Hi Nick,

On Fri, 2019-06-14 at 09:29 -0700, nickclifton wrote:
> This is a request to add support for compressing annobin notes found
> in executable binaries built on Fedora and RHEL systems.
>
> The annobin project adds a note section to binary files describing
> the security hardening features of how they were
> built. Unfortunately these notes can get quite large, especially for
> projects that use lots of object files. The objcopy program from the
> binutils package has an option to reduce the size of these notes by
> eliminating empties and merging duplicates. If the binary does not
> contain any annobin notes then the objcopy will take no noticeable
> amount of time. In fact even if the file does contain annobin notes
> the merging process is relatively fast and it is unlikely to add any
> significant amount of time to the overall build process.
> [...]
> diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh > index d75da1108..14d9ed901 100755 > --- a/scripts/find-debuginfo.sh > +++ b/scripts/find-debuginfo.sh > @@ -296,6 +296,8 @@ add_minidebug() > xz "$mini_debuginfo" > mini_debuginfo="${mini_debuginfo}.xz" > objcopy --add-section .gnu_debugdata="$mini_debuginfo" "$binary" > + # Compress any annobin notes in the original binary. > + objcopy --merge-notes "$binary" > rm -f "$dynsyms" "$funcsyms" "$keep_symbols" "$mini_debuginfo" > } > >
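Review bot: The added `objcopy --merge-notes "$binary"` sits inside add_minidebug(), so notes are merged only for binaries that take the minidebug path, and nothing in the hunk checks the command's exit status. It rewrites "$binary" immediately after the `objcopy --add-section .gnu_debugdata=...` call has modified it, so place the call where every processed binary reaches it and decide explicitly whether a failure should abort the script or only be logged. The comment says "Compress" while the option merges notes; "Merge" would describe it more accurately.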
I don't think this should be part of add_minidebug (). It is something that would need to happen even if we don't run add_minidebug (). Also add_minidebug () runs after stripping/splitting the main ELF file into a .debug file (which also gets a copy of all notes).

I noticed older binutils objcopy don't seem to know about --merge-notes. And produce large errors when trying to run.

So I think this should be something like this, in do_file (), before the binary is actually stripped.

diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh index d75da11..b6a343e 100755 --- a/scripts/find-debuginfo.sh +++ b/scripts/find-debuginfo.sh @@ -405,6 +405,10 @@ do_file() fi fi + # Compress any annobin notes in the original binary. + # Ignore any errors, since older objcopy don't support --merge-notes + objcopy --merge-notes "$f" 2>/dev/null || true + # A binary already copied into /usr/lib/debug doesn't get stripped, # just has its file names collected and adjusted. case "$dn" in

Cheers,

Mark
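Review bot: `2>/dev/null || true` on the added objcopy call in do_file() hides every failure, not only the unsupported-option case named in the comment, so a binary that objcopy could not process goes unnoticed in the build log. Consider testing once whether the installed objcopy accepts --merge-notes and, when it does, running it without the redirect so real errors are reported. The call is also placed above the `case "$dn" in` block whose comment says binaries already copied into /usr/lib/debug are not stripped, so as written it runs on those files too; if that is not intended, move it past that case.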