rust-lld: error: duplicate symbol: security_txt

[sjoerd-dijkstra]

When compiling multiple Anchor programs from the same workspace, we get this error.

error: linking with `rust-lld` failed: exit status: 1

# omitted

  = note: rust-lld: error: duplicate symbol: security_txt

Directory structure:

programs/
├── program-1
│   ├── Cargo.toml      # solana-security-txt = "1.0.1"
│   └── src
├── program-2
│   ├── Cargo.toml      # solana-security-txt = "1.0.1"
│   └── src
└── program-3
    ├── Cargo.toml      # solana-security-txt = "1.0.1"
    └── src

When we set the dependency in only 1 program we do not get the error.

Note; the error occurs when we use the crate and try the utilize the macro, like so

use solana_security_txt::security_txt;

security_txt! {
// omitted
}

EDIT

Upon further checking, it seems other programs inherit the security txt setting when they have dependency with a program that already has a security-txt

In below example, program-2 inherits the security-txt settings from program-1 and cannot set it's own. Also block explorers show the wrong entry.

programs/
├── program-1
│   ├── Cargo.toml      # solana-security-txt = "1.0.1"
│   └── src
└── program-2
    ├── Cargo.toml      # program-1 = { path = "../program-1", features = ["cpi"] }
    └── src

Are we doing something wrong, or is this unintended behaviour?

We would like to have a unique security report for each of our programs and have them depend on each other for CPI purposes.

Thanks in advance!

[giacomo-cc]

+1 on this, we're having exactly the same problem. this issue is quite old, this repo is still maintained?
We faced the problem unfortunately only on isolated cases, compiling our project on windows / macos was fine, but on linux (ubuntu 20.04 LTS) failed for the same reason @sjoerd-dijkstra pointed out. Can anybody give advice?

[tlambertz]

I see the issue. When using another smart-contract as dependency it also generates it's security.txt.
The compiler is helpful here and prevents two conflicting security.txt being present.

Dependencies have to omit emitting the security.txt. Solana contracts already use the no-entrypoint feature to avoid including entrypoints of dependent smart-contracts, this can easily be adapted here.

We have brainstormed a bit, but there doesn't seem to be a fool-proof solution for solving this automatically. So there isn't much we can do about that from the perspective from this crate. The decision to include or not include the macro always has to happen from the caller, and we cannot introspect if the parent is compiled with no-entrypoint.

This aspect is currently lacking from the documentation, working on a pull-request to fix this, and make it very clear that if you expect to be included as dependency and have an exposed no_entrypoint feature, you have to put the security.txt under that as well:

#[cfg(not(feature = "no-entrypoint"))]
security_txt! {
...
}

Unfortunately, this issue means contracts that currently do not do this cannot be used as a dependency until they are updated.

[tlambertz]

Thanks to the help of @w4rum, we've opened pull request on all relevant repositories we could find.

Once they are merged, this issue should be solved. Closing for now. Please let me know if you still encounter this issue anywhere!

[sjoerd-dijkstra]

Thank you for working out a solution @tlambertz , and thank you @w4rum implementing this fix over in nosana-ci/nosana-programs#2 !

Much appreciated! 🙏