Hi folks, Security hardening of Linux systems suggests marking ELF binary sections as much read-only as it gets. A part of this binary hardening is making the ELF relocations in binaries and libraries read-only to avoid them being overwritten and used for attacks. SUSE has built everything with "Partial RELRO" for a long time (via a default in binutils). (-z relro) We did not yet do "Full RELRO" (-z now) as we feared the amount of integration work. However as this is industry standard now, we have started the integration and will push it to main Factory / Tumbleweed soon. It is being implemented by: - The SUSE binutils "ld" queries the "SUSE_ZNOW" environment variable. If it is present and not "0", it will enable "-z now". - The post-build-checks injects via /etc/profile.d/build-system.sh the environment variable SUSE_ZNOW=1 into all RPM build chroots (that use post-build-checks, which should be all of them). - Packages can still deselect it. Either: - use linker option "-z lazy". - or export SUSE_ZNOW=0 in the %build section. Currently only "xorg-x11-server" and "python-atspi:tests" needed to do this in our staging. After this is integrated in on the next snapshots, if you see weird symbol lookup errors, as usual report them via bugzilla. Ciao, Marcus