The contrib/devtools/test-security-check.py script is not robust enough to work not only in the well-predicted Guix environment but also in the wild.
For example, on Ubuntu 22.04, GCC has -fcf-protection=full by default. See:
gcc -E -dM - < /dev/null | grep CET
#define __CET__ 3
This PR explicitly provides -fcf-protection=none in cases where it is expected.
<!--e57a25ab6845829454e8d69fc972939a-->
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
<!--021abf342d371248e50ceaed478a90ca-->
See the guideline for information on the review process.
| Type | Reviewers |
|---|---|
| Concept NACK | fanquake |
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
is not robust enough to work not only in the well-predicted Guix environment but also in the wild.
It's not meant to be, and this isn't a design goal.
Concept NACK.
It's not meant to be, and this isn't a design goal.
I agree that security-check.py is supposed to be run in the Guix environment.
But I don't see the point of the same restrictions for test-security-check.py. Mind elaborating this "design goal"? Maybe document it?
Btw, the same approach is used for some other flags.
But I don't see the point of the same restrictions for test-security-check.py.
If the only reason test-security-check.py exists is to sanity-check a script that only runs in Guix, why would it need to work in any other environment.