Project

General

Profile

Bug #14422

Ruby configuration options should not be reused for gem builds

Added by vo.x (Vit Ondruch) 19 days ago. Updated 17 days ago.

Status:
Open
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-linux]
[ruby-core:85247]

Description

When Fedora started to harden its packages, we quite often seen complains from our users about problems installing their gems, with errors such as 1:

gcc: error: /usr/lib/rpm/redhat/redhat-hardened-cc1: No such file or directory

The issue as analyzed by Mamoru TASAKA is 2:

Well, if I am not mistaken, the real problem here is that rpm's %optflags is always embedded into Fedora's ruby config file, that is

/usr/lib64/ruby/rbconfig.rb:167: CONFIG["CXXFLAGS"] = "-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -mtune=generic"
/usr/lib64/ruby/rbconfig.rb:171: CONFIG["CFLAGS"] = "-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -mtune=generic -fPIC"

on x86_64, for example.

Although I am not sure this is already discussed somewhere or not, basically I think changing the default CFLAGS of "system" ruby like this way is undesirable and ? installed "rbconfig.rb" should have some "minimal" CFLAGS / CXXFLAGS.
( for example, just like CONFIG["CFLAGS"] = "-fPIC" )

Only when we build Fedora gems or so (on koji), we should change CFLAGS / CXXFLAGS explicitly afterwards using %optflags.

and Red Hat toolchain team responds 3:

The current advice of the Red Hat toolchain team is to keep distribution build flags and toolchain default flags separate. This is why running “gcc” gives you the upstream defaults, and not the flags we use to compile Fedora packages. For consistency, Ruby (and other compilation support tools) follow this pattern: Use distribution flags when building for Fedora, but use upstream flags when the user compiles packages (i.e., what Ruby uses, probably something involving -O2).

Our build flags are fully ABI-compatible with each other, so mismatches will not cause any problems at the C/C++/ABI level.

The question is why Ruby does this and how we can avoid this behavior. We could force installation of redhat-rpm-config package, providing the "/usr/lib/rpm/redhat/redhat-hardened-cc1", to every ruby user, but that does not seems right. There are also other similar issues discussing this situation 4, 5. Any thoughts?

History

#1 [ruby-core:85249] Updated by nobu (Nobuyoshi Nakada) 19 days ago

vo.x (Vit Ondruch) wrote:

Our build flags are fully ABI-compatible with each other, so mismatches will not cause any problems at the C/C++/ABI level.

Possibly it can be true on Fedora, but no one guarantees it on other platforms, and for different $(CC) especially, in general.

The question is why Ruby does this and how we can avoid this behavior. We could force installation of redhat-rpm-config package, providing the "/usr/lib/rpm/redhat/redhat-hardened-cc1", to every ruby user, but that does not seems right. There are also other similar issues discussing this situation [4], [5]. Any thoughts?

Options given to configure as XCFLAGS and XLDFLAGS are used to build ruby itself, but not for extension libraries.
May this help you?

#2 [ruby-core:85250] Updated by Hanmac (Hans Mackowiak) 19 days ago

i had some problem when building wxWidgets gem for ruby (and testing it on osx)

i needed to check that both wxWidgets, ruby and my gem where both build with the same compiler,
and in cases of wxWidgets and my gem with same compiler flags like -std

thats why i am unsure about removing configuration options

#3 [ruby-core:85252] Updated by shevegen (Robert A. Heiler) 19 days ago

This sounds very much like fedora-specific problems rather than
a problem caused by ruby, to be honest.

#4 [ruby-core:85325] Updated by vo.x (Vit Ondruch) 17 days ago

nobu (Nobuyoshi Nakada) wrote:

vo.x (Vit Ondruch) wrote:

The question is why Ruby does this and how we can avoid this behavior. We could force installation of redhat-rpm-config package, providing the "/usr/lib/rpm/redhat/redhat-hardened-cc1", to every ruby user, but that does not seems right. There are also other similar issues discussing this situation [4], [5]. Any thoughts?

Options given to configure as XCFLAGS and XLDFLAGS are used to build ruby itself, but not for extension libraries.
May this help you?

Well, for configuration of every Fedora package, I should be using standard %configure macro, which by default defines CFLAGS and similar env variables. Of course I might opt to not use the %configure macro, but this means diverging from defaults and possibly causing different issues (e.g. the hardening options will be forgotten etc).

#5 [ruby-core:85326] Updated by vo.x (Vit Ondruch) 17 days ago

shevegen (Robert A. Heiler) wrote:

This sounds very much like fedora-specific problems rather than
a problem caused by ruby, to be honest.

This issue might suffer any binary distribution sooner or later, be it Fedora, Debian or even Homebrew on Mac. The only case where it doesn't really matter is when you build everything from scratch on the target system, because there you have the whole toolchain and it is run only on that specific environment.

Actually it would have never be issue if the -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 option, which pulls in some configuration file, was not among the parameters.

Also available in: Atom PDF