On 2016-12-05 12:27 PM, Daniel Kahn Gillmor wrote:
Hi Dave--

thanks for this report!

On Sat 2016-12-03 18:12:41 -0500, John David Anglin wrote:
make[2]: Entering directory '/<<PKGBUILDDIR>>/build-gpgv-static/g10'
gcc     -Wall -Wno-pointer-sign -Wpointer-arith  -g -O2 
-fdebug-prefix-map=/<<PKGBUILDDIR>>=. -Wformat -Werror=format-security  -pie 
-static -o gpgv gpgv.o build-packet.o compress.o  free-packet.o getkey.o keydb.o keyring.o 
seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o rmd160.o 
openfile.o keyid.o parse-packet.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o ecdh.o 
verify.o ../kbx/libkeybox.a ../common/libcommon.a ../common/libgpgrl.a -lz    -lgcrypt 
-L/usr/lib/hppa-linux-gnu -lgpg-error
/usr/bin/ld: /usr/lib/gcc/hppa-linux-gnu/6/crtbeginT.o: relocation 
R_PARISC_DPREL21L can not be used when making a shared object; recompile with 
-fPIC
/usr/lib/gcc/hppa-linux-gnu/6/crtbeginT.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:788: recipe for target 'gpgv' failed

Full log is here:
https://buildd.debian.org/status/fetch.php?pkg=gnupg2&arch=hppa&ver=2.1.16-2&stamp=1479760527

The build will complete successfully if "-pie" is removed from the following
line in debian/rules:
         cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS -pie -static" gpgv

PIE support is not well tested on hppa.  Further, gcc on hppa is not built
with --enable-pie-default.  So, archive libraries and executable code are
not built by default with -fPIE.  So, in general, linking with -pie and -static
isn't going to work.
that's a bummer, since it means that ASLR isn't going to work for hppa,
which leaves hppa users more vulnerable to certain kinds of attack.
Understood.

I plan on resolving this in the next upload with a change like the following:

--- a/debian/rules
+++ b/debian/rules
@@ -14,6 +14,12 @@ include /usr/share/dpkg/architecture.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+all +ifeq ($(DEB_HOST_ARCH),hppa)
+       GPGV_STATIC_HARDENING = ""
+else
+       GPGV_STATIC_HARDENING = "-pie"
+endif
+
  %:
        dh $@ --with=autoreconf --builddirectory=build
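Review bot: the double quotes in `GPGV_STATIC_HARDENING = ""` and `GPGV_STATIC_HARDENING = "-pie"` are literal characters to make, not quoting, so the variable holds the two characters `""` on hppa and `"-pie"` with its quotes elsewhere; the recipe below only works because those quote characters land inside the shell's own double-quoted `LDFLAGS="..."` string and the adjacent quoted segments concatenate. Drop them: `GPGV_STATIC_HARDENING =` for the hppa branch and `GPGV_STATIC_HARDENING = -pie` for the else branch. Placing the conditional after `include /usr/share/dpkg/architecture.mk` is right, since that is what defines `DEB_HOST_ARCH`; note that the archive has run the `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` context line and the `+ifeq ($(DEB_HOST_ARCH),hppa)` line together, which are two separate lines in the file.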
@@ -36,7 +42,7 @@ override_dh_auto_build-arch:
        dh_auto_build --builddirectory=build
        cp -a build-gpgv-udeb build-gpgv-static
        rm -f build-gpgv-static/g10/gpgv
-       cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS -pie -static" 
gpgv
+       cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS 
$(GPGV_STATIC_HARDENING) -static" gpgv
        mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static
override_dh_auto_build-indep:
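Review bot: the new `cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv` recipe is shown wrapped onto two lines here (trailing `gpgv` alone on the next line, as is the line it replaces); in debian/rules it must remain a single tab-indented recipe line, so the hunk as quoted will not apply with `patch` until rejoined. Since on hppa this keeps `-static` and drops only `-pie`, gpgv-static on that architecture is built as a non-PIE binary; that trade-off (no ASLR for that binary on hppa, as discussed above) deserves a line in debian/changelog.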


Please let me know if you think this could be improved.
The patch looks good.

Thanks,

Dave

--
John David Anglin  dave.ang...@bell.net
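Added example, not from the thread or the Debian gnupg2 packaging: a configure-style probe that asks the toolchain whether it can actually link `-pie -static`, instead of keying the flag on the architecture name, plus a check that reports whether a linked binary came out position-independent (ET_DYN) or fixed (ET_EXEC), which is what decides whether ASLR can apply to it. The function names, the use of `${CC:-cc}`, and the reliance on binutils `readelf` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gnupg2 packaging or the mail thread above).
# Probe the toolchain for static-PIE support rather than hardcoding
# DEB_HOST_ARCH. Assumes ${CC:-cc} is a gcc-compatible driver.

# Print "-pie" if a trivial program links with "-pie -static", else print
# an empty line. Mirrors the failure mode in the report: on a toolchain whose
# crtbeginT.o is not PIC the link fails and no flag is emitted.
static_pie_flag() {
    cc="${CC:-cc}"
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/probe.c" <<'EOF'
int main(void) { return 0; }
EOF
    if "$cc" -fPIE -pie -static -o "$tmp/probe" "$tmp/probe.c" >/dev/null 2>&1; then
        printf '%s\n' '-pie'
    else
        printf '\n'
    fi
    rm -rf "$tmp"
}

# Report whether a linked ELF binary is position independent.
# A PIE executable has ELF type DYN; a traditional fixed-address executable
# has type EXEC. Only a DYN executable can be relocated by ASLR.
# Assumes readelf from binutils is on PATH.
elf_pie_type() {
    case "$(readelf -h "$1" 2>/dev/null | sed -n 's/^ *Type: *//p')" in
        DYN*)  echo pie ;;
        EXEC*) echo fixed ;;
        *)     echo unknown ;;
    esac
}

# Usage mirroring the debian/rules recipe from the thread:
#   make LDFLAGS="$LDFLAGS $(static_pie_flag) -static" gpgv
#   elf_pie_type gpgv    # "pie" if ASLR can apply, "fixed" otherwise
```

Inside a make recipe the probe result would be passed in through the shell (for example by running it before invoking `$(MAKE)` and exporting the result), since make's own `$(...)` cannot call a shell function defined in the recipe.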
