5e993f12 | 1 | Index: ebuild.sh |
2 | =================================================================== | |
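--- ebuild.sh (revision 2825)
+++ ebuild.sh (working copy)
@@ -1095,7 +1095,7 @@
 done
 
 if type -p scanelf > /dev/null ; then
- local insecure_rpath=0
+ local qa_var insecure_rpath=0
 
 # Make sure we disallow insecure RUNPATH/RPATH's
 # Don't want paths that point to the tree where the package was built
@@ -1132,9 +1132,22 @@
 fi
 
 # TEXTREL's are baaaaaaaad
- f=$(scanelf -qyRF '%t %p' "${D}")
+ # Allow devs to mark things as ignorable ... e.g. things that are
+ # binary-only and upstream isn't cooperating (nvidia-glx) ... we
+ # allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ...
+ # the former overrides the latter ... regexes allowed ! :)
+ qa_var="QA_TEXTRELS_${ARCH}"
+ [[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var}
+ f=$(scanelf -qyRF '%t %p' "${D}" | grep -v ' usr/lib/debug/' | \
+ gawk '
+ BEGIN { split("'"${QA_TEXTRELS}"'", ignore); }
+ { for (idx in ignore)
+ if ($NF ~ "^"ignore[idx]"$")
+ next;
+ print;
+ }')
 if [[ -n ${f} ]] ; then
- scanelf -qyRF '%T %p' "${WORKDIR}"/ &> "${T}"/scanelf-textrel.log
+ scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log
 echo -ne '\a\n'
 echo "QA Notice: the following files contain runtime text relocations"
 echo " Text relocations force the dynamic linker to perform extra"
@@ -1158,15 +1171,30 @@
 # http://hardened.gentoo.org/gnu-stack.xml (Arch Status)
 case ${CTARGET:-${CHOST}} in
 i?86*|ia64*|m68k*|powerpc64*|s390*|x86_64*)
- f=$(scanelf -qyRF '%e %p' "${D}") ;;
- *)
- f="" ;;
+ # Allow devs to mark things as ignorable ... e.g. things
+ # that are binary-only and upstream isn't cooperating ...
+ # we allow ebuild authors to set QA_EXECSTACK_arch and
+ # QA_EXECSTACK ... the former overrides the latter ...
+ # regexes allowed ! :)
+
+ qa_var="QA_EXECSTACK_${ARCH}"
+ [[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var}
+ f=$(scanelf -qyRF '%e %p' "${D}" | grep -v ' usr/lib/debug/' | \
+ gawk '
+ BEGIN { split("'"${QA_EXECSTACK}"'", ignore); }
+ { for (idx in ignore)
+ if ($NF ~ "^"ignore[idx]"$")
+ next;
+ print;
+ }')
+ ;;
+ *) f="" ;;
 esac
 ;;
 esac
 if [[ -n ${f} ]] ; then
 # One more pass to help devs track down the source
- scanelf -qyRF '%e %p' "${WORKDIR}"/ &> "${T}"/scanelf-exec.log
+ scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log
 echo -ne '\a\n'
 echo "QA Notice: the following files contain executable stacks"
 echo " Files with executable stacks will not work properly (or at all!)"
@@ -1174,7 +1202,7 @@
 echo " at http://bugs.gentoo.org/ to make sure the file is fixed."
 echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml"
 echo " Please include this file in your report:"
- echo " ${T}/scanelf-exec.log"
+ echo " ${T}/scanelf-execstack.log"
 echo "${f}"
 echo -ne '\a\n'
 die_msg="${die_msg} execstacks"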
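Review bot: The `split("'"${QA_TEXTRELS}"'", ignore)` line in the `@@ -1132,9 +1132,22 @@` hunk pastes the ebuild-supplied value into the gawk program text as a string literal, so a double quote breaks the awk program and a backslash escape such as `\.` is consumed by string-literal processing before the regex match, making the exemption match more than the author wrote. The `QA_EXECSTACK` copy in the `@@ -1158,15 +1171,30 @@` hunk has the same problem. Passing the list as data keeps the patterns intact, e.g. `QA_TEXTRELS="${QA_TEXTRELS}" gawk 'BEGIN { split(ENVIRON["QA_TEXTRELS"], ignore); } ...'`. Because these lists switch off a hardening check, it would also help to record the exempted paths in the scanelf log, so an overly broad pattern is visible to whoever reviews the build. The enclosing function starts and ends outside the hunks.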