Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1973304 - check-rpath flags valid rpath as invalid
Summary: check-rpath flags valid rpath as invalid
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Packaging Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-17 15:38 UTC by Michael Catanzaro
Modified: 2021-06-23 13:25 UTC (History)
10 users (show)

Fixed In Version: rpm-4.17.0-0.beta1.0.fc35.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-23 09:07:51 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github rpm-software-management rpm pull 1721 0 None open Allow /usr/libexec/* rpaths 2021-06-21 16:11:56 UTC

Description Michael Catanzaro 2021-06-17 15:38:09 UTC 
Hi, glib2 build is now failing in rawhide with:

+ /usr/lib/rpm/check-rpaths
*******************************************************************************
*
* WARNING: 'check-rpaths' detected a broken RPATH OR RUNPATH and will cause
*          'rpmbuild' to fail. To ignore these errors, you can set the
*          '$QA_RPATHS' environment variable which is a bitmask allowing the
*          values below. The current value of QA_RPATHS is 0x0000.
*
*    0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
*               issue but are introducing redundant searchpaths without
*               providing a benefit. They can also cause errors in multilib
*               environments.
*    0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
*               nor relative filenames and can therefore be a SECURITY risk
*    0x0004 ... insecure RPATHs; these are relative RPATHs which are a
*               SECURITY risk
*    0x0008 ... the special '$ORIGIN' RPATHs are appearing after other
*               RPATHs; this is just a minor issue but usually unwanted
*    0x0010 ... the RPATH is empty; there is no reason for such RPATHs
*               and they cause unneeded work while loading libraries
*    0x0020 ... an RPATH references '..' of an absolute path; this will break
*               the functionality when the path before '..' is a symlink
*          
*
* Examples:
* - to ignore standard and empty RPATHs, execute 'rpmbuild' like
*   $ QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild my-package.src.rpm
* - to check existing files, set $RPM_BUILD_ROOT and execute check-rpaths like
*   $ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
*  
*******************************************************************************
ERROR   0002: file '/usr/libexec/installed-tests/glib/gdbus-peer' contains an invalid runpath '/usr/libexec/installed-tests/glib' in [/usr/libexec/installed-tests/glib]

which is coming from https://fedoraproject.org/wiki/Changes/Broken_RPATH_will_fail_rpmbuild.

Problem is the runpath here looks fine. It is an absolute filename, so I don't see why it should fail the 0x0002 check. And it's pointing to a location for private libraries, which is also supposed to be allowed. The installed tests will not work without it.

I'm going to use __brp_check_rpaths %{nil} to disable check-rpath for the entire package as a temporary workaround.
Comment 1 Jerry James 2021-06-17 15:55:03 UTC 
I hit the same problem with swift-antlr4-runtime (a subpackage of antlr4-project), which has an RPATH pointing to the Swift runtime libraries, which are under /usr/libexec.  The Swift support will not work unless it can find the Swift runtime, so in this case, too, the RPATH is valid.
Comment 2 Miro Hrončok 2021-06-23 09:07:51 UTC 
Verified the fix with sudo package. Thanks.
Comment 3 Michael Catanzaro 2021-06-23 13:25:35 UTC 
Confirmed fixed.
Note You need to log in before you can comment on or make changes to this bug.