[Bug 2078244] Re: ceph: Does not respect compiler flags for Python extensions
James Page
2078244 at bugs.launchpad.net
Mon Sep 2 08:31:39 UTC 2024
Hi Graham
I think this is worth fixing however I'm not sure the proposed patch is
the right approach - the CMake module it touches actively manages
PY_CFLAGS:

    # Note: no quotes, otherwise distutils will execute "/usr/bin/ccache gcc"
    # CMake's implicit conversion between strings and lists is wonderful, isn't it?
    set(PY_CFLAGS ${COMPILE_OPTIONS})
    cmake_parse_arguments(DU "DISABLE_VTA" "" "" ${ARGN})
    if(DU_DISABLE_VTA AND HAS_VTA)
      list(APPEND PY_CFLAGS -fno-var-tracking-assignments)
    endif()

so although this does result in passing the flags through for the Python
module, it inhibits the function of the CMake module (and I'd like to
get whatever fix we use upstream).
It feels like PY_CFLAGS should be populated with the environmental
CFLAGS but that's not getting passed through correctly? How does
COMPILE_OPTIONS get generated by cmake?
** Changed in: ceph (Ubuntu Noble)
Importance: Undecided => Medium
** Changed in: ceph (Ubuntu Oracular)
Importance: Undecided => Medium
** Changed in: ceph (Ubuntu Oracular)
Status: New => Triaged
** Changed in: ceph (Ubuntu Noble)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/2078244
Title:
ceph: Does not respect compiler flags for Python extensions
Status in ceph package in Ubuntu:
Triaged
Status in ceph source package in Noble:
Triaged
Status in ceph source package in Oracular:
Triaged
Bug description:
[Impact]
The packaging does not respect compiler flags when building the Python extensions, notably hardening flags like the stack protector, as well as frame-pointer.
[Test plan]
Look at the build log and see that the build flags have been passed, notably stuff like
-fno-strict-overflow -Wsign-compare -DNDEBUG -g -O2 -Wall -g -O2 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
It can be seen that this is already the case for the shared libraries,
it is only the Python extensions that are missing flags.
[Where problems could occur]
Hardening flags could surface existing (possibly security) bugs that have been asymptomatic so far; frame-pointers will incur some slowdown.
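
Added example (not part of the bug report or of the Ceph packaging): a Python check for the test plan above, which scans a build log for Python-extension compile lines and lists the flags from the test plan that each one lacks. The "build/temp." path marker used to pick out extension objects and the sample log lines are constructed assumptions.

```python
import shlex

# Hardening and frame-pointer flags named in the bug's test plan.
REQUIRED_FLAGS = (
    "-fstack-protector-strong", "-fstack-clash-protection",
    "-fcf-protection", "-Wformat", "-Werror=format-security",
    "-fno-omit-frame-pointer", "-mno-omit-leaf-frame-pointer",
)
# Assumption: extension objects are written under a setuptools-style
# "build/temp." directory; change the marker to match the real build log.
EXT_MARKER = "build/temp."


def has_flag(argv, flag):
    """True if flag is present as-is or with a value, e.g. -fcf-protection=full."""
    return any(a == flag or a.startswith(flag + "=") for a in argv)


def missing_flags(log_text, marker=EXT_MARKER, required=REQUIRED_FLAGS):
    """Map each extension object file to the required flags its compile line lacks."""
    report = {}
    for line in log_text.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a plain command line
            continue
        if "-c" not in argv or "-o" not in argv[:-1]:
            continue  # not a compile step
        obj = argv[argv.index("-o") + 1]
        if marker not in obj:
            continue  # library or other non-extension object
        absent = [f for f in required if not has_flag(argv, f)]
        if absent:
            report[obj] = absent
    return report


# Constructed sample log: one hardened extension, one built without the flags.
SAMPLE_LOG = "\n".join([
    "[ 12%] Building CXX object src/CMakeFiles/common.dir/common.cc.o",
    "cc -g -O2 " + " ".join(REQUIRED_FLAGS)
    + " -fPIC -c rbd.c -o build/temp.linux-x86_64/rbd.o",
    "cc -fno-strict-overflow -Wsign-compare -DNDEBUG -g -O2 -Wall -fPIC"
    " -c rados.c -o build/temp.linux-x86_64/rados.o",
])

if __name__ == "__main__":
    for obj, absent in missing_flags(SAMPLE_LOG).items():
        print(f"{obj}: missing {' '.join(absent)}")
```

An empty result means every matched extension compile line carried all of the listed flags.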