Hi Guillem,

I'm rebuilding all packages that failed with the original patch and a good share
does compile with the following additional patches.

I would have preferred only the original patch, but apparently this is
our best chance for enabling PIE for the archive.

I'll start filing bugs for the packages still failing to build.

Cheers,
Balint

2016-09-04 3:03 GMT+02:00 Balint Reczey <bal...@balintreczey.hu>:
> Hi Guillem,
>
> Many packages fail to build due to gcc ... -shared -no-pie ... failing.
> I have reported the issue to GCC but they don't seem to fix that:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464
>
> The proposed workarounds don't seem to be viable in Debian thus I
> propose making the -pie dpkg hardening flag a noop instead of passing
> -no-pie and friends as compiler/ flags like in the proposed patch.
> This is not symmetric but consistent with Ubuntu's way of enabling PIE.
>
> What do you think?
>
> Cheers,
> Balint
>
> On Tue, 23 Aug 2016 00:29:00 +0200 Balint Reczey
> <bal...@balintreczey.hu> wrote:
>> Package: dpkg
>> Version: 1.18.10
>> Severity: wishlist
>> Tags: patch moreinfo
>>
>> Dear Guillem,
>>
>> As a continuation of the discussions [1][2] on debian-devel I'm
>> attaching the simple patch that changes dpkg's pie hardening flag
>> to adapt to GCC's new default settings proposed in #835148.
>>
>> I'm continuing with the rebuild/autopkgtest tests according to
>> the Dpkg FAQ, hence the moreinfo tag.
>>
>> Cheers,
>> Balint
>>
>> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
>> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>>
From 125b18d25203a5abc173421fde21c685ae9ef3e3 Mon Sep 17 00:00:00 2001
From: Balint Reczey <bal...@balintreczey.hu>
Date: Sun, 4 Sep 2016 02:56:38 +0200
Subject: [PATCH 3/4] Make -pie hardening flag a noop

---
 scripts/Dpkg/Vendor/Debian.pm | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 8e9a0ac..a2b4ca9 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -328,17 +328,7 @@ sub _add_hardening_flags {
     }
 
     # PIE
-    if ($pie_by_default == 1 and not $use_feature{pie}) {
-	my $flag = '-fno-PIE';
-	$flags->append('CFLAGS', $flag);
-	$flags->append('OBJCFLAGS',  $flag);
-	$flags->append('OBJCXXFLAGS', $flag);
-	$flags->append('FFLAGS', $flag);
-	$flags->append('FCFLAGS', $flag);
-	$flags->append('CXXFLAGS', $flag);
-	$flags->append('GCJFLAGS', $flag);
-	$flags->append('LDFLAGS', '-fno-PIE -no-pie');
-    } elsif ($pie_by_default == 0 and $use_feature{pie}) {
+    if ($pie_by_default == 0 and $use_feature{pie}) {
 	my $flag = '-fPIE';
 	$flags->append('CFLAGS', $flag);
 	$flags->append('OBJCFLAGS',  $flag);
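Review bot: With the `$pie_by_default == 1 and not $use_feature{pie}` branch removed, a package that turns the pie feature off on a PIE-by-default architecture now gets no flags and no indication that its request was dropped. Please add a short comment above the remaining `if ($pie_by_default == 0 and $use_feature{pie})` stating that disabling is intentionally a no-op there. The commit message also has no body, so the reason for the asymmetry (the `-shared -no-pie` build failures discussed in this thread) should be recorded in it.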
-- 
2.1.4

From 7cb9f2be91f45a20fc0a78b596da508309e90657 Mon Sep 17 00:00:00 2001
From: Balint Reczey <bal...@balintreczey.hu>
Date: Mon, 5 Sep 2016 22:40:04 +0200
Subject: [PATCH 4/4] Update documentation of the pie hardening setting

---
 man/dpkg-buildflags.1 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/man/dpkg-buildflags.1 b/man/dpkg-buildflags.1
index cb157c9..dd344fc 100644
--- a/man/dpkg-buildflags.1
+++ b/man/dpkg-buildflags.1
@@ -366,6 +366,11 @@ Static libraries can be used by programs or other shared libraries.
 Depending on the flags used to compile all the objects within a static
 library, these libraries will be usable by different sets of objects:
 
+On several architectures (where the performanance loss is acceptable)
+gcc generates Position Independent Executables by default. On such
+architectures both enabling and disabling the \fBpie\fP setting is
+ignored and flags are not changed.
+
 .RS
 .TP
 none
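Review bot: The new paragraph is inserted between the sentence ending "different sets of objects:" and the `.RS`/`.TP` list that sentence introduces, so the colon no longer leads into the list; move the paragraph above "Static libraries can be used ..." or below the list. In the added text, "performanance" should be "performance", and "both enabling and disabling ... is ignored" should read "are ignored".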
-- 
2.1.4
