k8s-device-plugin: Restore use of non-problematic openssf-compiler-op…

…tions Continue the (admittedly ugly) pattern of copy+modifying openssf.spec to remove -Wl,-z,now so we can reenable the remaining hardening. Here's the diff in hardening-check output this produces: --- before 2025-01-08 10:50:31.373533578 -0700 +++ after 2025-01-08 10:50:42.569543846 -0700 @@ -1,7 +1,7 @@ /usr/bin/gpu-feature-discovery: Position Independent Executable: no, normal executable! Stack protected: no, not found! -Fortify Source functions: no, only unprotected functions found! +Fortify Source functions: yes Read-only relocations: yes Immediate binding: no, not found! Stack clash protection: unknown, no -fstack-clash-protection instructions found @@ -9,7 +9,7 @@ /usr/bin/mps-control-daemon: Position Independent Executable: no, normal executable! Stack protected: yes -Fortify Source functions: no, only unprotected functions found! +Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no, not found! Stack clash protection: unknown, no -fstack-clash-protection instructions found @@ -17,7 +17,7 @@ /usr/bin/nvidia-device-plugin: Position Independent Executable: no, normal executable! Stack protected: yes -Fortify Source functions: no, only unprotected functions found! +Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no, not found! Stack clash protection: unknown, no -fstack-clash-protection instructions found Fixes: #34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
wolfi-dev · Jan 8, 2025 · b42805d · b42805d
1 parent 9aa421e
commit b42805d
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/k8s-device-plugin.yaml b/k8s-device-plugin.yaml
@@ -1,7 +1,7 @@
 package:
   name: k8s-device-plugin
   version: 0.17.0
-  epoch: 2
+  epoch: 3
   description: meta package providing all NVIDIA device plugins for Kubernetes
   copyright:
     - license: Apache-2.0
@@ -20,7 +20,7 @@ environment:
       - go
   environment:
     # See https://github.com/wolfi-dev/os/issues/34568
-    GCC_SPEC_FILE: "/dev/null"
+    GCC_SPEC_FILE: /home/build/openssf.spec
 
 pipeline:
   - uses: git-checkout
@@ -29,6 +29,10 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: d475b2cfcf12b983a4975d4fc59d91af432cf28e
 
+  - runs: |
+      gccdir="$(GCC_SPEC_FILE=/dev/null gcc --print-search-dirs | grep ^install: | cut -d' ' -f2)"
+      sed -r 's/,?-z,now//' < "$gccdir/openssf.spec" > /home/build/openssf.spec
+
   - uses: go/bump
     with:
       deps: golang.org/x/net@v0.33.0