glibc: Enable openssf-compiler-options #53351

Open
wants to merge 1 commit into
base: main
from

Conversation

sergiodj
Member

@sergiodj sergiodj commented May 14, 2025

Restore openssf-compiler-options hardening on glibc.

This build is now passing on both amd64 and arm64.

Relates: https://github.com/chainguard-dev/internal-dev/issues/7756
Relates: #39303
Relates: https://github.com/chainguard-dev/internal-dev/issues/7940

Signed-off-by: Sergio Durigan Junior <[email protected]>
@sergiodj sergiodj requested a review from a team as a code owner May 14, 2025 18:43
@sergiodj sergiodj marked this pull request as draft May 14, 2025 18:43
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages) May 14, 2025
@sergiodj sergiodj changed the title DNM: glibc: Enable openssf-compiler-options glibc: Enable openssf-compiler-options May 14, 2025
@sergiodj sergiodj marked this pull request as ready for review May 14, 2025 20:34
@sergiodj sergiodj enabled auto-merge May 14, 2025 20:34
@dannf dannf disabled auto-merge May 14, 2025 21:40
@dannf
Member

dannf commented May 14, 2025

We merged this before, but it resulted in an incident where a number of binaries were segfaulting.

@dannf dannf left a comment


Adding a blocking comment just to prevent an overly friendly foundation'er from approving until we've root caused the issue

@xnox
Member

xnox commented May 15, 2025

We merged this before, but it resulted in an incident where a number of binaries were segfaulting.

Some of the hardening enablement requires rebuilding / rebootstrapping in order. We did it a few times before in Debian and Ubuntu. If we look through mailing list archives there should be messages from @doko42 about it. Possibly @stevebeattie remembers it too?

@sergiodj
Member Author

@eslerm ^
