Wrong parameters from dpkg-buildflags for LDFLAGS on Forky

[Paebbels]

I'm building CPython on my own CI infrastructure for Forky (Debian 14, testing). Currently the output of dpkg-buildflags --get LDLAGS is broken, because:

• it contains a space and breaks further concatenations in the Dockerfile e.g. with ,--strip-all
• it emits a compiler flag appended to linker flags.

The output I see is:
LDFLAGS="-Wl,-z-relro -fcf-protection,--strip-all"

When debugging the output from dpkg-buildflags, I get
LDFLAGS="-Wl,-z-relro -fcf-protection"

Looking at the outputs of make, I noticed -fcf-protection close to other compiler flags, which is correct. Thus, -fcf-protection seems to be applied two times.

Workaround:
LDFLAGS="${LDFLAGS%% *}"

I'm not sure who is responsible for dpkg-buildflags and where to report it.
I just wanted to inform docker-library of a potential future problem for upcoming Forky - if not fixed until then.

---

I checked Forky and Trixie images from Docker Hub:

	CFLAGS	LDFLAGS
Debian 13, Trixie	-g -O2 ..... -fcf-protection	-Wl,-z,relro
Debian 14, Forky	-g -O2 ..... -fcf-protection	-Wl,-z,relro -fcf-protection

Documentation for -fcf-protection: https://gcc.gnu.org/onlinedocs/gcc-15.2.0/gcc/Instrumentation-Options.html#index-fcf-protection

This option is not a linker option.

---

/cc @skoehler

[Paebbels]

In discussion, I figured out with help from @skoehler, LDFLAGS can contain multiple options.
Some are not compatible to the -Wl,...,...,... syntax.

Thus, if maintainers for the CPython Dockerfile want to appen --strip-all, it MUST be added with a new -Wl, prefix.

The corrected line is:

LDFLAGS="$(dpkg-buildflags --get LDFLAGS) -Wl,--strip-all";

[tianon]

Oh nice, good call! We don't explicitly support Forky yet, but we certainly will someday, so I'm fine with fixing this, especially since the fix is "more correct"!

The specific line in question is:

python/Dockerfile-linux.template

Line 220 in 34416dc

LDFLAGS="${LDFLAGS:--Wl},--strip-all"; \

and because we use set -u, the line needs to be something like this:

	LDFLAGS="${LDFLAGS:-} -Wl,--strip-all"; \

or if we wanted to be really pedantic, which will lead to slightly cleaner generated code (maybe not enough to bother?):

	LDFLAGS="${LDFLAGS:+$LDFLAGS }-Wl,--strip-all"; \

(then running ./apply-templates.sh to apply that change across all our generated Dockerfiles)

Is making a PR for that something you're interested in trying, or would you rather we take this on?

[Paebbels]

@tianon please go on. I'm not into all the code generation this repository runs. That's why I posted the details, my investigation and a fix that works for me.

I think you have all the details you need. I'm out 😃.

[Paebbels]

@tianon is this kind of code (calling dpkg-buildflags and appending further flags) specific to the Python docker image or is this maybe also appearing in other docker-library repositories?

[tianon]

In a quick grep the way we were mis-appending to LDFLAGS is unique to this image (it is queried in a couple other images, but not appended to in the same format-assuming way).