feat(elf-metadata): embed os, osVersion, and moduleVersion in .note.package #17671
Open
anphel31 wants to merge 1 commit into
Pull request overview
This PR extends the package-notes linker spec JSON payload embedded in .note.package to include structured OS identity (os, osVersion) and a normalized moduleVersion, and wires rpmbuild macro hooks to ensure the needed environment is present across build phases.
Changes:
- Extend `redhat-package-notes.in` JSON payload with `os`, `osVersion`, and `moduleVersion`.
- Add an rpmbuild hook (`%_generate_package_note_file`) to export `RPM_MODULE_VERSION`, and ensure it runs during `%install` as well.
- Introduce a dedicated `package-notes` component definition with overlays + build-time self-tests; update locks and rendered specs accordingly.
Reviewed changes
Copilot reviewed 8 out of 10 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| specs/p/package-notes/redhat-package-notes.in | Adds the new JSON keys to the linker spec template. |
| specs/p/package-notes/package-notes.spec | Updates %build generation and adds self-test checks for the injected fields/hook. |
| specs/p/package-notes/macros.package-notes-srpm | Implements %_generate_package_note_file to export RPM_MODULE_VERSION. |
| specs/a/azurelinux-rpm-config/macros | Expands %{?_generate_package_note_file} in %__spec_install_pre to cover install-time relinks. |
| specs/a/azurelinux-rpm-config/azurelinux-rpm-config.spec | Adds a build-time guard to detect missing hook expansions in macros. |
| locks/package-notes.lock | Updates input fingerprint after component customization. |
| locks/azurelinux-rpm-config.lock | Updates input fingerprint after overlay changes. |
| base/comps/package-notes/package-notes.comp.toml | New dedicated component with overlays to inject fields and enforce self-tests. |
| base/comps/components.toml | Removes inline package-notes entry now that it has a dedicated comp file. |
| base/comps/azurelinux-rpm-config/azurelinux-rpm-config.comp.toml | Adds overlay to wire the hook into %__spec_install_pre and adds a guard in %install. |
fe5a977 to
f673668
Compare
…pe in .note.package
Enrich the FDO_PACKAGING_METADATA ELF note emitted into every binary built
with the Azure Linux LDFLAGS so SBOM and crash-analysis tools (e.g. Azure
Watson) get a parsed view of the build's OS identity and package version.
package-notes:
- Add structured "os", "osVersion" and "moduleVersion" keys to the
.note.package JSON payload, alongside "osCpe".
- Hardcode osCpe to the canonical CPE 2.3 string
"cpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*" and set os to
"azure_linux" / osVersion to "4.0", instead of reading
/usr/lib/system-release-cpe. During Stage 1 the buildroot is seeded from
the Fedora package set, so that file reports the Fedora CPE and would bake
the wrong identity into every binary; hardcoding guarantees correct
metadata regardless of the seed.
- Derive moduleVersion as a 4-part, zero-padded numeric form of
RPM_PACKAGE_VERSION, truncating each dot-separated field at the first
non-digit (so prerelease/git suffixes are dropped, not folded in).
Exported via the %_generate_package_note_file hook in
macros.package-notes-srpm.
- Self-test in %build that the generated linker spec contains the expected
fields, failing the build loudly on overlay regression.
azurelinux-rpm-config:
- Hook %{?_generate_package_note_file} into %__spec_install_pre so
RPM_MODULE_VERSION is exported during %install as well as %build/%check.
Packages that relink during %install (e.g. avahi's libtool --relink for
PIE libraries) otherwise fail because the package-notes GCC linker spec
uses a strict %:getenv() lookup that aborts the link when the var is unset.
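
The moduleVersion rule described in the commit message above, as an added Python sketch (not the PR's macro code). It assumes that fields past the fourth are dropped and that a field with no leading digits becomes 0; `module_version` and `collisions` are hypothetical names, and `collisions` lists distinct RPM versions that normalize to the same value.

```python
import re
from collections import defaultdict

def module_version(rpm_version: str, parts: int = 4) -> str:
    """Normalize an RPM version to a fixed-width dotted numeric string."""
    out = []
    # Assumption: fields beyond the fourth are dropped.
    for field in rpm_version.split(".")[:parts]:
        # Keep only the leading ASCII digits; everything from the first
        # non-digit on (e.g. "~rc1", "+git2024") is discarded.
        digits = re.match(r"[0-9]*", field).group()
        # Assumption: a field with no leading digits becomes "0".
        out.append(digits or "0")
    out += ["0"] * (parts - len(out))  # pad missing fields with zeros
    return ".".join(out)

def collisions(versions):
    """Group distinct RPM versions that map to the same moduleVersion."""
    groups = defaultdict(list)
    for v in versions:
        groups[module_version(v)].append(v)
    return {mv: vs for mv, vs in groups.items() if len(vs) > 1}

# Constructed sample versions (only "1.35" comes from the PR's tar example).
SAMPLES = ["1.35", "1.35~rc1", "2.0.1+git20240101.abc", "1.2.3.4.5", "v1.2"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v:24} -> {module_version(v)}")
    print(collisions(SAMPLES))
```

Because a prerelease and its final release collapse to one moduleVersion, tooling that matches builds against advisories still needs the full `version` field.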
f673668 to
43bedfc
Compare
ddstreetmicrosoft
requested changes
Jun 11, 2026
Er, no.
What problem is this attempting to fix?
Summary

Adds three structured fields — `os`, `osVersion`, and `moduleVersion` — to the `.note.package` ELF section that the package-notes linker spec injects into every dynamically-linked binary built with our LDFLAGS. These sit alongside the existing `osCpe` and give SBOM and crash-analysis tooling a pre-parsed view of the build's OS identity and package version without having to crack the CPE string.

Example `.note.package` payload after this change (`/usr/bin/tar`):

```json
{
  "type": "rpm",
  "name": "tar",
  "version": "1.35-7.azl4",
  "architecture": "x86_64",
  "osCpe": "cpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*",
  "os": "azure_linux",
  "osVersion": "4.0",
  "moduleVersion": "1.35.0.0"
}
```

Before this change:

```json
{
  "type": "rpm",
  "name": "tar",
  "version": "1.35-7.azl4",
  "architecture": "x86_64",
  "osCpe": "cpe:/o:microsoft:azurelinux:4.0"
}
```

Note related PR #17685
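
How a consumer such as an SBOM scanner could read this note, as an added Python example that is not part of the PR. It takes the raw contents of the `.note.package` section, assumes little-endian layout and the `FDO` owner with note type `0xcafe1a7e`, and cross-checks `os`/`osVersion` against `osCpe`; the function names are hypothetical and the section bytes are constructed from the payloads above.

```python
import json
import struct

OWNER = b"FDO\x00"                     # note owner, NUL-terminated
FDO_PACKAGING_METADATA = 0xCAFE1A7E    # note type of the package metadata note

def _pad4(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 4)

def build_note(payload: dict) -> bytes:
    """Construct sample section bytes (little-endian) for the demo."""
    desc = json.dumps(payload).encode() + b"\x00"
    header = struct.pack("<III", len(OWNER), len(desc), FDO_PACKAGING_METADATA)
    return header + _pad4(OWNER) + _pad4(desc)

def parse_package_note(section: bytes) -> dict:
    """Walk the ELF notes in the section and return the decoded JSON payload."""
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_off = off + 12
        desc_off = name_off + namesz + (-namesz % 4)
        end = desc_off + descsz
        if end > len(section):
            raise ValueError("truncated note")
        if section[name_off:name_off + namesz] == OWNER and ntype == FDO_PACKAGING_METADATA:
            return json.loads(section[desc_off:end].rstrip(b"\x00"))
        off = end + (-descsz % 4)          # next note starts 4-byte aligned
    raise ValueError("no package metadata note found")

def identity_matches_cpe(meta: dict) -> bool:
    """True if os/osVersion agree with the product/version fields of osCpe."""
    # Assumption: no escaped ':' inside CPE components, so a plain split works.
    parts = meta.get("osCpe", "").split(":")
    return (len(parts) == 13 and parts[:3] == ["cpe", "2.3", "o"]
            and parts[4] == meta.get("os") and parts[5] == meta.get("osVersion"))

# Payloads copied from the PR description's tar example.
AFTER = {"type": "rpm", "name": "tar", "version": "1.35-7.azl4", "architecture": "x86_64",
         "osCpe": "cpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*",
         "os": "azure_linux", "osVersion": "4.0", "moduleVersion": "1.35.0.0"}
BEFORE = {"type": "rpm", "name": "tar", "version": "1.35-7.azl4", "architecture": "x86_64",
          "osCpe": "cpe:/o:microsoft:azurelinux:4.0"}

if __name__ == "__main__":
    meta = parse_package_note(build_note(AFTER))   # constructed section bytes
    print(meta["os"], meta["osVersion"], meta["moduleVersion"], identity_matches_cpe(meta))
```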