{?__brp_python_bytecompile}} \ %{?__brp_check_rpaths} \
%{?py_reproducible_pyc_path:%{?__brp_fix_pyc_reproducibility} "%{py_reproducible_pyc_path}"} \
%{?__brp_python_hardlink} \
%{?__brp_mangle_shebangs} \ %{?__brp_mangle_shebangs} \
%{?__brp_remove_la_files} \
%{__os_install_post_python} \
%{nil} %{nil}
%__spec_install_post\ %__spec_install_post\
@ -265,16 +311,6 @@ print(result)
# Should missing buildids terminate a build? # Should missing buildids terminate a build?
%_missing_build_ids_terminate_build 1 %_missing_build_ids_terminate_build 1
#
## Automatically compile python files
%py_auto_byte_compile 1
#
## Should python bytecompilation errors terminate a build?
%_python_bytecompile_errors_terminate_build 1
## Should python bytecompilation compile outisde python specific directories?
%_python_bytecompile_extra 0
# Use SHA-256 for FILEDIGESTS instead of default MD5 # Use SHA-256 for FILEDIGESTS instead of default MD5
%_source_filedigest_algorithm 8 %_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8 %_binary_filedigest_algorithm 8
@ -282,11 +318,26 @@ print(result)
# Use Zstandard compression for binary payloads # Use Zstandard compression for binary payloads
%_binary_payload w19.zstdio %_binary_payload w19.zstdio
#==============================================================================
# --- Compiler flags control.
#
# Please consult buildflags.md for parts that can be configured
# from RPM spec files.
%_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 %_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
%_hardening_clang_cflags --config /usr/lib/rpm/redhat/redhat-hardened-clang.cfg %_hardening_clang_cflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang.cfg
%_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}} -fstack-protector-strong %_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}} -fstack-protector-strong
# Have the linker generate errors instead of warnings for binaries that
# contain memory regions with both write and execute permissions.
# https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues
%_hardening_linker_errors %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors" : "" ]
%_hardened_linker_errors 1
# we don't escape symbols '~', '"', etc. so be careful when changing this # we don't escape symbols '~', '"', etc. so be careful when changing this
%_hardening_ldflags -Wl,-z,now %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ] %_hardening_gcc_ldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
%_hardening_clang_ldflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang-ld.cfg
%_hardening_ldflags -Wl,-z,now %{expand:%%{_hardening_%{toolchain}_ldflags}}
# Harden packages by default for Fedora 23+: # Harden packages by default for Fedora 23+:
# https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11) # https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11)
@ -297,16 +348,30 @@ print(result)
# Add extra information to binary objects created by the compiler: # Add extra information to binary objects created by the compiler:
# https://pagure.io/fesco/issue/1780 (accepted on 2017-10-30) # https://pagure.io/fesco/issue/1780 (accepted on 2017-10-30)
# ...except on armv7hl, which has an issue whose root-cause isn't
# clear yet: https://bugzilla.redhat.com/show_bug.cgi?id=1951492
# Use "%undefine _annotated_build" to disable. # Use "%undefine _annotated_build" to disable.
%_annotated_build 1 %_annotated_build 1
%_annobin_gcc_plugin -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 %_annobin_gcc_plugin -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
# The annobin plugin is not built for clang yet # The annobin plugin is not built for clang yet
%_annobin_clang_plugin %dnl-fplugin=/usr/lib64/clang/`clang -dumpversion`/lib/annobin.so %_annobin_clang_plugin %dnl-fplugin=/usr/lib64/clang/`clang -dumpversion`/lib/annobin.so
%_annotation_cflags %{?_annotated_build:%{expand:%%{_annobin_%{toolchain}_plugin}}} %_annotation_plugin %{?_annotated_build:%{expand:%%{_annobin_%{toolchain}_plugin}}}
%_annotation_cflags %[ "%{_target_cpu}" == "armv7hl" ? "" : "%{_annotation_plugin}" ]
%_annotation_ldflags %{?_lto_cflags:%{_annotation_cflags}} %_annotation_ldflags %{?_lto_cflags:%{_annotation_cflags}}
# Use the remove-section option to force the find-debuginfo script # Use the remove-section option to force the find-debuginfo script
# to move the annobin notes into the separate debuginfo file. # to move the annobin notes into the separate debuginfo file.
%_find_debuginfo_vendor_opts %{?_annotated_build:--remove-section .gnu.build.attributes} %_find_debuginfo_extra_opts %{?_annotated_build:--remove-section .gnu.build.attributes}
# Include frame pointer information by default, except on RHEL 10 and earlier
# On RHEL 11, we are enabling it for now, with the possibility of revoking it
# at a later date.
# https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer
# Use "%undefine _include_frame_pointers" to disable.
%_include_frame_pointers %{undefined rhel} || 0%{?rhel} >= 11
%_frame_pointers_cflags %{expr:0%{?_include_frame_pointers} ? "-fno-omit-frame-pointer" : ""}
%_frame_pointers_cflags_x86_64 %{expr:0%{?_include_frame_pointers} ? "-mno-omit-leaf-frame-pointer" : ""}
%_frame_pointers_cflags_aarch64 %{expr:0%{?_include_frame_pointers} ? "-mno-omit-leaf-frame-pointer" : ""}
%_frame_pointers_cflags_s390x %{expr:0%{?_include_frame_pointers} ? "-mbackchain" : ""}
# Fail linking if there are undefined symbols. Required for proper # Fail linking if there are undefined symbols. Required for proper
# ELF symbol versioning support. Disabled by default. # ELF symbol versioning support. Disabled by default.
@ -319,6 +384,10 @@ print(result)
%_ld_as_needed 1 %_ld_as_needed 1
%_ld_as_needed_flags %{?_ld_as_needed:-Wl,--as-needed} %_ld_as_needed_flags %{?_ld_as_needed:-Wl,--as-needed}
# aarch64 and s390x currently do not support packed relocations.
%_ld_pack_relocs %[ "%{_arch}" == "x86_64" || "%{_arch}" == "i386" || "%{_arch}" == "ppc64le" || "%{_arch}" == "aarch64" ]
%_ld_pack_relocs_flags %[0%{?_ld_pack_relocs} ? "-Wl,-z,pack-relative-relocs" : ""]
# LTO is the default in Fedora. # LTO is the default in Fedora.
# "%define _lto_cflags %{nil}" to opt out # "%define _lto_cflags %{nil}" to opt out
# #
@ -331,9 +400,26 @@ print(result)
%_clang_lto_cflags -flto=thin %_clang_lto_cflags -flto=thin
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}} %_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
# Default fortification level.
# "%define _fortify_level 2" to downgrade and
# "%define _fortify_level 0" or "%undefine _fortify_level" to disable
#
# We use a single -Wp here to enforce order so that ccache does not ever
# reorder them.
%_fortify_level 3
%_fortify_level_flags %[ 0%{?_fortify_level} > 0 ? "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ]
# This can be set to a positive integer to obtain increasing type
# safety levels for C. See buildflags.md.
%build_type_safety_c 3
# Some linkers default to a build-id algorithm that is not supported by rpmbuild,
# so we need to specify the right algorithm to use.
%_build_id_flags -Wl,--build-id=sha1
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe %_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
%_warning_options -Wall -Werror=format-security %_warning_options -Wall%[%__build_for_lang_any && "%toolchain" == "gcc" ? " -Wno-complain-wrong-lang" : ""]%[%__build_for_lang_c + %__build_for_lang_cxx ? " -Werror=format-security" : ""]%[%__build_for_lang_c && (%build_type_safety_c == 0) ? " -fpermissive" : ""]%[%__build_for_lang_c && (%build_type_safety_c == 1) ? " -Wno-error=int-conversion" : ""]%[%__build_for_lang_c && (%build_type_safety_c > 0 && %build_type_safety_c < 3) ? " -Wno-error=incompatible-pointer-types" : ""]
%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS %_preprocessor_defines %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS
# Common variables are no longer generated by default by gcc and clang # Common variables are no longer generated by default by gcc and clang
# If they are needed then add "%define _legacy_common_support 1" to the spec file. # If they are needed then add "%define _legacy_common_support 1" to the spec file.
@ -341,8 +427,24 @@ print(result)
%__global_compiler_flags %{_general_options} %{_warning_options} %{_preprocessor_defines} %{_hardened_cflags} %{_annotation_cflags} %{_legacy_options} %__global_compiler_flags %{_general_options} %{_warning_options} %{_preprocessor_defines} %{_hardened_cflags} %{_annotation_cflags} %{_legacy_options}
# Internal macros. Do not use directly. These variables can be rebound
# to suppress certain frontend-specific compiler flags (or in the case
# of __build_for_lang_any, frontend-agnostic flags). Dynamic scoping
# and shadowing redefinitions are used for the __build_for_* variables
# to remain largely compatible with existing spec files that have
# hard-coded assumptions which macros assume which other macros.
# The __build_flags_no_macro_warning construct suppresses a warning
# about unused RPM macros.
%__build_for_lang_c 1
%__build_for_lang_cxx 1
%__build_for_lang_any 1
%__build_flags_no_macro_warning %[%__build_for_lang_c + %__build_for_lang_cxx + %__build_for_lang_any ? "" : ""]
%__build_flags_common() %{expand:%define __build_for_lang_c 0}%{expand:%define __build_for_lang_cxx 0}%{expand:%define __build_for_lang_any 0}%{__build_flags_no_macro_warning}%{optflags}
%__build_flags_lang_c() %{expand:%define __build_for_lang_cxx 0}%{expand:%define __build_for_lang_any 0}%{__build_flags_no_macro_warning}%{optflags}
%__build_flags_lang_cxx() %{expand:%define __build_for_lang_c 0}%{expand:%define __build_for_lang_any 0}%{__build_flags_no_macro_warning}%{optflags}
# Automatically trim changelog entries after 2 years # Automatically trim changelog entries after 2 years
%_changelog_trimtime %{lua:print(os.time() - 2 * 365 * 86400)} %_changelog_trimage %{expr:2*365*24*60*60}
#============================================================================== #==============================================================================
# ---- Generic auto req/prov filtering macros # ---- Generic auto req/prov filtering macros

@ -0,0 +1,103 @@
# Macros to constrain resource use during the build process
# Changes _smp_build_ncpus depending on various factors
#
# -c cpus constrains the CPU count to "cpus"
# -m mem constrains the CPU count to the total amount of memory in the system
# (in megabytes) divided by "mem", rounded down
#
# If no options are passed, sets _smp_build_ncpus to 1.
# _smp_build_ncpus will never be raised, only lowered.
%constrain_build(c:m:) %{lua:
-- Check a value and clamp it to at least 1
local function check_and_clamp(v, string)
if v == nil then return nil end
i = math.tointeger(v)
if i == nil then
macros.error({"%%%0: invalid "..string.." value "..v})
return nil
end
local clamp = math.max(1, math.floor(i))
if i ~= clamp then
macros.error({"%%%0: invalid "..string.." value "..v})
return nil
end
return clamp
end
-- Parse meminfo to find the total amount of memory in the system
local function getmem()
local mem = 0
for l in io.lines('/proc/meminfo') do
if l:sub(1, 9) == "MemTotal:" then
mem = math.tointeger(string.match(l, "MemTotal:%s+(%d+)"))
break
end
end
return mem
end
local mem_limit = check_and_clamp(opt.m, "mem limit")
local cpu_limit = check_and_clamp(opt.c, "cpu limit")
local current_cpus = math.tointeger(macros._smp_build_ncpus)
local constrained_cpus = current_cpus
if (not cpu_limit and not mem_limit) then
cpu_limit = 1
end
if cpu_limit ~= nil then
constrained_cpus = math.min(cpu_limit, constrained_cpus)
end
if mem_limit ~= nil then
local mem_total = getmem(verbose)
local limit = math.max(1, mem_total // (mem_limit * 1024))
constrained_cpus = math.min(constrained_cpus, limit)
end
macros._smp_build_ncpus = constrained_cpus
}
# outputs build flag overrides to be used in conjunction with
# %%make_build, %%cmake_build etc.
#
# if no override is needed, this macro outputs nothing
#
# - m memory limit in MBs per core; default is 1024
#
# Usage:
# e.g. %make_build %{limit_build -m 2048}
# => /usr/bin/make -O -j16 V=1 VERBOSE=1
# %make_build %{limit_build -m 40960}
# => /usr/bin/make -O -j16 V=1 VERBOSE=1 -j1
#
%limit_build(m:) %{lua:
local mem_per_process=rpm.expand("%{-m*}")
if mem_per_process == "" then
mem_per_process = 1024
else
mem_per_process = tonumber(mem_per_process)
end
local mem_total = 0
for line in io.lines('/proc/meminfo') do
if line:sub(1, 9) == "MemTotal:" then
local tokens = {}
for token in line:gmatch("%w+") do
tokens[#tokens + 1] = token
end
mem_total = tonumber(tokens[2])
break
end
end
local max_jobs = mem_total // (mem_per_process * 1024)
if max_jobs < 1 then
max_jobs = 1
end
cur_max_jobs=tonumber(rpm.expand("%{_smp_build_ncpus}"))
if cur_max_jobs > max_jobs then
print("-j" .. max_jobs)
end
}

@ -1,70 +0,0 @@
# Computes forge-related variables for use in the rest of the spec file
# Control variables, flags and arguments:
# %{forgeurl<number>} the project url on the target forge
# %{tag<number>} the packaged tag, OR
# %{commit<number>} the packaged commit, OR
# %{version<number>} the packaged version
# %{version}/%{version0} are set via:
# Version:
# because git is lacking a built-in version
# reference, %{version<number>} will be translated
# into %{tag<number>} using unreliable heuristics;
# set %{tag<number>} directly if those fail
# %{date<number>} the packaged timestamp
# … %forgemeta will compute a huge number of variables:
# — the packager can override it by setting some of
# those before the %forgemeta call
# use the -i flag to list those variables
# -z <number> only process the zth block of definitions
# "" for the no-suffix block
# -i list the resulting variable values
# -s silently ignore problems in %{forgeurl<number>}
# -v be verbose
# -a process all sources in one go, instead of using
# separate -z calls
%forgemeta(z:isva) %{lua:
local fedora = require "fedora.common"
local forge = require "fedora.srpm.forge"
local verbose = rpm.expand("%{-v}") ~= ""
local informative = rpm.expand("%{-i}") ~= ""
local silent = rpm.expand("%{-s}") ~= ""
local processall = (rpm.expand("%{-a}") ~= "") and (rpm.expand("%{-z}") == "")
if processall then
for _,s in pairs(fedora.getsuffixes("forgeurl")) do
forge.meta(s,verbose,informative,silent)
end
else
forge.meta(rpm.expand("%{-z*}"),verbose,informative,silent)
end
}
# Unpacks sources computed by %forgemeta
# Control variables, flags and arguments:
# %{forgesource<number>} the source archive that will be processed
# %{forgesetupargs<number>} %setup arguments
# -z <number> only process the zth block of definitions
# "" for the no-suffix block
# -v be verbose
# -a process all sources in one go, instead of using
# separate -z calls
%forgesetup(z:va) %{lua:
local fedora = require "fedora.common"
if (rpm.expand("%{-z}") == "") and (rpm.expand("%{-a}") ~= "") then
for _,s in pairs(fedora.getsuffixes("forgesetupargs")) do
print(rpm.expand("%setup %{!-v:-q} %{?forgesetupargs" .. s .. "}\\n"))
end
else
print( rpm.expand("%setup %{!-v:-q} %{?forgesetupargs" .. rpm.expand("%{-z*}") .. "}\\n"))
end
}
# Calls %autosetup using %forgemeta results
# this will probably be removed since it is unsafe in presence of multiple
# sources
# Control variables, flags and arguments:
# -z <number> process the zth block of definitions
# -v -N -S -p relayed to %autosetup
%forgeautosetup(z:vNS:p:q) %{lua:
print(rpm.expand("%autosetup %{-v} %{-N} %{?-S} %{?-p} %{?forgesetupargs" .. rpm.expand("%{-z*}") .. "}\\n"))
}

@ -0,0 +1,2 @@
# Arches that GAP runs on
%gap_arches aarch64 ppc64le s390x x86_64

@ -0,0 +1,2 @@
# Arches that OpenJDK and dependent packages run on
%java_arches aarch64 ppc64le s390x x86_64

@ -0,0 +1,16 @@
%autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = tonumber(rpm.expand("%{?_rpmautospec_release_number}%{!?_rpmautospec_release_number:1}"));
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
%autochangelog %{lua:
locale = os.setlocale(nil)
os.setlocale("C.utf8")
date = os.date("%a %b %d %Y")
os.setlocale(locale)
packager = rpm.expand("%{?packager}%{!?packager:John Doe <packager@example.com>}")
evr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}")
print("* " .. date .. " " .. packager .. " - " .. evr .. "\\n")
print("- local build")
}

@ -0,0 +1,3 @@
%bash_completions_dir %{_datadir}/bash-completion/completions
%zsh_completions_dir %{_datadir}/zsh/site-functions
%fish_completions_dir %{_datadir}/fish/vendor_completions.d

@ -1,2 +1,3 @@
*cc1_options: *cc1_options:
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin} + %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}

@ -3,7 +3,7 @@
# should be the destination of the redhat-annobin-cc1 symlink. # should be the destination of the redhat-annobin-cc1 symlink.
# Author: Nick Clifton <nickc@redhat.com> # Author: Nick Clifton <nickc@redhat.com>
# Copyright (c) 2021-2022 Red Hat. # Copyright (c) 2021 Red Hat.
# #
# This is free software; you can redistribute it and/or modify it # This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published # under the terms of the GNU General Public License as published

@ -1,2 +1,3 @@
*cc1_options: *cc1_options:
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin} + %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}

@ -1,2 +1,3 @@
*cc1_options: *cc1_options:
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=gcc-annobin} + %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=gcc-annobin}

@ -1,2 +1,5 @@
*cc1_options: *cc1_options:
+ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}} + %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
*cpp_options:
+ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}

@ -0,0 +1,2 @@
*self_spec:
+ %{!fuse-ld*:%{!r:-Wl,--error-rwx-segments -Wl,--error-execstack}}

@ -3,80 +3,20 @@ include: /usr/lib/rpm/rpmrc
optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection
optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
optflags: ia64 %{__global_compiler_flags} optflags: x86_64 %{__global_compiler_flags} -m64 %{__cflags_arch_x86_64} %__cflags_arch_x86_64_common
optflags: x86_64 %{__global_compiler_flags} -m64 %{__cflags_arch_x86_64} -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection optflags: x86_64_v2 %{__global_compiler_flags} -m64 -march=x86-64-v2 %__cflags_arch_x86_64_common
optflags: x86_64_v3 %{__global_compiler_flags} -m64 -march=x86-64-v3 %__cflags_arch_x86_64_common
optflags: x86_64_v4 %{__global_compiler_flags} -m64 -march=x86-64-v4 %__cflags_arch_x86_64_common
optflags: alpha %{__global_compiler_flags} -mieee
optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5
optflags: alphaev56 %{__global_compiler_flags} -mieee -mcpu=ev56
optflags: alphapca56 %{__global_compiler_flags} -mieee -mcpu=pca56
optflags: alphaev6 %{__global_compiler_flags} -mieee -mcpu=ev6
optflags: alphaev67 %{__global_compiler_flags} -mieee -mcpu=ev67
optflags: sparc %{__global_compiler_flags} -m32 -mcpu=v7 -mtune=ultrasparc
optflags: sparcv8 %{__global_compiler_flags} -m32 -mcpu=v8
optflags: sparcv9 %{__global_compiler_flags} -m32 -mcpu=ultrasparc
optflags: sparcv9v %{__global_compiler_flags} -m32 -mcpu=niagara
optflags: sparc64 %{__global_compiler_flags} -m64 -mcpu=ultrasparc
optflags: sparc64v %{__global_compiler_flags} -m64 -mcpu=niagara
optflags: m68k %{__global_compiler_flags}
optflags: ppc %{__global_compiler_flags} -m32 -fasynchronous-unwind-tables
optflags: ppciseries %{__global_compiler_flags} -m32
optflags: ppcpseries %{__global_compiler_flags} -m32
optflags: ppc64 %{__global_compiler_flags} -m64 -fasynchronous-unwind-tables -fstack-clash-protection
optflags: ppc64p7 %{__global_compiler_flags} -m64 -O3 -mcpu=power7 -mtune=power7 -fasynchronous-unwind-tables -fstack-clash-protection
optflags: ppc64le %{__global_compiler_flags} -m64 %{__cflags_arch_ppc64le} -fasynchronous-unwind-tables -fstack-clash-protection optflags: ppc64le %{__global_compiler_flags} -m64 %{__cflags_arch_ppc64le} -fasynchronous-unwind-tables -fstack-clash-protection
optflags: ppc64iseries %{__global_compiler_flags} -m64
optflags: ppc64pseries %{__global_compiler_flags} -m64
optflags: ppc8260 %{__global_compiler_flags} -m32
optflags: ppc8560 %{__global_compiler_flags} -m32
optflags: parisc %{__global_compiler_flags} -mpa-risc-1-0
optflags: hppa1.0 %{__global_compiler_flags} -mpa-risc-1-0
optflags: hppa1.1 %{__global_compiler_flags} -mpa-risc-1-0
optflags: hppa1.2 %{__global_compiler_flags} -mpa-risc-1-0
optflags: hppa2.0 %{__global_compiler_flags} -mpa-risc-1-0
optflags: mips %{__global_compiler_flags} -march=mips32r2 -mfpxx
optflags: mipsel %{__global_compiler_flags} -march=mips32r2 -mfpxx
optflags: mips64 %{__global_compiler_flags} -march=mips64r2 -mabi=64
optflags: mips64el %{__global_compiler_flags} -march=mips64r2 -mabi=64
optflags: mipsr6 %{__global_compiler_flags} -march=mips32r6
optflags: mipsr6el %{__global_compiler_flags} -march=mips32r6
optflags: mips64r6 %{__global_compiler_flags} -march=mips64r6
optflags: mips64r6el %{__global_compiler_flags} -march=mips64r6
optflags: armv3l %{__global_compiler_flags} -fsigned-char -march=armv3
optflags: armv4b %{__global_compiler_flags} -fsigned-char -march=armv4
optflags: armv4l %{__global_compiler_flags} -fsigned-char -march=armv4
optflags: armv4tl %{__global_compiler_flags} -march=armv4t
optflags: armv5tel %{__global_compiler_flags} -march=armv5te -mfloat-abi=soft
optflags: armv5tejl %{__global_compiler_flags} -march=armv5te -mfloat-abi=soft
optflags: armv6l %{__global_compiler_flags} -march=armv6 -mfloat-abi=soft
optflags: armv6hl %{__global_compiler_flags} -march=armv6 -mfpu=vfp -mfloat-abi=hard
optflags: armv6hnl %{__global_compiler_flags} -march=armv6 -mfpu=neon -mfloat-abi=hard
optflags: armv7l %{__global_compiler_flags} -march=armv7-a -mfloat-abi=soft
optflags: armv7hl %{__global_compiler_flags} -march=armv7-a -mfpu=vfpv3-d16 -mtune=generic-armv7-a -mabi=aapcs-linux -mfloat-abi=hard
optflags: armv7hnl %{__global_compiler_flags} -march=armv7-a -mfpu=neon -mfloat-abi=hard
optflags: atarist %{__global_compiler_flags}
optflags: atariste %{__global_compiler_flags}
optflags: ataritt %{__global_compiler_flags}
optflags: falcon %{__global_compiler_flags}
optflags: atariclone %{__global_compiler_flags}
optflags: milan %{__global_compiler_flags}
optflags: hades %{__global_compiler_flags}
optflags: s390 %{__global_compiler_flags} -m31 %{__cflags_arch_s390x} -fasynchronous-unwind-tables
optflags: s390x %{__global_compiler_flags} -m64 %{__cflags_arch_s390x} -fasynchronous-unwind-tables -fstack-clash-protection optflags: s390x %{__global_compiler_flags} -m64 %{__cflags_arch_s390x} -fasynchronous-unwind-tables -fstack-clash-protection
optflags: aarch64 %{__global_compiler_flags} -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ] optflags: aarch64 %{__global_compiler_flags} -mbranch-protection=standard -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ] %{_frame_pointers_cflags} %{_frame_pointers_cflags_aarch64}
optflags: riscv64 %{__global_compiler_flags} -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ] optflags: riscv64 %{__global_compiler_flags} -fasynchronous-unwind-tables %{_frame_pointers_cflags}
# set build arch to fedora buildarches on hardware capable of running it # set build arch to fedora buildarches on hardware capable of running it
# saves having to do rpmbuild --target= # saves having to do rpmbuild --target=
@ -87,11 +27,5 @@ buildarchtranslate: pentium3: i686
buildarchtranslate: i686: i686 buildarchtranslate: i686: i686
buildarchtranslate: i586: i586 buildarchtranslate: i586: i586
buildarchtranslate: sparcv9: sparcv9
buildarchtranslate: sparcv9v: sparcv9
buildarchtranslate: armv5tejl: armv5tel
buildarchtranslate: armv6l: armv5tel
buildarchtranslate: armv7l: armv5tel
buildarchtranslate: armv7hl: armv7hl buildarchtranslate: armv7hl: armv7hl
buildarchtranslate: armv7hnl: armv7hl buildarchtranslate: armv7hnl: armv7hl

@ -1,15 +1,17 @@
# TO WHOM IT MAY CONCERN # TO WHOM IT MAY CONCERN
# #
# 1) Don't add patches, dist-git is the upstream repository for this package. # 1) Don't add patches, dist-git is the upstream repository for this package.
# 2) When making changes, update version by +1, leave release alone. # 2) When making changes, increment the version (in baserelease) by 1.
# # rpmdev-bumpspec and other tools update the macro below, which is used
# in Version: to get the desired effect.
%global baserelease 287
Summary: Red Hat specific rpm configuration files Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config Name: redhat-rpm-config
Version: 201 Version: %{baserelease}
Release: 1%{?dist} Release: 1%{?dist}
# No version specified. # config.guess, config.sub are GPL-3.0-or-later WITH Autoconf-exception-generic
License: GPL+ License: GPL-1.0-or-later AND GPL-2.0-or-later AND GPL-3.0-or-later WITH Autoconf-exception-generic AND Boehm-GC
URL: https://src.fedoraproject.org/rpms/redhat-rpm-config URL: https://src.fedoraproject.org/rpms/redhat-rpm-config
# Core rpm settings # Core rpm settings
@ -19,7 +21,10 @@ Source1: rpmrc
# gcc specs files for hardened builds # gcc specs files for hardened builds
Source50: redhat-hardened-cc1 Source50: redhat-hardened-cc1
Source51: redhat-hardened-ld Source51: redhat-hardened-ld
Source52: redhat-hardened-clang.cfg Source52: redhat-hardened-ld-errors
# clang config spec files
Source53: redhat-hardened-clang.cfg
Source54: redhat-hardened-clang-ld.cfg
# gcc specs files for annobin builds # gcc specs files for annobin builds
Source60: redhat-annobin-cc1 Source60: redhat-annobin-cc1
@ -37,13 +42,17 @@ Source102: macros.mono-srpm
Source103: macros.nodejs-srpm Source103: macros.nodejs-srpm
Source104: macros.ldc-srpm Source104: macros.ldc-srpm
Source105: macros.valgrind-srpm Source105: macros.valgrind-srpm
Source106: macros.java-srpm
Source107: macros.gap-srpm
# Other misc macros # Other misc macros
Source150: macros.dwz Source150: macros.build-constraints
Source152: macros.vpath Source151: macros.dwz
Source153: macros.forge Source152: macros.fedora-misc
Source154: macros.ldconfig Source155: macros.ldconfig
Source155: macros.fedora-misc Source156: macros.vpath
Source157: macros.shell-completions
Source158: macros.rpmautospec
# Build policy scripts # Build policy scripts
# this comes from https://github.com/rpm-software-management/rpm/pull/344 # this comes from https://github.com/rpm-software-management/rpm/pull/344
@ -51,14 +60,6 @@ Source155: macros.fedora-misc
# and an echo when the mangling happens # and an echo when the mangling happens
Source201: brp-mangle-shebangs Source201: brp-mangle-shebangs
# this comes from rpm itself
# however, now we can do Fedora changes within
Source202: brp-python-bytecompile
# for fixing pyc files reproducibility with marshalparser
# https://github.com/fedora-python/marshalparser
Source203: brp-fix-pyc-reproducibility
# for converting llvm LTO bitcode objects into ELF # for converting llvm LTO bitcode objects into ELF
Source204: brp-llvm-compile-lto-elf Source204: brp-llvm-compile-lto-elf
@ -70,9 +71,9 @@ Source304: find-requires
Source400: dist.sh Source400: dist.sh
Source404: gpgverify Source404: gpgverify
# 2016-10-02 snapshots from http://git.savannah.gnu.org/gitweb/?p=config.git # Snapshots from http://git.savannah.gnu.org/gitweb/?p=config.git
Source500: config.guess Source500: https://git.savannah.gnu.org/cgit/config.git/plain/config.guess
Source501: config.sub Source501: https://git.savannah.gnu.org/cgit/config.git/plain/config.sub
# Dependency generators & their rules # Dependency generators & their rules
Source602: libsymlink.attr Source602: libsymlink.attr
@ -83,7 +84,6 @@ Source701: brp-strip-lto
# Convenience lua functions # Convenience lua functions
Source800: common.lua Source800: common.lua
Source801: forge.lua
# Documentation # Documentation
Source900: buildflags.md Source900: buildflags.md
@ -94,30 +94,35 @@ Requires: coreutils
Requires: efi-srpm-macros Requires: efi-srpm-macros
Requires: fonts-srpm-macros Requires: fonts-srpm-macros
Requires: ghc-srpm-macros # ↓ Provides macros.forge and forge.lua originally shipped by us
Requires: forge-srpm-macros
Requires: go-srpm-macros Requires: go-srpm-macros
# ↓ Provides kmod.attr originally shipped by us # ↓ Provides kmod.attr originally shipped by us
Requires: kernel-srpm-macros >= 1.0-6 Requires: kernel-srpm-macros >= 1.0-12
Requires: lua-srpm-macros Requires: lua-srpm-macros
Requires: ocaml-srpm-macros Requires: ocaml-srpm-macros
Requires: openblas-srpm-macros Requires: openblas-srpm-macros
Requires: perl-srpm-macros Requires: perl-srpm-macros
# ↓ Provides compileall2 Python module # ↓ Has Python BRPs originaly present in redhat-rpm-config
Requires: python-srpm-macros >= 3-46 Requires: python-srpm-macros >= 3.11-7
Requires: qt5-srpm-macros Requires: qt6-srpm-macros
Requires: rust-srpm-macros Requires: rust-srpm-macros
Requires: package-notes-srpm-macros
Requires: pyproject-srpm-macros Requires: pyproject-srpm-macros
%if ! 0%{?rhel} %if ! 0%{?rhel}
Requires: ansible-srpm-macros
Requires: fpc-srpm-macros Requires: fpc-srpm-macros
Requires: ghc-srpm-macros
Requires: gnat-srpm-macros Requires: gnat-srpm-macros
Requires: nim-srpm-macros Requires: qt5-srpm-macros
Requires: zig-srpm-macros
%endif %endif
Requires: rpm >= 4.11.0 Requires: rpm >= 4.11.0
Requires: dwz >= 0.4 Requires: dwz >= 0.4
Requires: zip Requires: zip
Requires: (annobin if (gcc or clang)) Requires: (annobin-plugin-gcc if gcc)
Requires: (gcc-plugin-annobin if gcc) Requires: (gcc-plugin-annobin if gcc)
# for brp-mangle-shebangs # for brp-mangle-shebangs
@ -129,10 +134,14 @@ Requires: %{_bindir}/xargs
# for brp-llvm-compile-lto-elf # for brp-llvm-compile-lto-elf
Requires: (llvm if clang) Requires: (llvm if clang)
Requires: (gawk if clang)
# -fstack-clash-protection and -fcf-protection require GCC 8. # -fstack-clash-protection and -fcf-protection require GCC 8.
Conflicts: gcc < 8.0.1-0.22 Conflicts: gcc < 8.0.1-0.22
# Replaced by macros.rpmautospec shipped by us
Obsoletes: rpmautospec-rpm-macros < 0.6.3-2
Provides: system-rpm-config = %{version}-%{release} Provides: system-rpm-config = %{version}-%{release}
%global rrcdir /usr/lib/rpm/redhat %global rrcdir /usr/lib/rpm/redhat
@ -169,15 +178,10 @@ install -p -m 644 -t %{buildroot}%{_fileattrsdir} *.attr
mkdir -p %{buildroot}%{_rpmluadir}/fedora/{rpm,srpm} mkdir -p %{buildroot}%{_rpmluadir}/fedora/{rpm,srpm}
install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua
install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
# This trigger is used to decide which version of the annobin plugin for gcc # This trigger is used to decide which version of the annobin plugin for gcc
# should be used. See comments in the script for full details. # should be used. See comments in the script for full details.
# #
# Note: for RHEL the rpm containing the annobin built plugin is called
# "annobin", whereas in Fedora it is called "annobin-plugin-gcc". This is
# for historical reasons and will change with the introduction of RHEL-10.
#
# Note - whilst "gcc-plugin-annobin" requires "gcc" and hence in theory we # Note - whilst "gcc-plugin-annobin" requires "gcc" and hence in theory we
# do not need to trigger on "gcc", the redhat-annobin-plugin-select.sh # do not need to trigger on "gcc", the redhat-annobin-plugin-select.sh
# script invokes gcc to determine the version of the gcc plugin, and this # script invokes gcc to determine the version of the gcc plugin, and this
@ -207,15 +211,16 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
# #
# Hence it is necessary to trigger on both gcc and gcc-plugin-annobin. # Hence it is necessary to trigger on both gcc and gcc-plugin-annobin.
%triggerin -- annobin gcc-plugin-annobin gcc %triggerin -- annobin-plugin-gcc gcc-plugin-annobin gcc
%{rrcdir}/redhat-annobin-plugin-select.sh %{rrcdir}/redhat-annobin-plugin-select.sh
%end %end
# We also trigger when an annobin plugin is uninstalled. This allows us to switch # We also trigger when an annobin plugin is uninstalled. This allows us to
# over to the other version of the plugin. It does not matter if # switch over to the other version of the plugin. Note - we do not bother
# gcc is uninstalled, since if that happens the plugin cannot be used. # triggering on the uninstallation of "gcc", since if that is removed, the
# plugins are rendered useless.
%triggerpostun -- annobin gcc-plugin-annobin %triggerpostun -- annobin-plugin-gcc gcc-plugin-annobin
%{rrcdir}/redhat-annobin-plugin-select.sh %{rrcdir}/redhat-annobin-plugin-select.sh
%end %end
@ -234,16 +239,17 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
%{rrcdir}/brp-ldconfig %{rrcdir}/brp-ldconfig
%{_fileattrsdir}/*.attr %{_fileattrsdir}/*.attr
%{_rpmconfigdir}/macros.d/macros.*-srpm %{_rpmconfigdir}/macros.d/macros.*-srpm
%{_rpmconfigdir}/macros.d/macros.build-constraints
%{_rpmconfigdir}/macros.d/macros.dwz %{_rpmconfigdir}/macros.d/macros.dwz
%{_rpmconfigdir}/macros.d/macros.forge %{_rpmconfigdir}/macros.d/macros.fedora-misc
%{_rpmconfigdir}/macros.d/macros.ldconfig %{_rpmconfigdir}/macros.d/macros.ldconfig
%{_rpmconfigdir}/macros.d/macros.rpmautospec
%{_rpmconfigdir}/macros.d/macros.shell-completions
%{_rpmconfigdir}/macros.d/macros.vpath %{_rpmconfigdir}/macros.d/macros.vpath
%{_rpmconfigdir}/macros.d/macros.fedora-misc
%dir %{_rpmluadir}/fedora %dir %{_rpmluadir}/fedora
%dir %{_rpmluadir}/fedora/srpm %dir %{_rpmluadir}/fedora/srpm
%dir %{_rpmluadir}/fedora/rpm %dir %{_rpmluadir}/fedora/rpm
%{_rpmluadir}/fedora/*.lua %{_rpmluadir}/fedora/*.lua
%{_rpmluadir}/fedora/srpm/*lua
%attr(0755,-,-) %{rrcdir}/redhat-annobin-plugin-select.sh %attr(0755,-,-) %{rrcdir}/redhat-annobin-plugin-select.sh
%verify(owner group mode) %{rrcdir}/redhat-annobin-cc1 %verify(owner group mode) %{rrcdir}/redhat-annobin-cc1
@ -253,84 +259,365 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
%doc buildflags.md %doc buildflags.md
%changelog %changelog
* Mon May 08 2023 Nikita Popov <npopov@redhat.com> - 201-1 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 287-1
- Add llvm dependency if clang toolchain used - Bump release for October 2024 mass rebuild:
- Resolves: rhbz#2193406 Resolves: RHEL-64018
* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 286-1
- Rebuilt for MSVSphere 10
* Wed Sep 25 2024 Siddhesh Poyarekar <siddhesh@redhat.com> - 286-1
- Change ppc64le tuning to Power 10 for RHEL10 and beyond (RHEL-58074)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 285-1
- Bump release for June 2024 mass rebuild
* Tue Jun 18 2024 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 284-1
- Use --config=xxx for clang configs instead of two separate arguments to work
around a bug in meson
- Add clang link config file
* Mon Jun 17 2024 Florian Weimer <fweimer@redhat.com> - 283-1
- Switch back to traditional Version: management (RHEL-42436)
* Fri Jun 7 2024 Florian Weimer <fweimer@redhat.com> - 282-4
- Enable DT_RELR on aarch64 (RHEL-40379)
* Wed May 22 2024 Florian Weimer <fweimer@redhat.com> - 282-3
- Drop ghc-srpm-macros dependency
* Fri May 10 2024 Florian Weimer <fweimer@redhat.com> - 282-2
- Enable GNU2 TLS descriptors on x86-64 (GCC only) (RHEL-25031)
* Tue Feb 06 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 282-1
- Loosen rust-srpm-macros requirement
* Mon Feb 05 2024 Jonathan Wright <jonathan@almalinux.org> - 281-1
- simplify microarch macros for x86_64
* Tue Jan 16 2024 Florian Weimer <fweimer@redhat.com> - 280-1
- Drop -fcf-protection for i686 because there won't be kernel support
* Tue Jan 16 2024 Nils Philippsen <nils@redhat.com> - 279-1
- Obsolete rpmautospec-rpm-macros without version
* Mon Jan 15 2024 Nick Clifton <nickc@redhat.com> - 278-1
- Add hardening feature to convert linker warning messages into errors.
- https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues
* Mon Jan 15 2024 Florian Weimer <fweimer@redhat.com> - 277-1
- Switch C type safety level to 3 (GCC 14 default), and adjust for GCC 14
* Thu Jan 11 2024 Jan Grulich <jgrulich@redhat.com> - 276-1
- Drop qt5-srpm-macros from RHEL 10
* Fri Jan 05 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 275-1
- Define RUSTFLAGS only when rust macros are installed
* Wed Jan 3 2024 Florian Weimer <fweimer@redhat.com> - 274-1
- Missing packed relative relocation support on aarch64, s390x (#2256645)
* Tue Jan 2 2024 Florian Weimer <fweimer@redhat.com> - 273-1
- Pack relative ELF relocations by default
* Tue Dec 26 2023 Jan Drögehoff <sentrycraft123@gmail.com> - 272-1
- Add zig-srpm-macros
* Fri Nov 03 2023 Stephen Gallagher <sgallagh@redhat.com> - 271-1
- ELN: Enable frame pointers for RHEL 11+ (for now)
* Thu Oct 5 2023 Florian Weimer <fweimer@redhat.com> - 270-1
- Disable -fstack-clash-protection on riscv64 (#2242327)
* Thu Oct 5 2023 Nikita Popov <npopov@redhat.com> - 269-1
- Use correct format specifier in brp-llvm-compile-lto-elf
* Fri Sep 29 2023 Nikita Popov <npopov@redhat.com> - 268-1
- Fix brp-llvm-compile-lto-elf parallelism with hardlinks (#2234024)
* Tue Sep 26 2023 Florian Weimer <fweimer@redhat.com> - 267-1
- Switch %%build_type_safety_c to 1 (#2142177)
* Thu Sep 07 2023 Maxwell G <maxwell@gtmx.me> - 266-1
- Split out forge macros to forge-srpm-macros package
* Tue Aug 29 2023 Florian Weimer <fweimer@redhat.com> - 265-1
- Add support for x86_64_v2, x86_64_v3, x86_64_v4 (#2233093)
* Tue Aug 22 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 264-1
- Add macros.rpmautospec
* Mon Aug 21 2023 Miroslav Suchy <msuchy@redhat.com> - 263-1
- Migrate to SPDX
* Wed Aug 02 2023 Charalampos Stratakis <cstratak@redhat.com> - 262-1
- Strip all extension builder flags except -fexceptions and -fcf-protection
- https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
* Fri Jul 7 2023 Florian Weimer <fweimer@redhat.com> - 261-1
- Fix warnings that appear during the build of the llvm package
* Wed Jul 5 2023 Florian Weimer <fweimer@redhat.com> - 260-1
- Implement the %%build_type_safety_c macro (#2218019)
* Wed Jul 5 2023 Florian Weimer <fweimer@redhat.com> - 259-1
- Filter out C, C++ build flags from Fortran build flags (#2177253)
* Wed Jul 5 2023 Florian Weimer <fweimer@redhat.com> - 258-1
- Enable PIC mode for assembler files (#2167430)
* Wed Jul 05 2023 Frederic Berat <fberat@redhat.com> - 257-1
- update config.{guess,sub} to gnuconfig git HEAD
* Sat Jun 17 2023 Tom Stellard <tstellar@redhat.com> - 256-1
- Remove -fno-openmp-implicit-rpath from clang ldflags
* Fri Jun 16 2023 Lumír Balhar <lbalhar@redhat.com> - 255-1
- Add qt6-srpm-macros
* Thu Mar 9 2023 Florian Weimer <fweimer@redhat.com> - 254-1
- Switch ELN to x86-64-v3
* Tue Feb 28 2023 Maxwell G <gotmax@e.email> - 253-1
- Include RUSTFLAGS in %%set_build_flags
- Fixes: rhbz#2167183
* Tue Feb 28 2023 Tom Stellard <tstellar@redhat.com> - 252-1
- Rename _pkg_extra_* macros to _distro_extra_*
* Thu Feb 23 2023 Miro Hrončok <mhroncok@redhat.com> - 251-1
- Drop the requirement of orphaned nim-srpm-macros
- No Fedora package uses the %%nim_arches macro
* Tue Feb 14 2023 Frederic Berat <fberat@redhat.com> - 250-1
- update config.{guess,sub} to gnuconfig git HEAD
* Wed Apr 19 2023 Nikita Popov <npopov@redhat.com> - 200-1 * Thu Feb 09 2023 Jerry James <loganjerry@gmail.com> - 249-1
- Change clang LTO default to ThinLTO - Add macros.gap-srpm
- Resolves: rhbz#2178788
* Mon Feb 13 2023 Miro Hrončok <mhroncok@redhat.com> - 199-1 * Tue Feb 07 2023 Tom Stellard <tstellar@redhat.com> - 248-1
- Add %%pkg_extra_* macros
* Mon Feb 06 2023 Nick Clifton <nickc@redhat.com> - 247-1
- Fix triggers for the installation and removal of gcc-plugin-annobin.
Fixes: rhbz#2124562
* Tue Jan 17 2023 Miro Hrončok <mhroncok@redhat.com> - 246-1
- Add pyproject-srpm-macros to the default buildroot - Add pyproject-srpm-macros to the default buildroot
- Related: rhbz#2168193
* Tue Feb 07 2023 Nick Clifton <nickc@redhat.com> - 198-1 * Tue Jan 17 2023 Davide Cavalca <dcavalca@fedoraproject.org> - 245-1
- Fix triggers for the installation and removal of gcc-plugin-annobin. (#2167713) - Do not include frame pointers on ppc64le for now
Fixes: rhbz#2161595
* Wed Sep 21 2022 Timm Bäder <tbaeder@redhat.com> - 197-1 * Mon Jan 16 2023 Tom Stellard <tstellar@redhat.com> - 244-1
- Ship brp-llvm-compile-lto-elf script - Make -flto=thin the default lto flag for clang
* Mon Jun 27 2022 Nick Clifton <nickc@redhat.com> - 196-1 * Mon Jan 16 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 243-1
- Pass "--remove section .gnu.build.attributes" to the find-debuginfo script. - Consolidate the _FORTIFY_SOURCE switches.
- Resolves: rhbz#2099613
* Wed Jun 15 2022 Florian Festi <ffesti@redhat.com> - 195-1 * Fri Jan 13 2023 Miro Hrončok <mhroncok@redhat.com> - 242-1
- Detect compressed kernel modules - Don't use %%[ ] expressions with %%{undefined}
- Resolves: rhbz#2008544 - Fixes: rhbz#2160716
* Thu Feb 17 2022 Nick Clifton <nickc@redhat.com> - 194-1 * Thu Jan 12 2023 Stephen Gallagher <sgallagh@redhat.com> - 241-1
- Use the correct package names for the triggers. - Do not include frame pointers on RHEL
- Resolves: rhbz#2030671
* Tue Feb 15 2022 Nick Clifton <nickc@redhat.com> - 193-1 * Tue Jan 10 2023 Davide Cavalca <dcavalca@fedoraproject.org> - 240-1
- Fix bugs in plugin selection script. - Do not include frame pointers on i686 and s390x for now
- Resolves: rhbz#2030671
* Tue Feb 01 2022 Nick Clifton <nickc@redhat.com> - 192-1 * Wed Jan 4 2023 Davide Cavalca <dcavalca@fedoraproject.org> - 239-1
- Select between gcc-built and annobin-built versions of the annobin plugin. - Enable frame pointers by default
- Resolves: rhbz#2030671 - Set arch specific flags for frame pointers support
* Wed Dec 08 2021 Miro Hrončok <mhroncok@redhat.com> - 191-1 * Tue Jan 3 2023 Miro Hrončok <mhroncok@redhat.com> - 238-1
- brp-mangle-shebangs: also mangle shebangs of JavaScript executables - Set %%source_date_epoch_from_changelog to 1
- Resolves: rhbz#2030427 - https://fedoraproject.org/wiki/Changes/ReproducibleBuildsClampMtimes
* Thu Dec 02 2021 Neal Gompa <ngompa@centosproject.org> - 190-1 * Tue Jan 3 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 237-1
- Make vpath builddir not include arch-specific info - Make _FORTIFY_SOURCE configurable and bump default to 3.
Resolves: rhbz#1984679
* Wed Dec 28 2022 Davide Cavalca <dcavalca@fedoraproject.org> - 236-1
- Add conditional support for always including frame pointers
* Sat Dec 10 2022 Florian Weimer <fweimer@redhat.com> - 235-1
- Add %%_configure_use_runstatedir to disable --runstatedir configure option
* Fri Nov 4 2022 Tom Stellard <tstellar@redhat.com> - 234-1
- Remove unsupported arches from rpmrc
* Fri Nov 4 2022 Florian Weimer <fweimer@redhat.com> - 233-1
- Set -g when building Vala applications
* Fri Sep 23 2022 Timm Bäder <tbaeder@redhat.com> - 232-1
- Fix brp-compile-lto-elf to not rely on a backtracking regex
* Thu Sep 08 2022 Maxwell G <gotmax@e.email> - 231-1
- forge macros: Support Sourcehut. Fixes rhbz#2035935.
* Tue Aug 30 2022 Frederic Berat <fberat@redhat.com> - 230-1
- Add support for runstatedir in %%configure
* Fri Aug 26 2022 Dan Horák <dan[at]danny.cz> - 229-1
- Move the baseline s390x arch to z13 for F-38+
* Mon Aug 8 2022 Maxwell G <gotmax@e.email> - 228-1
- Add macros.shell-completions
* Fri Aug 05 2022 Nikita Popov <npopov@redhat.com> - 227-1
- brp-llvm-compile-lto-elf: Pass -r to xargs
* Wed Jun 22 2022 Timm Bäder <tbaeder@redhat.com> - 226-1
- Move llvm_compile_lto_to_elf before __debug_install_post
* Fri Jun 17 2022 Nick Clifton <nickc@redhat.com> - 225-1
- Add definition of _find_debuginfo_extra_opts which will
- move annobin data into a separate debuginfo file.
* Tue Jun 14 2022 Tom Stellard <tstellar@redhat.com> - 224-1
- Fix passing of CFLAGS to brp-llvm-compile-lto-elf
* Fri May 27 2022 Tom Stellard <tstellar@redhat.com> - 223-1
- Move -fno-openmp-implicit-rpath option from CFLAGS to LDFLAGS
* Fri May 27 2022 Florian Weimer <fweimer@redhat.com> - 222-1
- Use %%baserelease to store the version number
* Fri May 27 2022 Frederic Berat <fberat@redhat.com> - 221-1
- update config.{guess,sub} to gnuconfig git HEAD
* Tue May 17 2022 Maxwell G <gotmax@e.email> - 220-1
- Add `Requires: ansible-srpm-macros`
* Tue May 17 2022 Miro Hrončok <mhroncok@redhat.com> - 219-2
- Remove a tab character from the definition of %%__global_compiler_flags
- Fixes: rhbz#2083296
* Tue May 10 2022 Mikolaj Izdebski <mizdebsk@redhat.com> - 219-1
- Add java_arches macro
* Wed Apr 20 2022 Timm Bäder <tbaeder@redhat.com> - 218-1
- Parallelize bpr-llvm-compile-lto-elf
* Tue Apr 19 2022 Tom Stellard <tstellar@redhat.com> - 217-1
- Add -fno-openmp-implicit-rpath when building with clang
* Wed Apr 13 2022 Nick Clifton <nickc@redhat.com> - 216-1
- Add support for comparing gcc-built and annobin-built plugins.
* Tue Nov 16 2021 Florian Weimer <fweimer@redhat.com> - 189-1 * Mon Feb 21 2022 Timm Bäder <tbaeder@redhat.com> - 215-1
- buildflags.md: Documentation updates (#2005080) - Add %%__brp_remove_la_files to %%__os_install_post
* Tue Aug 24 2021 Florian Weimer <fweimer@redhat.com> - 188-1 * Thu Feb 10 2022 Florian Weimer <fweimer@redhat.com> - 214-1
- redhat-rpm-config: Enable x86-64-v2 baseline for Clang/LLVM (#1890170) - ppc64le: Switch baseline to POWER9 on ELN (ELN issue 78)
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 187-2 * Thu Feb 10 2022 Florian Weimer <fweimer@redhat.com> - 213-1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - s390x: Switch baseline to z14 on ELN (ELN issue 79)
Related: rhbz#1991688
* Fri Jul 30 2021 Florian Weimer <fweimer@redhat.com> - 187-1 * Sun Jan 23 2022 Robert-André Mauchin <zebob.m@gmail.com> - 212-1
- Active GCC plugin during LTO linking (#1983727) - Add package note generation to %%check preamble
- Fix: rhbz#2043977
* Thu Jul 22 2021 Florian Weimer <fweimer@redhat.com> - 186-1 * Fri Jan 21 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 211-1
- aarch64: Do not build with -mbranch-protection=standard (#1984652) - Move package note generation to build preamble
- Do ELF package notes also on ELN
* Tue May 25 2021 Michal Domonkos <mdomonko@redhat.com> - 185-3 * Thu Jan 20 2022 Miro Hrončok <mhroncok@redhat.com> - 210-1
- Bump release for a rebuild in a sidetag - Remove package ELF note from the extension LDFLAGS
- Related: rhbz#2043092
- Fix %%set_build_flags when %%_generate_package_note_file is not defined
- Fixes: rhbz#2043166
* Wed May 12 2021 Michal Domonkos <mdomonko@redhat.com> - 185-1 * Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 209-1
- Drop kernel-rpm-macros subpackage & kmod.attr - Add package ELF note to the default LDFLAGS
- Resolves: #1959924
* Wed Apr 21 2021 Michal Domonkos <mdomonko@redhat.com> - 184-1 * Tue Jan 04 2022 Tom Stellard <tstellar@redhat.com> - 208-1
- Call %%set_build_flags before %%build, %%check, and %%install stages
* Tue Dec 14 2021 Tom Stellard <tstellar@redhat.com> - 207-1
- Add -Wl,--build-id=sha1 to the default LDFLAGS
* Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1
- brp-mangle-shebangs: also mangle shebangs of JavaScript executables
- Fixes: rhbz#1998924
* Thu Nov 18 2021 Michal Domonkos <mdomonko@redhat.com> - 205-1
- Drop kernel-rpm-macros subpackage & kmod.attr (new home: kernel-srpm-macros)
* Tue Nov 16 2021 Miro Hrončok <mhroncok@redhat.com> - 204-1
- Don't pull in Python to all buildroots
- Remove llvm-lto-elf-check script
* Tue Nov 09 2021 Michal Domonkos <mdomonko@redhat.com> - 203-1
- Drop {fpc,gnat,nim}-srpm-macros dependencies on RHEL - Drop {fpc,gnat,nim}-srpm-macros dependencies on RHEL
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 183-2 * Wed Nov 03 2021 David Benoit <dbenoit@redhat.com> - 202-1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Add llvm-lto-elf-check script
- Resolves: rhbz#2017193
* Mon Nov 01 2021 Jason L Tibbitts III <j@tib.bs> - 201-1
- Better error handling for %%constrain_build.
* Mon Oct 18 2021 Jason L Tibbitts III <j@tib.bs> - 200-1
- Add %%constrain_build macro.
* Tue Sep 21 2021 Tom Stellard <tstellar@redhat.com> - 199-1
- Drop annobin-plugin-clang dependency
* Mon Aug 30 2021 Florian Weimer <fweimer@redhat.com> - 198-1
- ELN: Enable -march=x86-64-v2 for Clang as well
* Tue Aug 17 2021 Tom Stellard <tstellar@redhat.com> - 197-1
- Add build_ preifix to cc, cxx, and cpp macros
* Mon Aug 16 2021 Tom Stellard <tstellar@redhat.com> - 196-1
- Add cc, cxx, and cpp macros
* Sun Aug 15 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 195-1
- Fix macros.build-constraints' %%limit_build
- number of CPUs will never be set to less than 1
- this now outputs build flag overrides to be used with %%make_build etc.
- add documentation
* Mon Aug 2 2021 Florian Weimer <fweimer@redhat.com> - 194-1
- Active GCC plugin during LTO linking
* Sat Jul 24 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 193-1
- Add macros.build-constraints
- Keep the misc macros in alphabetical order
* Sat Jul 10 2021 Neal Gompa <ngompa13@gmail.com> - 192-1
- Make vpath builddir not include arch-specific info
* Thu Jul 01 2021 Miro Hrončok <mhroncok@redhat.com> - 191-1
- Require python-srpm-macros with Python related BuildRoot Policy scripts
* Wed Jun 30 2021 Miro Hrončok <mhroncok@redhat.com> - 190-1
- Move Python related BuildRoot Policy scripts from redhat-rpm-config to python-srpm-macros
* Mon Jun 28 2021 Ben Burton <bab@debian.org> - 189-1
- Adapt macros and BRP scripts for %%topdir with spaces
- Fixes rhbz#1947416
* Tue Jun 22 2021 Panu Matilainen <pmatilai@redhat.com> - 188-1
- Drop reference to now extinct brp-python-hardlink script
* Tue Jun 8 2021 Stephen Coady <scoady@redhat.com> - 187-1
- Add Requires: rpmautospec-rpm-macros
* Mon May 31 2021 Charalampos Stratakis <cstratak@redhat.com> - 186-1
- Enable RPATH check after %%install
- Part of https://fedoraproject.org/wiki/Changes/Broken_RPATH_will_fail_rpmbuild
- Resolves: rhbz#1964548
* Wed May 26 2021 Arjun Shankar <arjun@redhat.com> - 185-1
- Disable annobin on armv7hl
* Mon Apr 12 2021 David Benoit <dbenoit@redhat.com> - 184-1
- Change 'Requires: annobin' to 'Requires: annobin-plugin-gcc'.
* Thu Apr 15 2021 Florian Weimer <fweimer@redhat.com> - 183-1 * Tue Apr 6 2021 David Benoit <dbenoit@redhat.com> - 183-1
- ppc64le: Update ISA baseline to POWER9 (#1876584) - BRP: LLVM Compile LTO Bitcode to ELF
- s390x: Update ISA baseline to z14 (#1876479) - Add Requires: (llvm if clang)
* Mon Mar 22 2021 Lumír Balhar <lbalhar@redhat.com> - 182-1 * Mon Mar 22 2021 Lumír Balhar <lbalhar@redhat.com> - 182-1
- Fix handling of files without newlines in brp-mangle-shebang - Fix handling of files without newlines in brp-mangle-shebang

Loading…
Cancel
Save