build: fix insecure RUNPATH #3212

Merged
merged 1 commit into from
Feb 1, 2025

Contributor

@orbea orbea commented Dec 2, 2024

In Gentoo -static-libtool-libs causes a QA Notice.

 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at https://bugs.gentoo.org/
 *  with the maintainer of the package.
 *   /var/tmp/portage/app-misc/jq-1.7.1/image/usr/bin/jqn    RPATH: /var/tmp/portage/app-misc/jq-1.7.1/work/jq-jq-1.7.1/.libs

Gentoo-Issue: https://bugs.gentoo.org/945698

orbea added a commit to orbea/gentoo that referenced this pull request Dec 2, 2024
@itchyny itchyny added the build label Dec 2, 2024
gentoo-bot pushed a commit to gentoo/gentoo that referenced this pull request Dec 3, 2024
[sam: Add revbump.]

Closes: https://bugs.gentoo.org/945698
Fixes: df24c1f
Upstream-PR: jqlang/jq#3212
Signed-off-by: orbea <[email protected]>
Closes: #39565
Signed-off-by: Sam James <[email protected]>
Contributor

itchyny commented Jan 28, 2025

@orbea Sorry, I'm trying to catch up on the issue but I can't understand it well. Could you explain the issue and why we have to remove the flag?

In Gentoo -static-libtool-libs causes a QA Notice.

 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at https://bugs.gentoo.org/
 *  with the maintainer of the package.
 *   /var/tmp/portage/app-misc/jq-1.7.1/image/usr/bin/jqn    RPATH: /var/tmp/portage/app-misc/jq-1.7.1/work/jq-jq-1.7.1/.libs

Gentoo-Issue: https://bugs.gentoo.org/945698
Signed-off-by: orbea <[email protected]>
Contributor Author

orbea commented Jan 28, 2025

The -static-libtool-libs flag causes GNU libtool to add an rpath to the .libs build directory, which is intended for internal use by the libtool implementation and is not installed in the resulting package, causing Gentoo to print a QA notice. I can't say what the original intent in adding the flag in the first place was; it doesn't seem very useful to me.

Member

wader commented Jan 28, 2025

Was added in 5d9ec83, unclear why. Seems OK to me to remove. I wonder if we should have a CI test that verifies that the resulting binary actually is static? Inspect the binary or maybe run the binary in a scratch container, etc.?
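A sketch of the binary inspection discussed in the two comments above, as an added example that is not part of the thread and is not jq's or Gentoo's own check. It assumes the text output of `readelf -d <binary>` has been captured; the `UNSAFE_PREFIXES` policy and the function names are assumptions made for illustration.

```python
import re

# Assumption: prefixes treated as unsafe because they are temporary or build
# locations rather than directories installed with the package.
UNSAFE_PREFIXES = ("/tmp", "/var/tmp")

_PATH_TAG = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
_NEEDED = re.compile(r"\(NEEDED\)\s+Shared library: \[(.*)\]")

def insecure_runpaths(readelf_dynamic):
    """Return (tag, entry, reason) for each risky DT_RPATH/DT_RUNPATH entry."""
    findings = []
    for line in readelf_dynamic.splitlines():
        m = _PATH_TAG.search(line)
        if not m:
            continue
        tag, value = m.groups()
        for entry in value.split(":"):
            if entry.startswith(("$ORIGIN", "${ORIGIN}")):
                continue  # resolved relative to the binary's own directory
            if not entry.startswith("/"):
                findings.append((tag, entry, "empty or relative entry"))
            elif any(entry == p or entry.startswith(p + "/") for p in UNSAFE_PREFIXES):
                findings.append((tag, entry, "temporary or build directory"))
    return findings

def needed_libraries(readelf_dynamic):
    """Shared libraries the binary still loads at run time (empty if static)."""
    return _NEEDED.findall(readelf_dynamic)

# Constructed sample in `readelf -d` format; the RPATH value is the one quoted
# in the QA notice, the NEEDED entries are illustrative.
SAMPLE = """\
Dynamic section at offset 0x2d18 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libonig.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/var/tmp/portage/app-misc/jq-1.7.1/work/jq-jq-1.7.1/.libs]
"""

if __name__ == "__main__":
    for tag, entry, reason in insecure_runpaths(SAMPLE):
        print(f"{tag}: {entry!r} ({reason})")
    print("NEEDED:", needed_libraries(SAMPLE))
```

A CI job could fail the build when `insecure_runpaths` returns anything, and, if a fully static binary is the goal, when `needed_libraries` is non-empty.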

Contributor Author

orbea commented Jan 29, 2025

Was added in 5d9ec83, unclear why. Seems OK to me to remove. I wonder if we should have a CI test that verifies that the resulting binary actually is static? Inspect the binary or maybe run the binary in a scratch container, etc.?

If the intent is that the binary is built entirely statically, then I think the correct flag is -static, where it will be entirely static excluding system libraries (unless those are also built statically by the user), whereas with -all-static it will result in failing to link any non-static system libraries like libonig.

Contributor

@itchyny itchyny left a comment

Thanks for explanation. LGTM!

@itchyny itchyny merged commit 07af9c1 into jqlang:master Feb 1, 2025
28 checks passed