Control: tags -1 patch

Hi Robert,

On Sun, 11 Sep 2016 19:04:08 +0200 Balint Reczey <bal...@balintreczey.hu> wrote:
> Source: check
> Version: 0.10.0-3
> Severity: important
> User: bal...@balintreczey.hu
> Usertags: pie-bindnow-20160906
> Justification: makes several packages FTBFS on amd64 with extra hardening
> Affects: ettercap galera-3 gubbins netcfg vnstat
>
> Dear Maintainers,
>
> During a rebuild of all packages in sid, several packages
> failed to build on amd64 with patched GCC and dpkg. The root
> cause seems to be that libcheck.a is shipped as a non-PIC library.
>
> The rebuild tested if packages are ready for a transition
> enabling PIE and bindnow for amd64.
>
> For more information about the changes to sid's dpkg and GCC please
> visit:
> https://wiki.debian.org/Hardening/PIEByDefaultTransition
...
> I'm aware of the provided libcheck_pic.a file, but I think
> there is little value in providing the non-PIC library
> thus I suggest providing only one, libcheck.a with PIC.

I have pushed the attached patch to the packaging repository.
I have not dropped libcheck_pic.a yet because radvd seems to refer to it:
https://codesearch.debian.net/search?q=lcheck_pic

It would be nice if you could update the package in the not too distant
future including the patch.

Cheers,
Balint

>From 1794069bc155cdc661025f3867b61a6ef9f509e1 Mon Sep 17 00:00:00 2001 From: Balint Reczey <bal...@balintreczey.hu> Date: Thu, 29 Sep 2016 15:39:30 +0200 Subject: [PATCH] Build libcheck with -fPIC Closes: 837445 --- debian/README.Debian | 13 ++++++------- debian/patches/01pkgconfig.patch | 2 +- debian/rules | 26 +++++++------------------- 3 files changed, 14 insertions(+), 27 deletions(-) diff --git a/debian/README.Debian b/debian/README.Debian index 302a4fd..d499e00 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -1,13 +1,12 @@ P I C S U P P O R T ===================== -In addition to the non-PIC static library, check now also ships a PIC- -enabled library libcheck_pic.a, this is e.g. needed if you want to link -libcheck against a dynamic library on x86_64. Since 0.9.8-1.1 this is the -default when you use pkg-config, by popular demand. I still think that -linking unit tests into shared lib is eccentric, but it doesn't seem to -hurt, so there you are. If you want the non-pic library then don't use -pkg-config, but state the link flags yourself. +This package ships static libraries and they are compiled with -fPIC +to let reverse dependencies use the static libraries as part of shared +libraries and PIE binaries. + +The exception is discussed in this thread: + https://lists.debian.org/debian-devel/2016/09/msg00277.html On a related note, the fact that check doesn't build a shared library but a static one is deliberate, not a missing feature: you aree building *unit diff --git a/debian/patches/01pkgconfig.patch b/debian/patches/01pkgconfig.patch index c8ef284..4f01922 100644 --- a/debian/patches/01pkgconfig.patch +++ b/debian/patches/01pkgconfig.patch 
@@ -9,6 +9,6 @@ -Libs.private: @GCOV_LIBS@ @PTHREAD_LIBS@ @LIBS@ -Cflags: -I${includedir} @PTHREAD_CFLAGS@ +Requires: @LIBSUBUNIT_PC@ -+Libs: -L${libdir} -lcheck_pic @GCOV_LIBS@ @PTHREAD_CFLAGS@ @PTHREAD_LIBS@ @LIBS@ ++Libs: -L${libdir} -lcheck @GCOV_LIBS@ @PTHREAD_CFLAGS@ @PTHREAD_LIBS@ @LIBS@ +Libs.private: +Cflags: -I${includedir} -pthread diff --git a/debian/rules b/debian/rules index bc3f562..7904306 100755 --- a/debian/rules +++ b/debian/rules @@ -1,5 +1,7 @@ #!/usr/bin/make -f +export DEB_CFLAGS_MAINT_APPEND = -fPIC + ifneq ($(DEB_BUILD_PROFILES),stage1) ENABLE_SUBUNIT=--enable-subunit else @@ -9,33 +11,19 @@ endif %: dh $@ --buildsystem=autoconf --with autoreconf -override_dh_auto_clean: - dh_auto_clean --builddirectory build-standard - dh_auto_clean --builddirectory build-pic - override_dh_auto_configure: - dh_auto_configure --builddirectory build-standard -- --prefix=/usr \ + dh_auto_configure -- --prefix=/usr \ --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ --host=$(DEB_HOST_GNU_TYPE) \ --infodir=/usr/share/info --disable-shared $(ENABLE_SUBUNIT) - - CFLAGS="-fPIC $(CFLAGS)" dh_auto_configure --builddirectory build-pic - -- --prefix=/usr --host=$(DEB_HOST_GNU_TYPE) \ - --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ - --infodir=/usr/share/info --disable-shared $(ENABLE_SUBUNIT) - -override_dh_auto_build: - dh_auto_build --builddirectory build-standard - dh_auto_build --builddirectory build-pic override_dh_auto_test: ifeq (,$(findstring nocheck, $(DEB_BUILD_OPTIONS))) - dh_auto_test --builddirectory build-standard --max-parallel=1 -- ARGS="--verbose" - dh_auto_test --builddirectory build-pic --max-parallel=1 -- ARGS="--verbose" + dh_auto_test --max-parallel=1 -- ARGS="--verbose" endif override_dh_auto_install: - dh_auto_install --builddirectory build-standard + dh_auto_install # fix the installation / setup rm -f debian/check/usr/share/doc/check/COPYING* 
@@ -45,5 +33,5 @@ override_dh_auto_install: rm -f debian/check/usr/share/info/dir.gz rm -rf debian/check/usr/share/doc/check/example - # install the pic library - install build-pic/src/.libs/libcheck.a debian/check/usr/lib/$(DEB_HOST_MULTIARCH)/libcheck_pic.a + # install the pic library to previous location, too, for packages still using it + install src/.libs/libcheck.a debian/check/usr/lib/$(DEB_HOST_MULTIARCH)/libcheck_pic.a -- 2.1.4
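
Review bot: in the debian/README.Debian hunk, the new paragraph ends with "The exception is discussed in this thread:" but never says what the exception is, so a reader has to follow the link to learn which case the -fPIC statement does not cover. State the exception in one sentence in the README itself and keep the URL as a reference. The rewritten text also drops every mention of libcheck_pic.a while the last debian/rules hunk still installs it; a line saying the file is kept only for compatibility would tell users to move to -lcheck.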
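
Review bot: at the top of debian/rules, "export DEB_CFLAGS_MAINT_APPEND = -fPIC" is added with no comment, and nothing in the visible rules checks that the resulting libcheck.a really is position independent. Add a comment pointing at the bug the commit closes (837445) so the flag is not removed later as redundant, and consider a step in override_dh_auto_test that links the freshly built archive into a small shared object, so a regression to non-PIC code fails this package's build instead of the reverse dependencies'. With build-standard and build-pic collapsed into one build, that single archive is now the only artifact the hardening transition depends on.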
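
Review bot: in the final override_dh_auto_install hunk, "install src/.libs/libcheck.a ... /libcheck_pic.a" ships a second full copy of the same archive under the old name. A symlink from libcheck_pic.a to libcheck.a keeps -lcheck_pic resolving for packages that still use it, avoids the duplicate, and guarantees the two names can never diverge. The comment "for packages still using it" would also be more useful if it named the condition for dropping the compatibility name, for example once the users found via the codesearch query in the cover mail have switched to -lcheck.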