Warning: This is my workaround for building other people’s packages that may or may not have security issues or other problems but will not build correctly without removing the RPATHs check.
I define several things in my ~/.rpmmacros for creating RPMs from source tarballs, one of which is this line:
%__arch_install_post /usr/lib/rpm/check-rpaths /usr/lib/rpm/check-buildroot
RPATHs are used to search for libraries outside of the standard paths. They are given to the linker at build time and can be inspected with readelf -a binary | grep RPATH.
They can be a security risk, cause unneeded work, or break functionality. If you see the following message from rpmbuild when a build breaks, then you may find that removing the check will allow the RPM to build.
***********************************************************
*
* WARNING: 'check-rpaths' detected a broken RPATH and will cause 'rpmbuild'
* to fail. To ignore these errors, you can set the '\$QA_RPATHS'
* environment variable which is a bitmask allowing the values
* below. The current value of QA_RPATHS is $(printf '0x%04x' $QA_RPATHS).
*
* 0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
* issue but are introducing redundant searchpaths without
* providing a benefit. They can also cause errors in multilib
* environments.
* 0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
* nor relative filenames and can therefore be a SECURITY risk
* 0x0004 ... insecure RPATHs; these are relative RPATHs which are a
* SECURITY risk
* 0x0008 ... the special '\$ORIGIN' RPATHs are appearing after other
* RPATHs; this is just a minor issue but usually unwanted
* 0x0010 ... the RPATH is empty; there is no reason for such RPATHs
* and they cause unneeded work while loading libraries
* 0x0020 ... an RPATH references '..' of an absolute path; this will break
* the functionality when the path before '..' is a symlink
*
* Examples:
* - to ignore standard and empty RPATHs, execute 'rpmbuild' like
* \$ QA_RPATHS=\$[ 0x0001|0x0010 ] rpmbuild my-package.src.rpm
* - to check existing files, set \$RPM_BUILD_ROOT and execute check-rpaths like
* \$ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
*
***********************************************************
The text above came straight out of /usr/lib/rpm/check-rpaths-worker. If the developers of the code you’re trying to turn into an RPM did not take any of these considerations into account when they wrote their programs, then you may be forced to skip the checks by removing the check-rpaths line from your ~/.rpmmacros too.
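The banner's QA_RPATHS bitmask allows a narrower exception than removing the check from ~/.rpmmacros. The shell functions below are an added example, not code from the original post or from check-rpaths-worker: they read readelf -d output and print the smallest mask covering the RPATHs found. The list of standard directories, the sample readelf lines and the function names are assumptions, and bit 0x0002 is not modelled.

```shell
#!/bin/sh
# Added example: map RPATH entries to the QA_RPATHS bits listed in the banner.
# A reading of the banner text, not the code of check-rpaths-worker.
# Bit 0x0002 ("invalid") is not modelled.

# Assumption: the directories treated as "standard" search paths.
STANDARD_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# rpath_mask RPATH: print the OR of the bits that apply to one RPATH string.
rpath_mask() (
    rest="$1:"; mask=0; seen_other=0    # trailing ':' keeps empty entries
    while [ -n "$rest" ]; do
        p=${rest%%:*}; rest=${rest#*:}; bit=0
        was=$seen_other; seen_other=1
        case $p in
            '') bit=16 ;;                          # 0x0010 empty RPATH or entry
            '$ORIGIN'|'$ORIGIN'/*|'${ORIGIN}'|'${ORIGIN}'/*)
                if [ "$was" -eq 1 ]; then bit=8    # 0x0008 $ORIGIN after others
                else seen_other=0; fi ;;
            /*/../*|/*/..) bit=32 ;;               # 0x0020 '..' in absolute path
            /*) for d in $STANDARD_DIRS; do        # 0x0001 standard directory
                    if [ "${p%/}" = "$d" ]; then bit=1; fi
                done ;;
            *)  bit=4 ;;                           # 0x0004 relative (insecure)
        esac
        mask=$((mask | bit))
    done
    printf '0x%04x\n' "$mask"
)

# needed_mask: read `readelf -d` output on stdin and print the narrowest
# QA_RPATHS value that covers every RPATH/RUNPATH line in it.
needed_mask() {
    sed -n 's/.*(R[UN]*PATH).*\[\(.*\)].*/\1/p' | {
        total=0
        while IFS= read -r rp; do
            total=$((total | $(rpath_mask "$rp")))
        done
        printf '0x%04x\n' "$total"
    }
}

# Constructed sample of `readelf -d` lines (not taken from a real package).
SAMPLE=' 0x000000000000000f (RPATH)              Library rpath: [/usr/lib64:../lib]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/app/lib:$ORIGIN]'

printf '%s\n' "$SAMPLE" | needed_mask
```

The printed value can be passed as QA_RPATHS the way the banner's example shows. A result that includes 0x0004 points at a relative RPATH, which the banner marks as a SECURITY risk and which is better fixed in the binary than masked.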
One of the ‘cons’ of RPATH is that the check-rpaths script checks EVERY file in $RPM_BUILD_ROOT, ignoring the %exclude directives. And I don’t think there’s any way around that. I ran across this problem trying to build a custom RPM version of goocanvasmm, the C++ bindings for goocanvas.