Workaround redhat-10 possible bug with rpmbuild and check-rpaths related to not allowing absolute RPATH entries

craigcomstock · craigcomstock · commit 69be09a9513b · 2025-10-21T16:17:28.000-05:00
We include RPATH entries of /var/cfengine/lib which should be OK but for some reason check-rpaths-worker flags it as > 0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute nor relative filenames and can therefore be a SECURITY risk So setting QA_RPATHS to include this flag changes the ERROR to a WARNING but also prevents check-rpaths from finding RPATH entries that are problematic. Related bug rpm-software-management/rpm#3982 Ticket: ENT-13016 Changelog: none
diff --git a/deps-packaging/pkg-build-rpm b/deps-packaging/pkg-build-rpm
@@ -112,6 +112,11 @@ fi
 # example cmd --define 'a b':
 #     - argv[1] = --define
 #     - argv[2] = a b
+
+# We have /var/cfengine/lib in RPATHS which should be OK
+# We asked in https://github.com/rpm-software-management/rpm/issues/3982, and it seems allowing this is OK
+# 0x0002 - contains an invalid RPATH - in our case /var/cfengine/lib is OK so allow it as an exception
+export QA_RPATHS=$(( 0x0002 ))
 eval rpmbuild -bb \
   --define "'_topdir $BASEDIR/$PKGNAME'" \
   --define "'version $VERSION'" \
