From 20256ee2a2aa8a121507db5b4285546a25996afd Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Thu, 30 Apr 2026 23:21:59 +0000 Subject: [PATCH] fix(deploy/test/libest): drop make-time CFLAGS/LDFLAGS pass-through MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit estclient link was failing with `cannot find -lsafe_lib` despite libsafe_lib.a building cleanly under safe_c_stub/lib/. Root cause: libest's configure.ac (lines 193-195) appends the bundled safec stub's path to user-supplied flags: CFLAGS="$CFLAGS -Wall -I$safecdir/include" LDFLAGS="$LDFLAGS -L$safecdir/lib" LIBS="$LIBS -lsafe_lib" These get baked into the generated Makefile via @CFLAGS@/@LDFLAGS@/ @LIBS@ substitutions. Per automake's variable-precedence rules, a command-line `make LDFLAGS=...` overrides the `LDFLAGS = @LDFLAGS@` line in the Makefile — wiping the `-L/src/safe_c_stub/lib` that configure put there. The previous commit (759e627) passed these flags at BOTH configure- time AND make-time. The make-time pass-through was redundant (configure already baked the flags in) and actively destructive (it overrode configure's own additions). Configure-time alone is correct: configure appends to the user's flags, writes the merged value once, and every link command picks it up. Verified against upstream r3.2.0: - safe_c_stub/lib/Makefile.am produces noinst_LIBRARIES=libsafe_lib.a - example/client/Makefile.am does NOT mention -lsafe_lib explicitly; it relies on the configure-baked LIBS+LDFLAGS to bring it in - top-level Makefile.am has SUBDIRS=safe_c_stub src ... so the stub is built before src/est gets a chance to depend on it CI fix #7 in the ci-pipeline-cleanup post-merge fix-up sequence. Each "new bug" the cleaned-up CI surfaces is the same shape: a pre-existing latent bug that the old per-vendor matrix or missing checks structurally hid. The Docker build smoke step in the new image-and-supply-chain job is exposing this libest sidecar's full dependency chain for the first time. --- deploy/test/libest/Dockerfile | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/deploy/test/libest/Dockerfile b/deploy/test/libest/Dockerfile index 1197116..35f0080 100644 --- a/deploy/test/libest/Dockerfile +++ b/deploy/test/libest/Dockerfile @@ -131,13 +131,33 @@ WORKDIR /src # next-older default-fcommon GCC is 9.x in debian:buster, which is # LTS-EOL since June 2024. Restoring the flag explicitly is cleaner # than downgrading the base again. +# +# CRITICAL: pass CFLAGS + LDFLAGS at configure-time ONLY. Do NOT also +# pass them on the `make` command line. +# +# Why: libest's configure.ac (lines 193-195) unconditionally appends +# the bundled safec stub paths to the user's CFLAGS/LDFLAGS/LIBS: +# +# CFLAGS="$CFLAGS -Wall -I$safecdir/include" +# LDFLAGS="$LDFLAGS -L$safecdir/lib" +# LIBS="$LIBS -lsafe_lib" +# +# The merged values get baked into the generated Makefile as +# @CFLAGS@/@LDFLAGS@/@LIBS@ substitutions, so every link command — +# notably estclient's — gets `-L/src/safe_c_stub/lib -lsafe_lib`. +# +# Per automake's variable-precedence rules, a command-line +# `make LDFLAGS=...` OVERRIDES the `LDFLAGS = @LDFLAGS@` line in +# the Makefile. Pass-through at make-time wipes the safec stub's +# `-L` path; estclient then fails to link with +# `cannot find -lsafe_lib` even though `safe_c_stub/lib/libsafe_lib.a` +# built fine. Configure-time alone is sufficient — configure writes +# the merged value into the Makefile exactly once. RUN git clone --depth 1 --branch ${LIBEST_REF} https://github.com/cisco/libest.git . \ && CFLAGS="-fcommon" \ LDFLAGS="-Wl,--allow-multiple-definition" \ ./configure --prefix=/opt/libest --disable-shared --enable-static \ - && make CFLAGS="-fcommon" \ - LDFLAGS="-Wl,--allow-multiple-definition" \ - -j"$(nproc)" \ + && make -j"$(nproc)" \ && make install # Runtime stage. Carries only what we need to docker-exec estclient