[Rpm-maint] [rpm-software-management/rpm] Don't brp-strip .ko files (#1744)

Michal Domonkos notifications at github.com
Mon Jul 12 11:25:33 UTC 2021


Otherwise SecureBoot signatures may be stripped too.

We used to exclude shared libraries from this strip as they were
supposed to be covered by another brp script (brp-strip-shared), however
it turned out the latter was never really used, so we removed the
exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.

As it turns out, that was a little too ambitious, since we may now
inadvertently strip SecureBoot signatures from kernel modules too,
provided that they're made during the build, prior to the invocation of
brp-strip.

Note that this regression currently does *not* affect the following two
cases on Fedora/RHEL systems with redhat-rpm-config installed:

  - in-tree modules; these are built from kernel.spec which already
    contains a hack ensuring that module signing only happens *after*
    any stripping (see %__modsign_install_post in kernel.spec)

  - out-of-tree modules built with debuginfo enabled; this is because
    brp-strip is only called when %debug_package is set to %{nil}

Any other combinations may be affected, depending on the macros and
.spec files used, so let's fix this by effectively "reverting" said
commit for .ko files only.

Fixes: rhbz#1967291
You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1744

-- Commit Summary --

  * Don't brp-strip .ko files

-- File Changes --

    M scripts/brp-strip (2)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1744.patch
https://github.com/rpm-software-management/rpm/pull/1744.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1744
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20210712/e0400d87/attachment.html>


More information about the Rpm-maint mailing list