openssf-compiler-options: -Wl,-z,now causes nvidia-device-plugin to fail to load
#34568
Comments
See: wolfi-dev#34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
|
could have just change it to i guess that this pkg need to link with |
Related: #34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Yeah, that did work when I hacked it onto the end of the options in
That's right. |
|
https://github.com/chainguard-dev/melange/blob/main/pkg/build/pipelines/go/build.yaml |
Thanks @tuananh. That would provide a hook for passing a clean [...]
- uses: go/build
with:
packages: ./cmd/nvidia-device-plugin
ldflags: -extldflags="-Wl,-z,lazy"
output: test
- runs: |
exit 1The spec-defined options just seem to be super sticky. |
|
yeah i tried it too and it didnt work. |
|
@dannf you can quickly escape all hardening by setting To keep all hardening, but use lazy binding do this:
The second step hopefully means "if -z now was not specified, and if -z lazy was not specified, add -z now". Such that if one manually specified either now or lazy on the commandline it wins, and the spec file doesn't add or do anything, creating an opt in. |
|
yeah i think it's better to keep all hardening but only do lazy binding. |
…ev#34569) Until `abseil-cpp-compiler-options` is available (which is blocked by a melange/apko issue), let's disable openssf-compiler-options to unblock building this package. Related: wolfi-dev#34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
…ev#34569) Until `abseil-cpp-compiler-options` is available (which is blocked by a melange/apko issue), let's disable openssf-compiler-options to unblock building this package. Related: wolfi-dev#34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
|
i wonder if this is a gcc bug! |
|
Filed https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117739 Added test case at https://github.com/wolfi-dev/os/pull/35016/files it appears that it is not possible to keep using |
Until `abseil-cpp-compiler-options` is available (which is blocked by a melange/apko issue), let's disable openssf-compiler-options to unblock building this package. Related: wolfi-dev#34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Until `abseil-cpp-compiler-options` is available (which is blocked by a melange/apko issue), let's disable openssf-compiler-options to unblock building this package. Related: wolfi-dev#34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Until `abseil-cpp-compiler-options` is available (which is blocked by a melange/apko issue), let's disable openssf-compiler-options to unblock building this package. Related: #34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Until `abseil-cpp-compiler-options` is available (which is blocked by a melange/apko issue), let's disable openssf-compiler-options to unblock building this package. Related: #34568 Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
This package requires lazy binding to build, which conflicts with
the `-Wl,-z,now` flag in openssf-compiler-options. Instead of disabling
all of the openssf options, let's just drop that one flag.
I tried to implement this completely within openssf-compiler-options,
as described here[*], but the %{!Wl,-z,now:...} syntax doesn't seem
to work for detecting these options. I also tried including various
spec file snippets to tweak the *link_command and friends, but failed.
For now, let's just make our own copy of openssf.spec and edit/use it.
Note: spec files need to have fully qualified paths. melange doesn't
support ${{package.srcdir}} expansion in environment variables yet[**],
so I've hardcoded `/home/build` for now.
[*] #34568 (comment)
[**] chainguard-dev/melange#1728
Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
This package requires lazy binding to build, which conflicts with
the `-Wl,-z,now` flag in openssf-compiler-options. Instead of disabling
all of the openssf options, let's just drop that one flag.
I tried to implement this completely within openssf-compiler-options,
as described here[*], but the %{!Wl,-z,now:...} syntax doesn't seem
to work for detecting these options. I also tried including various
spec file snippets to tweak the *link_command and friends, but failed.
For now, let's just make our own copy of openssf.spec and edit/use it.
Note: spec files need to have fully qualified paths. melange doesn't
support ${{package.srcdir}} expansion in environment variables yet[**],
so I've hardcoded `/home/build` for now.
[*] #34568 (comment)
[**] chainguard-dev/melange#1728
Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
…lazy binding
This package requires lazy binding to build, which conflicts with
the `-Wl,-z,now` flag in openssf-compiler-options. Instead of disabling
all of the openssf options, let's just drop that one flag.
I tried to implement this completely within openssf-compiler-options,
as described here[*], but the %{!Wl,-z,now:...} syntax doesn't seem
to work for detecting these options. I also tried including various
spec file snippets to tweak the *link_command and friends, but failed.
For now, let's just make our own copy of openssf.spec and edit/use it.
Note: spec files need to have fully qualified paths. melange doesn't
support ${{package.srcdir}} expansion in environment variables yet[**],
so I've hardcoded `/home/build` for now.
[*] #34568 (comment)
[**] chainguard-dev/melange#1728
Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
|
|
…w lazy binding
This package requires lazy binding to build, which conflicts with
the `-Wl,-z,now` flag in openssf-compiler-options. Instead of disabling
all of the openssf options, let's just drop that one flag.
I tried to implement this completely within openssf-compiler-options,
as described here[*], but the %{!Wl,-z,now:...} syntax doesn't seem
to work for detecting these options. I also tried including various
spec file snippets to tweak the *link_command and friends, but failed.
For now, let's just make our own copy of openssf.spec and edit/use it.
Note: spec files need to have fully qualified paths. melange doesn't
support ${{package.srcdir}} expansion in environment variables yet[**],
so I've hardcoded `/home/build` for now.
[*] wolfi-dev#34568 (comment)
[**] chainguard-dev/melange#1728
Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
…lazy binding
This package requires lazy binding to build, which conflicts with
the `-Wl,-z,now` flag in openssf-compiler-options. Instead of disabling
all of the openssf options, let's just drop that one flag.
I tried to implement this completely within openssf-compiler-options,
as described here[*], but the %{!Wl,-z,now:...} syntax doesn't seem
to work for detecting these options. I also tried including various
spec file snippets to tweak the *link_command and friends, but failed.
For now, let's just make our own copy of openssf.spec and edit/use it.
Note: spec files need to have fully qualified paths. melange doesn't
support ${{package.srcdir}} expansion in environment variables yet[**],
so I've hardcoded `/home/build` for now.
[*] wolfi-dev#34568 (comment)
[**] chainguard-dev/melange#1728
Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
I'm reporting this per https://github.com/orgs/wolfi-dev/discussions/33052.
I found that while a rebuild of
nvidia-device-pluginw/openssf-compiler-flagssucceeds, the tests will fail:nvidia-device-plugin-build-and-test-fail.txt
nvidia-device-plugin-no-rebuild-test-ok.txt
The text was updated successfully, but these errors were encountered: