Make rpath optional

Issue #183 invalid
Vít Ondruch
created an issue

As a resolution of #146, you added explicitly the -rpath option. While I understand this solves some issues, it causes issues for rubygem-pg Fedora package, since Fedora discourages usage or rpaths. I would be glad, if this change could be optional or reverted and the fix is applied where it belongs [2].

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#Beware_of_Rpath [2] https://fedoraproject.org/wiki/Packaging:Guidelines#Alternatives_to_Rpath

Comments (5)

  1. Vít Ondruch reporter

    Just for the record, this is output of Fedora's tool for checking RPATH:

    $ /usr/lib/rpm/check-rpaths-worker /var/lib/mock/fedora-f21-ruby-x86_64/root/builddir/build/BUILD/rubygem-pg-0.17.1/usr/lib64/gems/ruby/pg-0.17.1/pg_ext.so 
    *******************************************************************************
    *
    * WARNING: 'check-rpaths' detected a broken RPATH and will cause 'rpmbuild'
    *          to fail. To ignore these errors, you can set the '$QA_RPATHS'
    *          environment variable which is a bitmask allowing the values
    *          below. The current value of QA_RPATHS is 0x0000.
    *
    *    0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
    *               issue but are introducing redundant searchpaths without
    *               providing a benefit. They can also cause errors in multilib
    *               environments.
    *    0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
    *               nor relative filenames and can therefore be a SECURITY risk
    *    0x0004 ... insecure RPATHs; these are relative RPATHs which are a
    *               SECURITY risk
    *    0x0008 ... the special '$ORIGIN' RPATHs are appearing after other
    *               RPATHs; this is just a minor issue but usually unwanted
    *    0x0010 ... the RPATH is empty; there is no reason for such RPATHs
    *               and they cause unneeded work while loading libraries
    *    0x0020 ... an RPATH references '..' of an absolute path; this will break
    *               the functionality when the path before '..' is a symlink
    *          
    *
    * Examples:
    * - to ignore standard and empty RPATHs, execute 'rpmbuild' like
    *   $ QA_RPATHS=$[ 0x0001|0x0010 ] rpmbuild my-package.src.rpm
    * - to check existing files, set $RPM_BUILD_ROOT and execute check-rpaths like
    *   $ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
    *  
    *******************************************************************************
    ERROR   0001: file '/var/lib/mock/fedora-f21-ruby-x86_64/root/builddir/build/BUILD/rubygem-pg-0.17.1/usr/lib64/gems/ruby/pg-0.17.1/pg_ext.so' contains a standard rpath '/usr/lib64' in [/usr/lib64]
    
  2. Vít Ondruch reporter

    So far it is just against policy, but the policy prevents against real world issues as explained in the link I provided in my initial comment as well as by the output of the check-rpaths-worker command.

  3. Michael Granger repo owner

    Your initial links certainly say "beware of rpath", but don't provide any insight into why it's (seemingly) always bad to use it. It just describes what it does, which in pg's case is exactly what it's meant to do: ensure that the extension links against a specific version of libpq, namely the one it's compiled against.

    The policies of one distribution of one of the many OSes supported by Ruby and PostgreSQL do not in my mind trump the additional insurance provided by setting rpath, but if you're motivated to provide some mechanism to omit it at gem-install time then I'll happily accept a pull request/patch for it.

  4. Log in to comment