cc-wrapper: omit adding -D_FORTIFY_SOURCE if it would cause redefinition#246067
cc-wrapper: omit adding -D_FORTIFY_SOURCE if it would cause redefinition#246067risicle wants to merge 1 commit intoNixOS:stagingfrom
-D_FORTIFY_SOURCE if it would cause redefinition#246067Conversation
this shouldn't actually change behaviour as the way hardeningCFlags are currently *prepended* to supplied params, the caller-supplied value will win anyway, but in omitting our definition, we'll avoid annoying (and potentially fatal) warnings
|
I'm not too excited about this. Trying to parse the flags that upstream's build process passes to the wrapper, and then change our behavior based on that... I mean down that path lies madness. It's a long established principle that conflicting C compiler flags are okay, and later flags supersede earlier flags. Nixpkgs has always exploited and depended upon this, extensively. It sounds like all this extra complexity is simply because:
Frankly I think the complexity this adds to Better solutions would be:
I think 2 is a good idea in any case. We use and rely upon the ability to pass flags that override other flags. It's not a defect; we don't need to be warned when this happens. |
|
FWIW we already inspect As for it "being annoying" it's a bit of an understatement - there are some packages where it doubles the size of the build log. But failing that, a more comprehensive solution may be to move Anyway, let's keep more general discussion of other possible solutions on #224822 |
|
I think I would generally support overriding upstream for hardening, especially since I expect most of these in practice are opting in to hardening rather than out and we can (In other words I think "adding |
|
I think one of my concerns is how few things cc-wrapper currently adds to the end of the command line. The general pattern is to let the command-line "win". (urgh let's bring this back to #224822) |
|
#246244 was merged instead |
Description of changes
See discussion in #224822 regarding annoying redefinition warnings it caused. This is the simplest of my proposed options.
This shouldn't actually change behaviour as the way
hardeningCFlagsare currently prepended to supplied params, the caller-supplied value will win anyway, but in omitting our definition, we'll avoid annoying (and potentially fatal) warnings.Tested against #217390 successfully, nixos x86_64.
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)