https://bugzilla.redhat.com/show_bug.cgi?id=972477

--- Comment #11 from Roman Mohr <ro...@fenkhuber.at> ---
(In reply to Björn Esser from comment #9)
> (In reply to Björn Esser from comment #8)
> > [!]: %build honors applicable compiler flags or justifies otherwise.
> > 
> >      ---> {C,LD}FLAGS possibly ignored by Makefile; GOT is still writeable
> >           caused by "partial RELRO", complete RELRO needs `-Wl,-z,relro,-z,now`
> >           doesn't build PIE, although %global _hardened_build 1 is in spec
> > 
> >           `hardening-check --verbose fido`
> >           fido:
> >            Position Independent Executable: no, normal executable!
> >            ...
> >            Immediate binding: no, not found!
> > 
> >           see attached build.log
> 
> Upstream's way to build the binary is the key to this:  Makefile compiles a
> STATIC-lib and links this into the sbin-exec, which makes real, useful
> hardening impossible.  Static libs can't be built as PIE and linked with
> -z,now, afaik.
> 
> You should work out a way, with upstream, avoiding this static-lib during
> build;  either it should build a shlib and link this or just building the
> sbin-exec from all single objects.

I just discovered a few minutes ago that siege (also from the same author),
which is already in Fedora, also includes lib/joedog.

(In reply to Terje Røsten from comment #10)
> Some of the functions on lib/ are simple/unneeded(?), building a static lib
> for these seems like overkill.

Yes, most of these functions are just convenience wrappers of the author, but I
think I have no choice, as the library is also in another package and I have already
found critical bugs in there.

(In reply to Björn Esser from comment #8)
> [?]: Package complies to the Packaging Guidelines
> 
>      ---> needs check for bundled libs, esp. files with license differing
>           from upstream

The library is in all of the GPLv2 projects of the author. I have checked them;
they all have the same license in the header.


So I think the cleanest solution is that I contact the author and the
maintainer of siege and we create a separate package for the library. What
do you think?
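The two checks behind the `hardening-check` output quoted above (PIE from the ELF type, partial vs. complete RELRO from the PT_GNU_RELRO segment plus a BIND_NOW dynamic flag), as an added Python example that is not part of this bug thread or of the fido/siege packages. `build_elf` is a hypothetical helper that constructs minimal synthetic ELF64 images so the check runs offline; point `hardening_status` at real file contents to audit a built binary.

```python
import struct

# ELF64 little-endian constants (from the ELF and glibc ABI specs)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def hardening_status(elf: bytes) -> dict:
    """Classify PIE and RELRO for a little-endian ELF64 image, like hardening-check.

    'full' RELRO needs both a PT_GNU_RELRO segment and immediate binding
    (-z now); a segment alone is only 'partial', leaving the GOT writable.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro = bind_now = False
    for i in range(e_phnum):
        hdr = e_phoff + i * e_phentsize
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, hdr)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:  # walk the dynamic section for BIND_NOW
            pos = p_off
            while pos + 16 <= p_off + p_filesz:
                d_tag, d_val = struct.unpack_from("<qQ", elf, pos)
                pos += 16
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now}


def build_elf(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Hypothetical helper: constructed ELF64 image with a header, two program
    headers and a tiny dynamic section, just enough for hardening_status()."""
    phoff, phentsize, phnum = 64, 56, 2
    dyn_off = phoff + phentsize * phnum
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0, 64,
                        phentsize, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else PT_LOAD, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn
```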

package-review mailing list
package-review@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-review