On Tue, 13 Sep 2016 17:12:46 +0300, Niko Tyni wrote:

> As for #835148, it's triggered by bindnow (not PIE). I think the patch in
> #835148 just shows that PIE was already enabled in Ubuntu on s390x, but
> not in Debian.

Ah, I see, thank you.

> My understanding is that the Apache module parts (mod_embperl) get
> compiled into Embperl.so, but don't get used unless the thing is loaded
> by Apache. The 'bindnow' hardening is incompatible with this scheme;
> from the ld(1) documentation for '-z now':

Cool.

> So when perl dlopens Embperl.so without Apache, the ap_* functions
> aren't needed but still get loaded (unsuccessfully).
>
> I think the fix/workaround for this is explicitly opting out of bindnow
> with something like
>
>   export DEB_BUILD_MAINT_OPTIONS=hardening=-bindnow
>
> in debian/rules, and possibly a wishlist bug upstream for separating
> the Apache module into a separate DSO that loads Embperl.so ?

I tried now with

  export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-bindnow

to build with PIE but without bindnow, and indeed the build + tests
succeed.

Cheers,
gregor

-- 
 .''`.  Homepage https://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer - https://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: hons: strive