from:"Balint Reczey"

Bug#812127: login: wrong German error message

2017-01-20 Thread Balint Reczey

Control: tags -1 help moreinfo

Hi,

On Wed, 20 Jan 2016 21:33:21 +0100 "B. Ruva"  wrote:
> Package: login
> Version: 1:4.2-3.1
> Severity: l10n
> 
> Dear Maintainer,
> 
> the following error message of 'login':
> 
> "Cannot possibly work without effective root"
> 
> is translated into German as:
> 
> "Arbeit ohne effektive root-Rechte eventuell nicht mÃ¶glich"
> 
> This wrong and pretty misleading. It means something like:
> 
> "It is perhaps not possible to work without effective root"
> 
> I would translate the original error message as:
> 
> "Kann unmÃ¶glich ohne effektive root-Rechte arbeiten"

I need help here for sure.

My wife says the proposed solution does not sound good and I don't speak
German thus I can't make a decision here. :-)

Please someone from the l10n team take a look and review the translations.

Cheers,
Balint

Bug#791661: [Pkg-shadow-devel] Bug#791661: patches

2017-01-21 Thread Balint Reczey

Control: tags -1 moreinfo patch upstream

Hi,

On Fri, 18 Sep 2015 10:27:11 +0100 Dimitri John Ledkov
 wrote:
> Hello,
> 
> On 18 September 2015 at 08:13, Michael Vogt  wrote:
> > Hi,
> >
> > looks like the actual patches are missing for some reason. Attached
> > are the two patches that add support for libnss-extrausers.
> >
> 
> These patches look weird. Are these used to manipulate
> /var/lib/extrausers/* ? and why not use systemd-sysusers for that?
> 
> E.g. in clearlinux.org we have sysusers.d config files, which at build
> time are used to generate {passwd,group,shadow,...}
> 
> The patches that we have for shadow (and i believe i have even
> published some of them) go further - that is they load information
> from both databases and allow manipulating it. Such that kvm group is
> defined in altfiles location, yet one can still add users to said
> group. In those patches a lookup is done to alternative location, and
> the entry is copied across into the writable /etc/group, if one wants
> custom user accounts to be added into a "system" group. There we use
> libnss-altfiles modules.
> 
> Could you please elaborate how this patch fits together and used in
> Ubuntu / snappy? If it's never interactive, why not use
> systemd-sysusers support then?

Could you please upstream [1] the Ubuntu or the ClearLinux version?
I would happily update the package with the fix, but I would prefer one
you could agree on.

Cheers,
Balint

[1] https://github.com/shadow-maint/shadow

Bug#620898: Moving bash from essential/required to important

2017-01-21 Thread Balint Reczey

Control: tags -1 confirmed

Hi,

On Sat, 27 Sep 2014 21:14:46 -0500 Troy Benjegerdes  wrote:
> So can we have a prerm script for bash that sets the root
> shell back to /bin/sh, or at least asks the admin if they want
> zsh or tcsh, and warns about any other users?
> 
> Any of this stuff of trying to have login figure out the 
> right shell seems like a new remote exploit in the making.

It is too late for making changes related to this bug in Stretch. :-(
In the next cycle we will evaluate switching to login implementatiln in
util-linux per #833256. This bug may be solved by the switch or later in
util-linux.

Cheers,
Balint

Bug#853249: ruby-minitar: diff for NMU version 0.5.4-3.1

2017-01-31 Thread Balint Reczey

Hi All,

On Mon, 30 Jan 2017 09:42:19 +0100 Salvatore Bonaccorso
 wrote:
> Hi Markus,
> 
> On Mon, Jan 30, 2017 at 09:28:35AM +0100, Markus Frosch wrote:
> > On 30.01.2017 07:08, Salvatore Bonaccorso wrote:
> > > I've prepared an NMU for ruby-minitar (versioned as 0.5.4-3.1) and
> > > uploaded it to DELAYED/5. Please feel free to tell me if I
> > > should delay it longer.
> > 
> > Thanks Salvatore, I'm perfectly fine with that.
> 
> Ok, if you want I can as well reshedule to get the fix faster.
> 
> > Should I take care about the migration to stretch? Or is there some
> > new auto-security mechanism? :)
> 
> There is no aut-security mechanism no ;-). So we need to ask a unblock
> request. If you want to take care of it, it is appreciated. Otherwise
> I put it on my TODO list.

I have uploaded the fix for ruby-archive-tar-minitar in wheezy and I
would happily do it for jessie, too.

Cheers,
Balint

Bug#841403: debian-policy: Allow (encourage?) PIC static libraries

2016-12-18 Thread Balint Reczey

Hi,

On Tue, 25 Oct 2016 08:25:02 +0200 Mathieu Malaterre 
wrote:

> Underway: https://bugs.debian.org/837478

I afraid the policy change won't be implemented thus mupdf needs to
provide a separate _pic postfixed PIC library on its own to let shared
libraries embed it.

The other option would be providing a shared library which needs to be
PIC according to current policy.

Libmupdf.a can already be linked to executables, even PIE ones, thanks
to the latest upload which has been built with a GCC enabling PIE for
static libraries, too.

Cheers,
Balint

Bug#848830: dcmtk: remote stack buffer overflow CVE-2015-8979

2016-12-19 Thread Balint Reczey

Package: dcmtk
Severity: grave
Version: 3.6.0-15
Tags: security

Hi,

the following vulnerability was published for dcmtk.

CVE-2015-8979[0]:
remote stack buffer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8979
Please adjust the affected versions in the BTS as needed.

Bug#849038: libgd2: CVE-2016-9933: imagefilltoborder stackoverflow on truecolor images

2016-12-21 Thread Balint Reczey

Package: libgd2
Severity: serious
Tags: security

Hi,

the following vulnerability was published for libgd2.

CVE-2016-9933[0]:
imagefilltoborder stackoverflow on truecolor images

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933
Please adjust the affected versions in the BTS as needed.

Bug#816664: Useless in Debian

2016-12-23 Thread Balint Reczey

Hi David,

Control: notfound -1 2.97a.20150601+dfsg-1

On Thu, 3 Mar 2016 15:18:51 -0400 David =?iso-8859-1?Q?Pr=E9vot?=
 wrote:
> Package: libjs-soundmanager2
> Version: 2.97a.20150601+dfsg-1
> Severity: serious
> 
> [ Filled as an RC-bug by the maintainer to see the package auto-removed
>   from testing. ]
> 
> I recently packaged libjs-soundmanager2 as used by owncloud-music, but
> owncloud is going away, see #816376. There is a priori little point to
> release libjs-soundmanager2 in a stable Debian release.
> 
> I intend to follow up with an RM request in a few months if nobody
> objects (but feel free to beat me to it).

Please keep the package in Debian for at least Stretch.

Kodi upstream recently switched to a new web interface which uses
soundmanager2 and to provide the same web interface in Debian I need to
have it packaged.

Cheers,
Balint

PS: Closing the bug since the package is not useless anymore. In a few
days I plan uploading the new reverse dependency.

Bug#823704: ping?

2016-12-28 Thread Balint Reczey

Hi Wouter,

On Wed, 28 Dec 2016 12:49:00 +0100 Wouter Verhelst 
wrote:
> Hi,
> 
> I filed #823704 back in may of this year, noting that the libcec3v4
> package made kodi crash. A reply was sent that you'd asked for a binNMU
> of kodi, but that hasn't materialized thus far AFAICS.
> 
> What's the status of this?

I made several uploads to kodi since then instead of binNMU-ing it. I
think the the problem should be gone now.
Do you still see it crashing? (I don't, but I don't have any TV with CEC.)

Cheers,
Balint

Bug#842090: libwmf: CVE-2016-9011

2016-10-27 Thread Balint Reczey

On Tue, 25 Oct 2016 22:10:34 +0200 Salvatore Bonaccorso
 wrote:
> Hi,
> 
> the following vulnerability was published for libwmf. Opening the bug
> to track the issue in the Debian BTS.
> 
> CVE-2016-9011[0]:
> memory allocation failure in wmf_malloc (api.c)
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9011

Fedora has already released a fix, which I have updated for Debian.
Please see it in the attached patch.

Origin per Fedora package's [1] changelog:

* Wed Oct 26 2016 Caolán McNamara  - 0.2.8.4-49
- Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len
against max seekable position

Cheers,
Balint

[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=812787
--- ./src/player.c.orig	2016-10-27 23:17:53.076604344 +0200
+++ ./src/player.c	2016-10-27 23:20:15.271078052 +0200
@@ -140,7 +140,30 @@
 		return (API->err);
 	}
 
- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
+	if (nMaxRecordSize)
+	{
+		//before allocating memory do a sanity check on size by seeking
+		//to claimed end to see if its possible. We're constrained here
+		//by the api and existing implementations to not simply seeking
+		//to SEEK_END. So use what we have to skip to the last byte and
+		//try and read it.
+		const long nPos = WMF_TELL (API);
+		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
+		if (ERR (API))
+		{	WMF_DEBUG (API,"bailing...");
+			return (API->err);
+		}
+		int byte = WMF_READ (API);
+		if (byte == (-1))
+		{	WMF_ERROR (API,"Unexpected EOF!");
+		   	API->err = wmf_E_EOF;
+		   	return (API->err);
+		}
+		WMF_SEEK (API, nPos);
+	}
+
+ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");

Bug#833841: kodi: Checks fail at TestSystemInfo.GetOsVersion when building package

2016-11-03 Thread Balint Reczey

Control: fixed -1 17.0~alpha3+dfsg1-1

Hi,

On Tue, 9 Aug 2016 13:02:39 +0200 Simon Frei  wrote:
> In the meantime I realised there is already a patch for the tests, so I 
> updated it such that it works in my case (see attached patch).

Thank you for the report and the patch.
The build is not failing now for failing tests thus I think we don't
need to patch this failing test out.

Cheers,
Balint

Bug#838051: kodi: Embedded libsquish library now available in debian

2016-11-03 Thread Balint Reczey

Control: notfound -1 17.0~alpha3+dfsg1-1
Control: found -1  16.1+dfsg1-2

Hi Wookey,

On Mon, 26 Sep 2016 11:46:50 +0200 =?UTF-8?B?QsOhbGludCBSw6ljemV5?=
 wrote:
> Hi Wookey,
> 
> 2016-09-25 0:49 GMT+02:00 Wookey :
> > On 2016-09-24 14:14 +0200, BÃ¡lint RÃ©czey wrote:
> >> Control: tags -1 upstream fixed-upstream pending
> >> Control: notfound -1 17.0~alpha3+dfsg1-1
> >>
> >> Hi Wookey,

> >>
> >> 2016-09-17 2:26 GMT+02:00 Wookey :
> >
> >> > The changes have also been sent upstream and will hopefully appear
> >> > in libsquish 1.14 at some point.
> >
> > This has now happened, so I just uploaded 1.14. (no functional changes over 
> > 1.13-3)
> >
> >> Thank you for packaging libsquish.
> >> Kodi upstream dropped many embedded code copies recently including
> >> libsquish in 17.x.
> >> Experimental already has a kodi version without libsquish.
> >
> > You mean that it doesn't actually use it any more?
> 
> Yes, upstream stopped using it before the removal:
> 
> commit 7d9b190a0a87a23ad2108889b20840be9b759fb8
> Author: Stefan Saraev 
> Date:   Sun Feb 7 22:02:38 2016 +0200
> 
> [guilib] remove libsquish usage
> ---
>  xbmc/guilib/DDSImage.cpp | 86
> ++
>  xbmc/guilib/DDSImage.h   | 21 -
>  xbmc/guilib/Texture.cpp  | 41 
> ++---
>  xbmc/guilib/TextureBundleXBT.cpp |  5 ++---
>  4 files changed, 26 insertions(+), 127 deletions(-)

Kodi 17 is now in unstable, this bug can be closed.

Cheers,
Balint

Bug#831591: ffmpeg: kodi crash

2016-11-03 Thread Balint Reczey

Control: forwarded -1 https://github.com/xbmc/xbmc/pull/10846
Control: tags -1 upstream


Hi Andreas,

On Fri, 14 Oct 2016 01:27:47 +0200 Andreas Cadhalpun
 wrote:
...

> 
> Hi,
> 
> The relevant backtrace from the kodi_crashlog is:
> 
> Thread 1 (Thread 0x7f1b6bffe700 (LWP 16893)):
> #0  0x7f1ba92991c8 in __GI_raise (sig=sig@entry=6) at 
> ../sysdeps/unix/sysv/linux/raise.c:54
> #1  0x7f1ba929a64a in __GI_abort () at abort.c:89
> #2  0x7f1ba92d4f4a in __libc_message (do_abort=do_abort@entry=2, 
> fmt=fmt@entry=0x7f1ba93cdb30 "*** Error in `%s': %s: 0x%s ***\n") at 
> ../sysdeps/posix/libc_fatal.c:175
> #3  0x7f1ba92da6b6 in malloc_printerr (action=3, str=0x7f1ba93ca909 
> "free(): invalid pointer", ptr=, ar_ptr=) at 
> malloc.c:5004
> #4  0x7f1ba92dae9e in _int_free (av=0x7f1ba9601b20 , 
> p=, have_lock=0) at malloc.c:3865
> #5  0x7f1baa6d4a9d in av_buffer_unref () from 
> /usr/lib/x86_64-linux-gnu/libavutil.so.55
> #6  0x7f1baa6e15d2 in av_frame_unref () from 
> /usr/lib/x86_64-linux-gnu/libavutil.so.55
> #7  0x7f1bab93cf10 in avcodec_decode_video2 () from 
> /usr/lib/x86_64-linux-gnu/libavcodec.so.57
> #8  0x0090b26c in CDVDDemuxFFmpeg::ParsePacket(AVPacket*) ()
> #9  0x0090d0c2 in CDVDDemuxFFmpeg::Read() ()
> #10 0x01079b53 in CDVDPlayer::ReadPacket(DemuxPacket*&, 
> CDemuxStream*&) ()
> #11 0x0107ecd7 in CDVDPlayer::Process() ()
> #12 0x012103ff in CThread::Action() ()
> #13 0x012106bf in CThread::staticThread(void*) ()
> #14 0x7f1bb23e5464 in start_thread (arg=0x7f1b6bffe700) at 
> pthread_create.c:333
> #15 0x7f1ba934d30d in clone () at 
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
> 
> Looking at the ParsePacket function reveals [1]:
> AVFrame picture;
> memset(&picture, 0, sizeof(AVFrame));
> picture.pts = picture.pkt_dts = picture.pkt_pts = 
> picture.best_effort_timestamp = AV_NOPTS_VALUE;
> picture.pkt_pos = -1;
> picture.key_frame = 1;
> picture.format = -1;
> 
> This is using non-public ABI, e.g. the size of AVFrame, while the 
> documentation
> explicitly says "sizeof(AVFrame) is not a part of the public ABI" [2].
> What's worse is that it doesn't use av_frame_alloc as required [3]:
> "AVFrame must be allocated using av_frame_alloc()."
> 
> The whole block quoted above should be replaced with:
> AVFrame *picture = av_frame_alloc().
> 
> Then the following code should use picture instead of &picture:
> avcodec_decode_video2(st->codec, picture, &got_picture, pkt);
> 
> And at the end it can be freed (instead of using av_frame_unref) with:
> av_frame_free(&picture);
> 
> In the experimental kodi branch there is another occurrence of this bug
> in xbmc/cores/VideoPlayer/VideoRenderers/HwDecRender/MMALRenderer.cpp.

Thank you for the triaging and extensive description of the problem.
I have now forwarded the patch to upstream under your name since I did
not really add anything to the patch.

> 
> Best regards,
> Andreas
> 
> 
> 1: 
> https://anonscm.debian.org/cgit/pkg-multimedia/kodi.git/tree/xbmc/cores/dvdplayer/DVDDemuxers/DVDDemuxFFmpeg.cpp?id=8d5cf423001aa4e7f850c20b158b2811e637e607#n1665
> 2: 
> https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/tree/libavutil/frame.h?id=87b93f4e3ee2b6253ab9f5a166860a1ff18877d5#n174
> 3: 
> https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/tree/libavutil/frame.h?id=87b93f4e3ee2b6253ab9f5a166860a1ff18877d5#n154
> 
>

Bug#816907: kodi: Crashes on shutdown

2016-11-04 Thread Balint Reczey

Control: fixed -1 17.0~beta5+dfsg1-1

On Sun, 06 Mar 2016 15:31:34 +0100 Valery Melou 
wrote:
> Package: kodi
> Version: 15.2+dfsg1-3
> Severity: normal
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
>* What led up to the situation?
>   I cliked on the shutdown button.
>* What exactly did you do (or not do) that was effective (or
>  ineffective)?
>   The shutdown was effective but created a kodi_crashlog file in my home 
> folder.
>* What was the outcome of this action?
>   The creation of that crash log file.
>* What outcome did you expect instead?
>   I expected the app to close without creating that file.

This seems to be fixed in latest version.

Cheers,
Balint

Bug#843166: kodi: block migration to testing untill all reverse dependencies are ready

2016-11-04 Thread Balint Reczey

Source: kodi
Version: 17.0~beta5+dfsg1-1
Severity: grave

To not break testing users' addon configuration I'm blocking kodi's
migration to testing until all addons are ready to migrate together.

Close this bug when all reverse dependencies are ready.

Cheers,
Balint

Bug#673208: xbmc: XBMC crash when launching videos

2016-11-04 Thread Balint Reczey

Control: fixed -1 17.0~beta5+dfsg1-1

On Fri, 27 Dec 2013 02:45:20 +0100 Balint Reczey
 wrote:
> tags 673208 moreinfo
> thanks
> 
> Hi,
> 
> Could you please try latest version from unstable?
> You can find XBMC's logs at ~/.xbmc/temp/xbmc.log
> 
> Thanks,
> Balint
> 
> On 05/17/2012 12:57 AM, bohwaz wrote:
> > Package: xbmc
> > Version: 2:11.0~git20120510.82388d5-1
> > Severity: important
> > 
> > On a fresh Debian Wheezy install, with either testing or unstable 
> > xbmc package, I can't play a video in XBMC, as it crashes Xorg.
> > 
> > Each time I try to play a video XBMC and Xorg crashes, it restarts
> > and I get this in syslog:
> > xbmc kernel: xbmc.bin[3707] trap invalid opcode ip:7f182ea7be19 
> >   sp:7fffd00205e8 error:0 in i915_dri.so[7f182e849000+36d000]
> > 
> > Thought it was a bug with i915 driver but with VESA it's the same,
> > except that the module in the log is different.
> > 
> > My graphic card is:
> > Intel Corporation 82945G/GZ Integrated Graphics Controller (rev 02)
> > 
> > on a Dell Optiplex GX280
> > 
> > XBMC crashlog ends on:
> > NOTICE: Using GL_TEXTURE_2D
> > NOTICE: GL: Shaders support not present, falling back to SW mode
> > NOTICE: GL: NPOT texture support detected
> > 
> > No error, nothing else.
> > 
> > Don't know if that's a problem from the card or from XBMC itself...

It was probably a DRI issue, but in case it was Kodi's fault it is
probably gone long ago. Please reopen if you hit this again.

Cheers,
Balint

Bug#751634: /usr/lib/xbmc/xbmc.bin: XBMC aborts when scrolling over some directory

2016-11-04 Thread Balint Reczey

Control: fixed -1 17.0~beta5+dfsg1-1

On Sun, 15 Jun 2014 16:38:32 -0700 =?UTF-8?B?QsOhbGludCBSw6ljemV5?=
 wrote:
> Hi Sjors,
> 
> 2014-05-30 16:40 GMT-07:00 Sjors Gielen :
> > Package: xbmc-bin
> > Version: 2:11.0~git20120510.82388d5-1+b1
> > Severity: important
> > File: /usr/lib/xbmc/xbmc.bin
> >
> > Since upgrading from Wheezy to Jessie, xbmc has started to crash (sometimes
> > SIGABRT, sometimes SIGSEGV) while scrolling through a directory of videos 
> > that
> > previously worked fine. The specific directory it crashes on tends to 
> > change a
> > bit, but there is one that has always made XBMC crash until now. Next to the
> > crash itself, this also means I cannot scroll past the directory in 
> > question,
> > unless I connect a mouse, therefore filing as important.
> Are you sure you performed a full upgrade? The package versions makes
> me think that you are still using Wheezy.
> The version shipped in Wheezy is not supported by upstream for a long time.
> If you would like to use xbmc on Wheezy please consider using the
> version available in wheezy-backports.

Closing due to no activity for years.
The bug if ever existed is probably gone.

Cheers,
Balint

Bug#745829: xbmc: crashing at start /usr/lib/xbmc/xbmc.bin: relocation error:

2016-11-04 Thread Balint Reczey

Control: notfound -1 2:13.0~beta4+dfsg1-1

On Thu, 26 Jun 2014 09:54:46 +0200 =?UTF-8?B?QsOhbGludCBSw6ljemV5?=
 wrote:
> 2014-04-26 1:55 GMT+02:00 Reinhard Tartler :
> > On Fri, Apr 25, 2014 at 12:25 PM, Michael Hatzold  wrote:
> >
> >>* What was the outcome of this action?
> >> ~$ xbmc
> >> /usr/lib/xbmc/xbmc.bin: relocation error: /usr/lib/i386-linux-
> >> gnu/i686/cmov/libavfilter.so.4: symbol sws_isSupportedEndiannessConversion,
> >> version LIBSWSCALE_2 not defined in file libswscale.so.2 with link time
> >> reference
> >>
> >
> > what exact version of the libswscale2 package do you have installed?
> Most probably you have -dmo packages installed. They donât always play
> nicely with official Debian packages and removing them would probably
> solve your problem.
> 
> To get the list of -dmo packages run:
> dpkg -l | grep '.*-dmo'

Closing the bug, the crash was probably caused by 3rd party packages.

Cheers,
Balint

Bug#772347: xbmc: bashism in /bin/sh script

2016-11-04 Thread Balint Reczey

Control: fixed -1 15.1+dfsg1-3

On Mon, 8 Dec 2014 15:12:27 +0100 =?UTF-8?B?QsOhbGludCBSw6ljemV5?=
 wrote:
> Control: severity -1 important
> Control: tags -1 confirmed pending
> 
> Hi Raphael,
> 
> Thank you for the bug report.
> 
> 2014-12-06 15:34 GMT+01:00 Raphael Geissert :
> > Package: xbmc
> > Severity: serious
> > Version: 2:13.2+dfsg1-4
> > User: debian-rele...@lists.debian.org
> > Usertags: goal-dash
> >
> > Hi,
> >
> > I've ran checkbashisms (from the 'devscripts' package) over the whole
> > archive and I found that your package has a /bin/sh script that uses a
> > "bashism".
> >
> > checkbashisms' output:
> >> possible bashism in ./usr/bin/xbmc line 81 (should be >word 2>&1):
> >> if which systemd-coredumpctl &> /dev/null; then
> >> possible bashism in ./usr/bin/xbmc line 82 (should be >word 2>&1):
> >>   systemd-coredumpctl dump -o core xbmc.bin &> /dev/null
> Those are bashisms indeed, but they are harmless IMO.
> I will include the fix in next upload, but since the package is quite
> big I wouldn't like to prepare an upload just to fix this bug.

The issue has been fixed in Kodi.

Cheers,
Balint

Bug#843166: kodi: block migration to testing untill all reverse dependencies are ready

2016-11-18 Thread Balint Reczey

Control: notfound -1 17.0~beta5+dfsg1-1

On Fri, 4 Nov 2016 11:58:21 -0300 Felipe Sateler 
wrote:
> On 4 November 2016 at 11:57, BÃ¡lint RÃ©czey  wrote:
> > Hi Felipe,
> >
> > 2016-11-04 15:50 GMT+01:00 Felipe Sateler :
> >> On 4 November 2016 at 11:21, Balint Reczey  wrote:
> >>> Source: kodi
> >>> Version: 17.0~beta5+dfsg1-1
> >>> Severity: grave
> >>>
> >>> To not break testing users' addon configuration I'm blocking kodi's
> >>> migration to testing until all addons are ready to migrate together.
> >>>
> >>> Close this bug when all reverse dependencies are ready.
> >>
> >> It seems to me that then kodi and the plugin should have stricter
> >> dependencies. Maybe kodi should Provides: kodi-plugin-$version and the
> >> plugins should Depend: on that?
> >
> > Yes, this is the plan and Tobias already offered implementing it later.

Tobias implemented providing various API versions in kodi and some
add-ons started using it already.
The rest of the addons will depend on the right API version with their
next upload.

Closing this bug since the kodi addons are ready.

Kodi can't yet migrate to testing due to mips* builds failing probably
because of a toolchain problem (#844227).

Cheers,
Balint

Bug#813940: forked-daapd: Fails to scrobble plays to lastfm

2016-11-20 Thread Balint Reczey

Control: fixed -1 24.2-1

On Wed, 9 Nov 2016 22:18:03 +0100 =?UTF-8?B?QsOhbGludCBSw6ljemV5?=
 wrote:
...
> 
> Hi Chris,
> 
> 2016-02-06 22:47 GMT+01:00 Chris Carr :
> > Package: forked-daapd
> > Version: 22.0-2
> > Severity: normal
> >
> > Dear Maintainer,
> >
> >* What led up to the situation?
> >
> > I played some songs and checked my lastfm profile
> >
> >* What exactly did you do (or not do) that was effective (or
> >  ineffective)?
> >
> > I followed the instructions to put my lastfm credentials into a temporary 
> > file
> > which would enable forked-daapd to obtain a lastfm session key when it 
> > started
> > up.
> >
> >* What was the outcome of this action?
> >
> > The log file (attached) shows that forked-daapd obtained a lastfm session 
> > key,
> > but none of my plays have been scrobbled.
> >
> >* What outcome did you expect instead?
> >
> > I expected each played track to be scrobbled, either as it finished, or 
> > every
> > hour, or something.
> 
> Upstream fixed the issue.

And I forgot closing this bug from the changelog. :-)

Cheers,
Balint

Bug#845272: ITP: libopenhmd -- API and drivers for immersive technology (shared library)

2016-11-21 Thread Balint Reczey

Package: wnpp
Owner: Balint Reczey 
Severity: wishlist
X-Debbugs-CC: debian-de...@lists.debian.org

* Package name: libopenhmd
  Version : 0.2.0
* URL : http://openhmd.net/
* License : BSL-1.0
  Programming Lang: FIXME
  Description : API and drivers for immersive technology (shared
library)

OpenHMD aims to provide a Free and Open Source API and drivers for
immersive technology, such as head mounted displays with built in head
tracking.

This package provides the shared library.

Bug#835107: libpthread-workqueue: FTBFS: Testsuite hangs

2017-01-08 Thread Balint Reczey

Control: severity -1 important
Control: tags -1 unreproducible moreinfo

Hi Daniel,

On Mon, 22 Aug 2016 08:18:19 -0700 Daniel Schepler 
wrote:
...
> 
> From my pbuilder build log (on amd64):
> 
> ...
>dh_auto_test
> make -j1 check VERBOSE=1
> make[1]: Entering directory '/build/libpthread-workqueue-0.9.1'
> make  test_api test_latency test_witem_cache
> make[2]: Entering directory '/build/libpthread-workqueue-0.9.1'
> gcc -DHAVE_CONFIG_H -I.   -Wdate-time -D_FORTIFY_SOURCE=2 -I./include
> -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c -o
> testing/api/test_api-test.o `test -f 'testing/api/test.c' || echo
> './'`testing/api/test.c
> /bin/bash ./libtool  --tag=CC   --mode=link gcc -I./include -g -O2
> -fstack-protector-strong -Wformat -Werror=format-security
> -Wl,-z,relro -o test_api testing/api/test_api-test.o
> libpthread_workqueue.la -lpthread -lrt
> libtool: link: gcc -I./include -g -O2 -fstack-protector-strong
> -Wformat -Werror=format-security -Wl,-z -Wl,relro -o .libs/test_api
> testing/api/test_api-test.o  ./.libs/libpthread_workqueue.so -lpthread
> -lrt
> gcc -DHAVE_CONFIG_H -I.   -Wdate-time -D_FORTIFY_SOURCE=2 -I./include
> -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c -o
> testing/latency/test_latency-latency.o `test -f
> 'testing/latency/latency.c' || echo './'`testing/latency/latency.c
> /bin/bash ./libtool  --tag=CC   --mode=link gcc -I./include -g -O2
> -fstack-protector-strong -Wformat -Werror=format-security
> -Wl,-z,relro -o test_latency testing/latency/test_latency-latency.o
> libpthread_workqueue.la -lpthread -lrt
> libtool: link: gcc -I./include -g -O2 -fstack-protector-strong
> -Wformat -Werror=format-security -Wl,-z -Wl,relro -o
> .libs/test_latency testing/latency/test_latency-latency.o
> ./.libs/libpthread_workqueue.so -lpthread -lrt
> gcc -DHAVE_CONFIG_H -I.   -Wdate-time -D_FORTIFY_SOURCE=2 -I./include
> -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c -o
> testing/witem_cache/test_witem_cache-test.o `test -f
> 'testing/witem_cache/test.c' || echo './'`testing/witem_cache/test.c
> /bin/bash ./libtool  --tag=CC   --mode=link gcc -I./include -g -O2
> -fstack-protector-strong -Wformat -Werror=format-security
> -Wl,-z,relro -o test_witem_cache
> testing/witem_cache/test_witem_cache-test.o libpthread_workqueue.la
> -lpthread -lrt
> libtool: link: gcc -I./include -g -O2 -fstack-protector-strong
> -Wformat -Werror=format-security -Wl,-z -Wl,relro -o
> .libs/test_witem_cache testing/witem_cache/test_witem_cache-test.o
> ./.libs/libpthread_workqueue.so -lpthread -lrt
> make[2]: Leaving directory '/build/libpthread-workqueue-0.9.1'
> make  check-TESTS
> make[2]: Entering directory '/build/libpthread-workqueue-0.9.1'
> make[3]: Entering directory '/build/libpthread-workqueue-0.9.1'
> 
> At this point, the build hangs and has to be interrupted.

The package builds fine for me in sbuild. The issue may be specific to
pbuilder/local configuration or is gone.

Is the build still failing for you?

Cheers,
Balint

Bug#760994: fixed in libv8-3.14 3.14.5.8-11

2017-01-10 Thread Balint Reczey

Hi,

I took Ubuntu's patch and now the package builds fine for ppc64el but
ppc and powerpc are still failing.

I would welcome help from porters in patching the remaining parts.

Cheers,
Balint

PS: Thanks for the patches which are already applied.

On Tue, 10 Jan 2017 15:06:25 + Balint Reczey
 wrote:
> Source: libv8-3.14
> Source-Version: 3.14.5.8-11
> 
> We believe that the bug you reported is fixed in the latest version of
> libv8-3.14, which is due to be installed in the Debian FTP archive.
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 760...@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Balint Reczey  (supplier of updated libv8-3.14 
> package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmas...@ftp-master.debian.org)
> 
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Format: 1.8
> Date: Tue, 10 Jan 2017 15:26:12 +0100
> Source: libv8-3.14
> Binary: libv8-dev libv8-3.14-dev libv8-3.14.5 libv8-3.14-dbg
> Architecture: source
> Version: 3.14.5.8-11
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Javascript Maintainers 
> 
> Changed-By: Balint Reczey 
> Description:
>  libv8-3.14-dbg - V8 JavaScript engine - debugging symbols
>  libv8-3.14-dev - V8 JavaScript engine - development files for 3.14 branch
>  libv8-3.14.5 - V8 JavaScript engine - runtime library
>  libv8-dev  - V8 JavaScript engine - development files for latest branch
> Closes: 749288 760994 798590 812304 831161
> Changes:
>  libv8-3.14 (3.14.5.8-11) unstable; urgency=medium
>  .
>[ Balint Reczey ]
>* Fix FTBFS due to this == NULL tests (Closes: #831161)
>* Increase stack size for failing test to make it pass
>* Fix test failures by disabling optimizations (Closes: #812304)
>* Use -fno-delete-null-pointer-checks C++ flag instead of disabling all 
> optimizations
>* Add support for powerpc, ppc and ppc64el platform merging patch from 
> Ubuntu
>  (Closes: #760994)
>* Target default mips variant instead of loongson to fix FTBFS (Closes: 
> #798590)
>* Sync d/control and d/control.in
>* Keep old ABI to prevent symbol changes due to libcxx11 (GCC 5) transition
>  .
>[ Peter Michael Green ]
>* Add Raspbian support to configuration logic (Closes: #749288)
> Checksums-Sha1:
>  072317392512c9197d3502352bdb5297a5d22b5d 2690 libv8-3.14_3.14.5.8-11.dsc
>  bb33be6b85e830276b7a762ee25b9d414b4b3bb7 324764 
> libv8-3.14_3.14.5.8-11.debian.tar.xz

Bug#844162: src:kodi: validation failure with new fontforge

2017-01-13 Thread Balint Reczey

Control: severity -1 minor
Control: tags -1 confirmed upstream
Control: forwarded -1 https://github.com/fontforge/fontforge/issues/2920


Hi Adam,

On Sat, 12 Nov 2016 22:08:03 +0100 Adam Borowski 
wrote:
> Package: src:kodi
> Version: 17.0~beta5+dfsg1-1
> Severity: normal
> 
> Hi!
> The new version of fontforge, just uploaded to unstable, has a more stringent
> validator, which causes:
> 
> fontforge -script /<>/kodi-17.0~beta5+dfsg1/debian/mergefonts.ff \
> /usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf \
> /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf \
> /<>/kodi-17.0~beta5+dfsg1/media/Fonts/arial.ttf
> Copyright (c) 2000-2014 by George Williams. See AUTHORS for Contributors.
>  License GPLv3+: GNU GPL version 3 or later 
>  with many parts BSD . Please read LICENSE.
>  Based on sources from 20161112-ML-D.
>  Based on source from git with hash:
> Cannot find your hotkey definition file!
> This font contains both a 'kern' table and a 'GPOS' table.
>   The 'kern' table will only be read if there is no 'kern' feature in 'GPOS'.
> Use-my-metrics flag set on at least two components in glyph 685
> The glyph named Omega is mapped to U+03A9.
>   But its name indicates it should be mapped to U+2126.
> 
> I don't know the first two problems, but the last one is caused by a
> confusion between U+03A9 GREEK CAPITAL LETTER OMEGA and U+2126 OHM SIGN;
> in an Adobe name list used by fontforge for some strange reason the name
> "Omega" maps to the latter.  The list was apparently changed by Adobe some
> time ago, between fontforge 20120731 and 20161005.  A workaround is to
> explicitly use "Omega.greek".  There's some discussion at:
> https://github.com/fontforge/fontforge/issues/2920

Thanks for the report!

It luckily does not break the build nor cause visible problems AFAIK in
kodi.

We will see how it gets resolved at fontforge or at the font upstreams.

Cheers,
Balint

Bug#849849: rabbitmq-server: CVE-2016-9877

2017-01-05 Thread Balint Reczey

Hi,

On Sun, 01 Jan 2017 12:13:30 +0100 Salvatore Bonaccorso
 wrote:
...

> 
> Hi,
> 
> the following vulnerability was published for rabbitmq-server.
> 
> CVE-2016-9877[0]:
> | An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x
> | before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before
> | 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport)
> | connection authentication with a username/password pair succeeds if an
> | existing username is provided but the password is omitted from the
> | connection request. Connections that use TLS with a client-provided
> | certificate are not affected.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9877
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877
> [1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98
> [2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96
> 
> Please adjust the affected versions in the BTS as needed. I was only
> able to check the vulnerability sourcewise for 3.6.5 in unstable,
> older version have not been checked so far.

I'm attaching a proposed patch for jessie which builds fine but has not
been tested further.

Wheezy is not affected since the vulnerable mqtt plugin is not present.

Cheers,
Balint
>From 157948d86d391a325ac9702f78976c175ced58be Mon Sep 17 00:00:00 2001
From: Daniil Fedotov 
Date: Mon, 5 Sep 2016 12:33:49 +0100
Subject: [PATCH] Auth issue fix 039a3c22e57bf77b325d19494a9b20cd745f1ea7
 backport
 .
 Backported to Debian Jessie's 3.3.5-1.1 by Balint Reczey as part of the
 LTS work.

---
 src/rabbit_mqtt_processor.erl | 63 ++-
 test/Makefile |  2 +-
 test/src/com/rabbitmq/mqtt/test/MqttTest.java | 12 +
 3 files changed, 45 insertions(+), 32 deletions(-)

--- a/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl
+++ b/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl
@@ -75,7 +75,13 @@
 _ ->
 case creds(Username, Password) of
 nocreds ->
-rabbit_log:error("MQTT login failed - no credentials~n"),
+rabbit_log:error("MQTT login failed: no credentials provided~n"),
+{?CONNACK_CREDENTIALS, PState};
+{invalid_creds, {undefined, Pass}} when is_list(Pass) ->
+rabbit_log:error("MQTT login failed: no user username is provided"),
+{?CONNACK_CREDENTIALS, PState};
+{invalid_creds, {User, undefined}} when is_list(User) ->
+rabbit_log:error("MQTT login failed for ~p: no password provided", [User]),
 {?CONNACK_CREDENTIALS, PState};
 {UserBin, PassBin} ->
 case process_login(UserBin, PassBin, ProtoVersion, PState) of
@@ -370,20 +376,25 @@
 DefaultUser = rabbit_mqtt_util:env(default_user),
 DefaultPass = rabbit_mqtt_util:env(default_pass),
 Anon= rabbit_mqtt_util:env(allow_anonymous),
-U = case {User =/= undefined, is_binary(DefaultUser), Anon =:= true} of
- {true,  _,_   } -> list_to_binary(User);
- {false, true, true} -> DefaultUser;
- _   -> nocreds
-end,
-case U of
-nocreds ->
-nocreds;
-_ ->
-case {Pass =/= undefined, is_binary(DefaultPass), Anon =:= true} of
- {true,  _,_   } -> {U, list_to_binary(Pass)};
- {false, true, true} -> {U, DefaultPass};
- _   -> {U, none}
-end
+HaveDefaultCreds = Anon =:= true andalso
+   is_binary(DefaultUser) andalso
+   is_binary(DefaultPass),
+
+CredentialsProvided = User =/= undefined orelse
+  Pass =/= undefined,
+
+CorrectCredentials = is_list(User) andalso
+ is_list(Pass),
+
+case {CredentialsProvided, CorrectCredentials, HaveDefaultCreds} of
+%% Username and password take priority
+{true, true, _}  -> {list_to_binary(User),
+list_to_binary(Pass)};
+%% Either username or password is provided
+{true, false, _} -> {invalid_creds, {User, Pass}};
+%% Anonymous connection uses default credentials
+{false, false, true} -> {DefaultUser, DefaultPass};
+_   -> nocreds
 end.
 
 supported_subs_qos(?QOS_0) -> ?QOS_0;
--- a/plugins-src/rabbitmq-mqtt/test/M

Bug#833256: util-linux: Please use login/su/... implementations provided by util-linux

2017-01-06 Thread Balint Reczey


Hi,

On Tue, 2 Aug 2016 11:45:40 +0200 Andreas Henriksson 
wrote:
> Hello Laurent Bigonville.
> 
> Thanks for opening this bug report. I remember we've touched on this
> subject inside another bug report but I feel it's useful to have a
> separate on-topic discussion about this...
> 
> On Tue, Aug 02, 2016 at 11:01:56AM +0200, Laurent Bigonville wrote:
> > Package: util-linux
> > Version: 2.28-6
> > Severity: normal
> > 
> > Hi,
> > 
> > ATM, on debian, login, su, ... are provided by the shadow package.
> 
> Currently we use the --disable-login --disable-nologin and
> --disable-su configure flags when building util-linux in Debian
> because these are provided by the "login" package.
> 
> We also use --disable-chfn-chsh as that's provided by the "passwd"
> package.
> 
> Both "login" and "passwd" are built from src:shadow.
> 
> > 
> > It seems that all other distribution are using the implementations from
> > util-linux.
> 
> Yes.
> 
> > 
> > Shouldn't debian do the same and shouldn't we build the "login" from
> > util-linux?
> 
> It's not only these tools, but the entile login and authentication stack
> seems to have a different origin in Debian compared to other
> distributions. I'm sure you for example know better than me about the
> history about our PAM deviations from other distributions.
> I think this issue should be viewed in a broader perspective.
> 
> > 
> > This should of course be coordinated with the maintainer of the shadow
> > package.
> 
> Feedback from the shadow maintainer(s) would be very welcome/useful
> on this bug report.

I have just stepped up as a new shadow maintainer and I would support
the switch to the more widely used variants.

> 
> I think we should not only focus about a few tools that overlap between
> shadow and util-linux, but view this from a bigger perspective. Someone
> needs to draw the bigger picture, come up with a plan for how we'd like
> the future map to look like (and why we should do all this work).

Maybe discussing the bigger picture on
pkg-auth-maintain...@lists.alioth.debian.org would help the planning.

> 
> Also someone needs to make sure the different implementation of the
> tools are actually 100% compatible or what migrations we need to handle
> on package upgrades.
> 
> Please note that while "login" is Essential: yes, the "passwd" package
> is not. Things to keep in mind when expanding util-linux is that
> all tools then become Essential: yes which I think is unfortunate as
> we should strive to keep the essential set as small as possible.

Rebootstrapping [1] already covers util-linux thus I think building
login from util-linux would not cause big problems.

Cheers,
Balint

[1] https://anonscm.debian.org/cgit/users/helmutg/rebootstrap.git/

Bug#839827: freeimage: CVE-2016-5684

2016-10-05 Thread Balint Reczey

Hi,

On Wed, 05 Oct 2016 15:07:41 +0200 Salvatore Bonaccorso
 wrote:
> Source: freeimage
> Version: 3.17.0+ds1-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> the following vulnerability was published for freeimage.
> 
> CVE-2016-5684[0]:
> XMP Image Handling Code Execution Vulnerability
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-5684
> 
> Please adjust the affected versions in the BTS as needed. Only sid has
> been checked source wise in this case.

Jessie and Wheezy seem to be affected as well.

Cheers,
Balint

Bug#839865: kde-cli-tools: CVE-2016-7787

2016-10-05 Thread Balint Reczey

On Wed, 05 Oct 2016 21:48:58 +0200 Salvatore Bonaccorso
 wrote:
> Hi,
> 
> the following vulnerability was published for kde-cli-tools.
> 
> CVE-2016-7787[0]:
> kdesu: Displayed command truncated by unicode string terminator
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7787
> [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> 
> Please adjust the affected versions in the BTS as needed. I'm not sure
> if kde-runtime is as well affected (it looks source wise, since the
> same file can be patched).

It seems both Jessie and Wheezy are affected in some way.
Both show the command in the dialog, but on my vagrant VM installations
the string terminator was not interpreted on Wheezy, just on Jessie.

Test command: kdesudo ls $(printf 'aa\u9chidden')

On Jessie it shows the following dialog:
+---
|  ls aa[]hidden needs administrative privileges. Please eneter your
|  password.
|
| Command ls aa
| Password:|
| OK Cancel
+---
Thus the string terminator takes effect only once.

On Wheezy the dialog looks like this:
+---
|  ls aa[?]hidden needs administrative privileges. Please eneter your
|  password.
|
| Command ls aa[?]hidden
| Password:|
| OK Cancel
+---


[],[?] - block showing unknown unicode character

Cheers,
Balint

Bug#839686: forked-daapd: does not recreate stuff in /var/cache after deletion

2016-10-06 Thread Balint Reczey

Control: notfound -1 24.1-1+b1

Hi Dominik,

On Mon, 03 Oct 2016 23:23:26 +0200 Dominik George  wrote:
> Package: forked-daapd
> Version: 24.1-1+b1
> Severity: serious
> Justification: Policy 9.1.1
> 
> After deleting /var/cache/forked-daapd, forked-daapd cannot start up
> again because it fails to open the database.
> 
> forked-daapd seems to require its data files there, while the FHS
> unmistakably states:
> 
> "Unlike /var/spool, the cached files can be deleted without data loss.
> The data must remain valid between invocations of the application and
> rebooting the system.
> 
> Files located under /var/cache may be expired in an application specific
> manner, by the system administrator, or both. The application must
> always be able to recover from manual deletion of these files (generally
> because of a disk space shortage). No other requirements are made on the
> data format of the cache directories."

I have tested unstable's forked-daapd and if I remove cache files they
get recreated but the directory structure is not.

IMO it is unreasonable to think that removing the whole
/var/cache/forked-daapd directory can be deleted and is expected to be
recreated because many services drop root privileges thus can't create
dirs in /var/cache:

total 64
drwxr-xr-x 16 root  root 4096 Oct  6 20:56 .
drwxr-xr-x 11 root  root 4096 Sep  5 23:27 ..
drwxr-xr-x  3 root  root 4096 Sep  7 14:08 app-info
drwxr-xr-x  3 root  root 4096 Oct  6 20:56 apt
drwxr-xr-x  2 root  root 4096 Sep  7 14:08 cracklib
drwxr-xr-x  2 root  root 4096 Oct  5 09:25 debconf
drwxr-xr-x  2 root  root 4096 Sep  5 23:28 dictionaries-common
drwxr-xr-x  2 root  root 4096 Sep  8 20:40 fontconfig
drwxr-xr-x  2 root  root 4096 Feb 22  2016 fonts
drwxr-xr-x  2 daapd root 4096 Oct  6 21:01 forked-daapd
drwxr-xr-x  2 root  root 4096 Aug 31 08:28 gdm
drwx--  2 root  root 4096 Oct  6 20:56 ldconfig
drwx--x--x  3 root  root 4096 Sep  7 15:39 lightdm
drwxr-sr-x 37 man   root 4096 Oct  6 21:00 man
drwxr-xr-x  3 root  root 4096 Sep  7 14:08 PackageKit
drwxr-xr-x  2 root  root 4096 Aug 15 11:17 realmd

In my interpretation of the FHS the _files_ can be removed and are
expected to be recreated, while _directory structures_ need to be kept
for applications to operate.

Cheers,
Balint

Bug#837447: p8-platform: should not include prctl.h on non-linux

2016-10-08 Thread Balint Reczey

Hi Samuel,

On Sun, 11 Sep 2016 19:36:17 +0200 Samuel Thibault
 wrote:
> Source: p8-platform
> Version: 2.0.1+dfsg1-2
> Severity: important
> Tags: patch upstream
> User: debian-h...@lists.debian.org
> User-tags: hurd
> 
> Hello,
> 
> p8-platform inconditionally includes , which is a
> linux-only header. The attached patch makes it only include it on Linux,
> thus fixing debian package builds using p8-platforms, e.g. libcec, on
> kfreebsd & hurd.

According to build status last time it built fine:

 https://buildd.debian.org/status/package.php?p=p8-platform&suite=sid

Has Hurd changed since then?

I'm OK with applying the patch, but would like to know that first.

Cheers,
Balint

Bug#835146: dpkg: please enable bindow hardening flag by default

2016-10-10 Thread Balint Reczey

Dear Guillem,

On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey  wrote:
...
> Dear Guillem,
> 
> As a continuation of the discussions [1][2] on debian-devel I'm
> attaching the simple patch that implements enabling the bindnow
> hardening flags.
> 
> I'm continuing with the rebuild/autopkgtest tests according to
> the Dpkg FAQ, hence the moreinfo tag.

The rebuild (with PIE and bindnow enabled) resulted ~1000 FTBFS
cases from which all seem to be related to enabling PIE by
default [3].

~70 of the filed related bugs [4] are still open.

Since the rebuild was run with tests enabled this seems to be a
good indication that we can expect very few breakages from
enabling bindnow by default.

Running autopkgtest would need more work as AFAIK there is no
automated method for doing it like rebuilds [5].

I'm wondering if you find the autopkgtest round necessary for
this change.

Cheers,
Balint

> 
> Cheers,
> Balint
> 
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

[3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[4] 
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable
[5] https://wiki.debian.org/qa.debian.org/ArchiveTesting

Bug#835149: dpkg: please adapt setting the default pie hardening flag to gcc's new defaults

2016-09-03 Thread Balint Reczey

Hi Guillem,

Many packages fail to build due to gcc ... -shared -no-pie ... failing.
I have reported the issue to GCC but they don't seem to fix that:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464

The proposed workarounds don't seem to be viable in Debian thus I
propose making the -pie dpkg hardening flag a noop instead of passing
-no-pie and friends as compiler/ flags like in the proposed patch.
This is not symmetric but consistent with Ubuntu's way of enabling PIE.

What do you think?

Cheers,
Balint

On Tue, 23 Aug 2016 00:29:00 +0200 Balint Reczey
 wrote:
> Package: dpkg
> Version: 1.18.10
> Severity: wishlist
> Tags: patch moreinfo
> 
> Dear Guillem,
> 
> As a continuation of the discussions [1][2] on debian-devel I'm
> attaching the simple patch that changes dpkg's pie hardening flag
> to adapt to GCC's new default settings proposed in #835148.
> 
> I'm continuing with the rebuild/autopkgtest tests according to
> the Dpkg FAQ, hence the moreinfo tag.
> 
> Cheers,
> Balint
> 
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>

Bug#836849: libtesseract-dev: Please depend on libleptonica-dev

2016-09-06 Thread Balint Reczey

Package: libtesseract-dev
Version: 3.04.01-4
Severity: wishlist


Dear Maintainers,

I faced the following error while building ffmpeg with tesseract support:

...
Package lept was not found in the pkg-config search path.
Perhaps you should add the directory containing `lept.pc'
to the PKG_CONFIG_PATH environment variable
Package 'lept', required by 'tesseract', not found
ERROR: tesseract not found using pkg-config
...

Installing libleptonica-dev fixed the problem, thus please include it
among libtesseract-dev's dependencies.

Thanks,
Balint

Bug#818201: marked as pending

2016-10-25 Thread Balint Reczey

Hi,

On Sat, 24 Sep 2016 13:36:07 + Balint Reczey
 wrote:
> tag 818201 pending
> thanks
> 
> Hello,
> 
> Bug #818201 reported by you has been fixed in the Git repository. You can
> see the changelog below, and you can check the diff of the fix at:
> 
> http://git.debian.org/?p=pkg-multimedia/kodi.git;a=commitdiff;h=a979624

I plan uploading kodi 17 beta4 to unstable next week which will fix this
bug.

Cheers,
Balint

Bug#837350: binutils: Please build libbfd.a with -fPIC

2016-09-10 Thread Balint Reczey

Source: binutils
Version: 2.27-8
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes ocaml FTBFS on amd64 with extra hardening
Tags: patch
Affects: ocaml

Dear Maintainers,

During a rebuild of all packages in sid, ocaml failed to build on
amd64 with patched GCC and dpkg. The root cause seems to be that
libbfd.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of ocaml's build log:
...
gcc -o objinfo_helper -O -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 
-D_REENTRANT \
  objinfo_helper.c -Wl,-Bstatic -lbfd -Wl,-Bdynamic -ldl -liberty -lz
/usr/bin/ld: 
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libbfd.a(format.o): 
relocation R_X86_64_32S against symbol `binary_vec' can not be used when making 
a shared object; recompile with -fPIC
/usr/bin/ld: 
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libbfd.a(hash.o): 
relocation R_X86_64_32 against `.rodata' can not be used when making a shared 
object; recompile with -fPIC
/usr/bin/ld: 
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libbfd.a(libbfd.o): 
relocation R_X86_64_32 against `.rodata' can not be used when making a shared 
object; recompile with -fPIC
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/ocaml_4.02.3-7_amd64.build.gz

The attached patch fixed the problem.

Thanks,
Balint

diff -u binutils-2.27/debian/changelog binutils-2.27/debian/changelog
--- binutils-2.27/debian/changelog
+++ binutils-2.27/debian/changelog
@@ -1,3 +1,10 @@
+binutils (2.27-8+rbalint0) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Build libbfd with -fPIC
+
+ -- Balint Reczey   Sat, 10 Sep 2016 15:53:07 +0200
+
 binutils (2.27-8) unstable; urgency=medium
 
   * Fix diversion updates for 32bit x86 targets.
diff -u binutils-2.27/debian/patches/series binutils-2.27/debian/patches/series
--- binutils-2.27/debian/patches/series
+++ binutils-2.27/debian/patches/series
@@ -12,6 +12,7 @@
 130_gold_disable_testsuite_build.patch
 131_ld_bootstrap_testsuite.patch
 135_bfd_version.patch
+136_bfd_pic.patch
 157_ar_scripts_with_tilde.patch
 #158_ld_system_root.patch
 161_gold_dummy_zoption.diff
only in patch2:
unchanged:
--- binutils-2.27.orig/debian/patches/136_bfd_pic.patch
+++ binutils-2.27/debian/patches/136_bfd_pic.patch
@@ -0,0 +1,25 @@
+Author: Balint Reczey 
+Description: Build libbfd with -fPIC to allow linking with PIE binaries
+
+--- ./bfd/Makefile.am.bak	2016-09-10 16:26:46.062371030 +0200
 ./bfd/Makefile.am	2016-09-10 16:27:48.913724681 +0200
+@@ -51,7 +51,7 @@
+ 
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ if PLUGINS
+ bfdinclude_HEADERS += $(INCDIR)/plugin-api.h
+--- ./bfd/Makefile.in.bak	2016-09-10 16:26:53.009857349 +0200
 ./bfd/Makefile.in	2016-09-10 16:27:31.886983240 +0200
+@@ -387,7 +387,7 @@
+ # case both are empty.
+ ZLIB = @zlibdir@ -lz
+ ZLIBINC = @zlibinc@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ @PLUGINS_TRUE@LIBDL = @lt_cv_dlopen_libs@
+

Bug#837359: ocaml: Please build libasmrun.a with -fPIC

2016-09-10 Thread Balint Reczey

Source: ocaml
Version: 4.02.3-7
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes other ocaml packages FTBFS with extra hardening
Tags: patch
Affects: advi alt-ergo approx ara atdgen ben biniou bin-prot caml2html 
caml-crush camlimages camlmix camlp5 camomile cduce coccinelle coinst 
comparelib confluence coq cppo cryptokit cudf custom-printf dochelp dose3 eliom 
enumerate extlib fieldslib freetennis geneweb gmetadom haxe herelib janest-core 
janest-core-extended janest-core-kernel js-build-tools js-of-ocaml jsonm 
kalzium laby lambda-term libguestfs liquidsoap marionnet matita menhir 
mingw-ocaml misery mlpost monotone-viz mtasc oasis obus ocaml-atd ocaml-base64 
ocaml-batteries ocaml-benchmark ocamlbricks ocamlcreal ocaml-csv 
ocaml-data-notation ocaml-deriving-ocsigen ocamldsort ocaml-estring 
ocaml-expect ocaml-extunix ocaml-fileutils ocaml-gettext ocamlgraph ocamlgsl 
ocaml-ipaddr ocaml-libvirt ocaml-melt ocamlmod ocaml-re ocaml-re2 ocaml-reins 
ocaml-res ocamlrss ocaml-sqlexpr ocaml-sqlite3 ocaml-textutils ocaml-usb 
ocamlviz ocaml-zarith ocp-indent ocsigenserver opam optcomp orpie ounit 
pa-bench pagodacf pa-ounit pa-structural-sexp pa-test pcre-ocaml pdfsandwich 
perl4caml pgocaml pipebang postgresql-ocaml ppx-core ppx-deriving ppx-driver 
ppx-optcomp ppx-sexp-conv ppx-type-conv prooftree scilab sexplib310 spamoracle 
supermin type-conv typerep tyxml unison utop uuidm variantslib virt-top why3 
wyrd xml-light xmlm yojson zed

Dear Maintainers,

During a rebuild of all packages in sid, many ocaml packages
failed to build on amd64 with patched GCC and dpkg. The root cause
seems to be that libasmrun.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of advi's build log:
...
/usr/bin/ocamlopt -o advi \
 -I /usr/lib/ocaml/camlimages  \
events.o grwm.o grY11.o /usr/lib/ocaml/camlimages/camlimages_core.cmxa 
/usr/lib/ocaml/graphics
.cmxa /usr/lib/ocaml/camlimages/camlimages_graphics.cmxa 
/usr/lib/ocaml/camlimages/camlimages_ps.cmxa 
/usr/lib/ocaml/camlimages/camlimages_freetype.cmxa unix.cmxa str.cmxa 
config.cmx misc.cmx timeout.cmx 
ageometry.cmx options.cmx rc.cmx userfile.cmx graphicsY11.cmx 
global_options.cmx busy.cmx gradient.cmx gterm.cmx launch.cmx dvicolor.cmx 
shot.cmx laser_pointer.cmx symbol.cmx input.cmx table.cmx pkfont.cmx ttfont.cmx 
jfm.cmx search.cmx font.cmx glyph.cmx devfont.cmx adviUnits.cmx dimension.cmx 
dvi.cmx drawimage.cmx gs.cmx transimpl.cmx embed.cmx grdev.cmx addons.cmx 
scratch.cmx cdvi.cmx driver.cmx thumbnails.cmx dviview.cmx main.cmx \
-cclib -lXinerama -cclib -lcamlimages_freetype
/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(startup.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(fail.o): relocation R_X86_64_32 against 
symbol `caml_exn_Failure' can not be used when making a shared object; 
recompile with -fPIC
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/advi_1.10.2-2_amd64.build.gz

The attached patch fixed the problem.

Thanks,
Balint


diff -Nru ocaml-4.02.3/debian/patches/0012-Use-pic.patch ocaml-4.02.3/debian/patches/0012-Use-pic.patch
--- ocaml-4.02.3/debian/patches/0012-Use-pic.patch	1970-01-01 01:00:00.0 +0100
+++ ocaml-4.02.3/debian/patches/0012-Use-pic.patch	2016-09-10 13:38:10.0 +0200
@@ -0,0 +1,17 @@
+Description: Generate Position Independent Code
+ This is needed for building Position Independent Executables
+Author: Balint Reczey 
+
+--- ocaml-4.02.3.orig/configure
 ocaml-4.02.3/configure
+@@ -1015,6 +1015,10 @@ fi
+ bytecccompopts="$bytecccompopts -D_FILE_OFFSET_BITS=64"
+ nativecccompopts="$nativecccompopts -D_FILE_OFFSET_BITS=64"
+ 
++# Use PIC
++
++nativecccompopts="$nativecccompopts -fPIC"
++
+ # Check the semantics of signal handlers
+ 
+ if sh ./hasgot sigaction sigprocmask; then
diff -Nru ocaml-4.02.3/debian/patches/series ocaml-4.02.3/debian/patches/series
--- ocaml-4.02.3/debian/patches/series	2016-07-15 22:20:10.0 +0200
+++ ocaml-4.02.3/debian/patches/series	2016-09-10 13:36:09.0 +0200
@@ -9,3 +9,4 @@
 0010-Enable-ocamldoc-to-build-reproducible-manpages.patch
 0010-Add-a-.file-directive-to-generated-.s-files.patch
 0011-Compatibility-with-x32-architecture.patch
+0012-Use-pic.patch

Bug#837363: cpputest: Please build libCppUTest.a with -fPIC

2016-09-10 Thread Balint Reczey

Source: cpputest
Version: 3.8-3
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes other packages FTBFS with extra hardening
Tags: patch
Affects: bzflag


Dear Maintainers,

During a rebuild of all packages in sid, other packages
failed to build on amd64 with patched GCC and dpkg. The root cause
seems to be that libCppUTest.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of bzflag's build log:
...
/bin/bash ../libtool --silent  --tag=CXX  --silent --mode=link g++ -lCppUTest 
-g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat 
-Werror=format-security  -Wl,-z,relro -Wl,-z,now -Wl,--as-needed  -o unittests 
unittests-tests.o unittests-bans.o unittests-AccessControlList.o 
../src/common/libCommon.la -lc -lm  -lpthread
/usr/bin/ld: 
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libCppUTest.a(lib_libCppUTest_a-CommandLineTestRunner.o):
 relocation R_X86_64_32S against symbol `_ZTV21CommandLineTestRunner' can not 
be used when making a shared object; recompile with -fPIC
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/bzflag_2.4.6-1_amd64.build.gz

Thanks,
Balint

Bug#712228: Your mail

2016-09-10 Thread Balint Reczey

Control: severity -1 important
Control: user bal...@balintreczey.hu
Control: usertags -1 pie-bindnow-20160906
Control: tags -1 patch

Hi,

I'm facing this issue, too, preparing the transition to PIE be
enabled by default on many architectures, like in Ubuntu.

https://wiki.debian.org/Hardening/PIEByDefaultTransition

Ubuntu carries a bigger patch disabling PIE for amd64 and
other architectures where PIE is enabled in GCC by default:

https://patches.ubuntu.com/g/ghc/ghc_7.10.3-9ubuntu1.patch

Please merge the patch to make PIE disabled in d/rules for
the architectures it will be enabled by default in GCC.

The proposed patch for GCC lists all of those architectures
in #835148.

An other option would be bootstrapping GHC in Debian with
-fPIC, but I'm not sure if this is viable.

Thanks,
Balint

PS: Around 70% of the packages which FTBFS with PIE by default
are failing due to this bug thus it would be nice if the fix
could be applied soon.

On Thu, 2 Jan 2014 18:24:48 + (GMT) Gianfranco Costamagna
 wrote:
> Hi Joachim and Thomas,
> 
>  
> this bug [1] seems to be really similar to that one
> https://ghc.haskell.org/trac/ghc/ticket/3668
> 
> maybe somewhere debian is overriding the GHC flags and pie is added?
> Bests,
> 
> Gianfranco

Bug#837359: ocaml: Please build libasmrun.a with -fPIC

2016-09-11 Thread Balint Reczey

Control: retitle -1 ocaml: Please build libasmrun.a and libcamlrun.a with -fPIC 
Control: affects -1 + findlib galax mlgmp nss-passwords ocamlnet ocurl omake

On Sat, 10 Sep 2016 23:27:05 +0200 Balint Reczey  wrote:
> Source: ocaml
> Version: 4.02.3-7
> Severity: important
> User: bal...@balintreczey.hu
> Usertags: pie-bindnow-20160906
> Justification: makes other ocaml packages FTBFS with extra hardening
> Tags: patch
> Affects: advi alt-ergo approx ara atdgen ben biniou bin-prot caml2html 
> caml-crush camlimages camlmix camlp5 camomile cduce coccinelle coinst 
> comparelib confluence coq cppo cryptokit cudf custom-printf dochelp dose3 
> eliom enumerate extlib fieldslib freetennis geneweb gmetadom haxe herelib 
> janest-core janest-core-extended janest-core-kernel js-build-tools 
> js-of-ocaml jsonm kalzium laby lambda-term libguestfs liquidsoap marionnet 
> matita menhir mingw-ocaml misery mlpost monotone-viz mtasc oasis obus 
> ocaml-atd ocaml-base64 ocaml-batteries ocaml-benchmark ocamlbricks ocamlcreal 
> ocaml-csv ocaml-data-notation ocaml-deriving-ocsigen ocamldsort ocaml-estring 
> ocaml-expect ocaml-extunix ocaml-fileutils ocaml-gettext ocamlgraph ocamlgsl 
> ocaml-ipaddr ocaml-libvirt ocaml-melt ocamlmod ocaml-re ocaml-re2 ocaml-reins 
> ocaml-res ocamlrss ocaml-sqlexpr ocaml-sqlite3 ocaml-textutils ocaml-usb 
> ocamlviz ocaml-zarith ocp-indent ocsigenserver opam optcomp orpie ounit 
> pa-bench pagodacf pa-ounit pa-structural-sexp pa-test pcre-ocaml pdfsandwich 
> perl4caml pgocaml pipebang postgresql-ocaml ppx-core ppx-deriving ppx-driver 
> ppx-optcomp ppx-sexp-conv ppx-type-conv prooftree scilab sexplib310 
> spamoracle supermin type-conv typerep tyxml unison utop uuidm variantslib 
> virt-top why3 wyrd xml-light xmlm yojson zed
> 
> Dear Maintainers,
> 
> During a rebuild of all packages in sid, many ocaml packages
> failed to build on amd64 with patched GCC and dpkg. The root cause
> seems to be that libasmrun.a is shipped as a non-PIC library.
> 

Also affects some packages through libasmrun.a.

All the build logs can be found in 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/

Cheers,
Balint

Bug#837393: aespipe: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: aespipe
Version: 2.4c-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
x86_64-linux-gnu-gcc  -o aespipe aespipe.o aes-amd64.o md5-amd64.o
md5-2x-amd64.o aes-intel64.o sha512.o rmd160.o
/usr/bin/ld: aes-amd64.o: relocation R_X86_64_32S against `.rodata' can
not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:26: recipe for target 'aespipe' failed
make[1]: *** [aespipe] Error 1
make[1]: Leaving directory '/<>'
debian/rules:45: recipe for target 'build-stamp' failed
make: *** [build-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/aespipe_2.4c-1_amd64.build.gz


Thanks,
Balint

Bug#837394: angband: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: angband
Version: 3.5.1-2.1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Tags: patch
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
ESC[KESC[33mCompiling
ESC[1mz-textblock.cESC[m^OESC[33m...ESC[m^O^MESC[KESC[32mSuccessfully
compiled
ESC[1mz-textblock.cESC[m^OESC[32m.ESC[m^O
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/angband_3.5.1-2.1_amd64.build.gz

The issue is fixed in Ubuntu:
https://patches.ubuntu.com/a/angband/angband_1:3.5.1-2.1ubuntu1.patch

Thanks,
Balint

Bug#837399: antpm: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: antpm
Version: 1.18-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
make[4]: Entering directory '/<>/cmake-build'
[ 83%] Building CXX object
CMakeFiles/antpm-usbmon2ant.dir/antpm-usbmon2ant.cpp.o
[ 83%] Building CXX object
CMakeFiles/antpm-downloader.dir/antpm-downloader.cpp.o
[ 87%] Building CXX object CMakeFiles/antpm-fit2gpx.dir/antpm-fit2gpx.cpp.o
[ 91%] Linking CXX executable antpm-usbmon2ant
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libboost_program_options.a(cmdline.o):
relocation R_X86_64_32 against `.rodata.str1.8' can not be used when
making a shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libboost_program_options.a(options_description.o):
relocation R_X86_64_32 against `.rodata.str1.8' can not be used when
making a shared object; recompile with -fPIC
...


The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/antpm_1.18-1_amd64.build.gz

Dynamic linking to boost would probably fix the problem.

Thanks,
Balint

Bug#837400: bwctl: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: bwctl
Version: 1.5.4+dfsg1-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
checking whether optreset is declared... no
checking whether fseeko is declared... yes
checking for library containing I2AddrByNode... no
configure: error: Couldn't find I2util library
"tail -v -n +0 config.log"
==> config.log <==
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by bwctl configure 1.5.4, which was
generated by GNU Autoconf 2.63.  Invocation command line was

  $ ./configure --build=x86_64-linux-gnu --prefix=/usr
--includedir=${prefix}/include --mandir=${prefi
x}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc
--localstatedir=/var --disable-silent-ru
les --libdir=${prefix}/lib/x86_64-linux-gnu
--libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-main
tainer-mode --disable-dependency-tracking --with-thrulay=no
--enable-iperf --enable-nuttcp
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/bwctl_1.5.4+dfsg1-1_amd64.build.gz

Thanks,
Balint

Bug#837402: condor: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: condor
Version: 8.4.8~dfsg.1-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
[ 34%] Linking CXX executable condor_mips
cd "/<>/obj-x86_64-linux-gnu/src/condor_sysapi" &&
/usr/bin/cmake -E cmake_link_script CM
akeFiles/condor_mips.dir/link.txt --verbose=1
/usr/bin/c++   -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Werror=
format-security -Wdate-time -D_FORTIFY_SOURCE=2  -std=c++11 -DWITH_IPV6
-g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat -Werror=format-security
-Wdate-time -D_FORTIFY_SOURCE
=2  -fPIC -Wall -W -Wextra -Wfloat-equal -Wendif-labels -Wpointer-arith
-Wcast-qual -Wcast-align -Wvol
atile-register-var -Wno-error=unused-local-typedefs
-Wdeprecated-declarations -Wno-error=deprecated-de
clarations -fstack-protector -rdynamic -g   -Wl,-z,relro -Wl,-z,now
-Wl,-z,relro -Wl,--warn-once -Wl,-
-warn-common -ldl -pthread CMakeFiles/condor_mips.dir/mips_main.cpp.o
CMakeFiles/condor_mips.dir/dhry21a.cpp.o
CMakeFiles/condor_mips.dir/__/condor_utils/utc_time.cpp.o
CMakeFiles/condor_mips.dir/__/condor_utils/condor_version.cpp.o  -o
condor_mips -rdynamic -Wl,-rpath,/usr/lib:/usr/lib/condor
/usr/bin/ld: CMakeFiles/condor_mips.dir/dhry21a.cpp.o: relocation
R_X86_64_32 against symbol `Arr_2_Glob' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
src/condor_sysapi/CMakeFiles/condor_mips.dir/build.make:172: recipe for
target 'src/condor_sysapi/condor_mips' failed

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/condor_8.4.8~dfsg.1-1_amd64.build.gz

Thanks,
Balint

Bug#837403: connectome-workbench: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: connectome-workbench
Version: 1.2.3-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
/usr/bin/c++   -fopenmp -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat
 -Werror=format-security -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
-Wl,-z,relro -Wl,-z,now -Wl,--as
-needed CMakeFiles/wb_command.dir/wb_command.cxx.o
CMakeFiles/wb_command.dir/qrc_resources.cxx.o  -o w
b_command -rdynamic ../Commands/libCommands.a
../Operations/libOperations.a ../Algorithms/libAlgorithm
s.a ../OperationsBase/libOperationsBase.a ../Brain/libBrain.a -lftgl
../Files/libFiles.a ../Annotation
s/libAnnotations.a ../Palette/libPalette.a ../Gifti/libGifti.a
../Cifti/libCifti.a ../Nifti/libNifti.a
 ../Charting/libCharting.a ../FilesBase/libFilesBase.a
../Scenes/libScenes.a ../Xml/libXml.a ../Common/libCommon.a
../Quazip/libQuazip.a -lfreetype -lQtGui -lQtXml -lQtNetwork -lQtCore
-lOSMesa -lGL -Wl,-Bstatic -lGLU -Wl,-Bdynamic -lz
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libGLU.a(error.o):
relocation R_X86_64_32 against `.rodata' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libGLU.a(glue.o):
relocation R_X86_64_32S against `.rodata' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libGLU.a(mipmap.o):
relocation R_X86_64_32 against `.text' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libGLU.a(tess.o):
relocation R_X86_64_32S against `.text' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libGLU.a(render.o):
relocation R_X86_64_32S against `.text' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libGLU.a(sweep.o):
relocation R_X86_64_32S against hidden symbol `__gl_noCombineData' can
not be used when making a shared object
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
CommandLine/CMakeFiles/wb_command.dir/build.make:419: recipe for target
'CommandLine/wb_command' failed

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/connectome-workbench_1.2.3-1_amd64.build.gz

Dynamically linking to libGLU would probably fix the problem.

Thanks,
Balint

Bug#837404: cvm: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: cvm
Version: 0.96-1.2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
./ltload cvm-pwfile libcvm-module.la -lbg /usr/lib/bglibs/libpwcmp.a
`cat crypt.lib` `cat socket.lib`
/usr/bin/ld: /usr/lib/bglibs/libpwcmp.a(client.o): relocation
R_X86_64_32 against `.rodata.str1.1' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:110: recipe for target 'cvm-pwfile' failed
make[1]: *** [cvm-pwfile] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/cvm_0.96-1.2_amd64.build.gz

Dynamic linking against libbg would probably solve the problem.

Thanks,
Balint

Bug#586572: libdpkg-dev: libdpkg is not built position-independent (-fPIC)

2016-09-11 Thread Balint Reczey

Control: affects -1 debsig-verify

Hi Guillem,

On Tue, 22 Jun 2010 14:32:27 +0200 Guillem Jover  wrote:

> Hi!
> 
> On Sun, 2010-06-20 at 19:12:46 +0200, Denis Washington wrote:
> > Package: libdpkg-dev
> > Version: 1.15.7.2
> > Severity: normal
> > Tags: patch
> > 
> > I am trying to build a shared library where libdpkg.a (from libdpkg-dev
> > 1.15.7.2, installed on Ubuntu 10.04) should be linked into. I get the
> > following error, though:
> > 
> > /usr/bin/ld: /usr/lib/dpkg/libdpkg.a(database.o): relocation R_X86_64_32S 
> > against `.bss' can not be used when making a shared object; recompile with 
> > -fPIC
> > 
> > This is because the objects in libdpkg.a are not compiled to
> > position-independent code (with gcc -fPIC). I believe that should be
> > done, though, to make using libdpkg.a in shared libraries possible.
> 
> As explained on the mailing list, this will not be enough for your
> purposes anyway.
> 
> > Attached is a trivial patch that adds -fPIC to CFLAGS.
> 
> But then if we were to provide a PIC enabled library, we'd have to
> build it twice w/ and w/o PIC (to something like libdpkg-pic.a), as
> the normal static library should not be PIC enabled. But right now
> I'd rather not, as other libraries might start exposing libdpkg through
> other shared libraries, when there's no guarantees of stability at all.

Recent discussion on debian devel suggests that it is a better
practice to use -fPIC even for static libraries:
https://lists.debian.org/debian-devel/2016/05/msg00309.html

I faced this issue while testing enabling PIE (and bindnow) for
whole ports.

Please see debsig-verify's build log here:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/debsig-verify_0.15_amd64.build.gz

At the moment there is now way to enable PIE for debsig-verify
due to this bug.

I understand that you don't want to ship a shared library thus
please build libdpkg.a with -fPIC.

Thanks,
Balint

Bug#837417: ctn: Please build libctn.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: ctn
Version: 3.2.0~dfsg-3
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes dicomnifti FTBFS on amd64 with extra hardening
Affects: dicomnifti

Dear Maintainers,

During a rebuild of all packages in sid, dicomnifti failed to build on
amd64 with patched GCC and dpkg. The root cause seems to be that
libbfd.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of dicomnifti's build log:
...
[ 57%] Linking CXX executable dinifti
/usr/bin/cmake -E cmake_link_script CMakeFiles/dinifti.dir/link.txt
--verbose=1
/usr/bin/c++   -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Werror=
format-security -Wdate-time -D_FORTIFY_SOURCE=2-Wl,-z,relro
-Wl,-z,now CMakeFiles/dinifti.dir/src/
dinifti.cc.o CMakeFiles/dinifti.dir/src/dicomInfo.cc.o
CMakeFiles/dinifti.dir/src/niftiout.cc.o  -o di
nifti -rdynamic /usr/lib/ctn/libctn.a -lniftiio -lznz
/usr/bin/ld: /usr/lib/ctn/libctn.a(condition.o): relocation R_X86_64_32
against `.bss' can not be used
 when making a shared object; recompile with -fPIC

...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/dicomnifti_2.32.1-1_amd64.build.gz

The attached patch fixed the problem.

Thanks,
Balint


diff -u binutils-2.27/debian/changelog binutils-2.27/debian/changelog
--- binutils-2.27/debian/changelog
+++ binutils-2.27/debian/changelog
@@ -1,3 +1,10 @@
+binutils (2.27-8+rbalint0) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Build libbfd with -fPIC
+
+ -- Balint Reczey   Sat, 10 Sep 2016 15:53:07 +0200
+
 binutils (2.27-8) unstable; urgency=medium
 
   * Fix diversion updates for 32bit x86 targets.
diff -u binutils-2.27/debian/patches/series binutils-2.27/debian/patches/series
--- binutils-2.27/debian/patches/series
+++ binutils-2.27/debian/patches/series
@@ -12,6 +12,7 @@
 130_gold_disable_testsuite_build.patch
 131_ld_bootstrap_testsuite.patch
 135_bfd_version.patch
+136_bfd_pic.patch
 157_ar_scripts_with_tilde.patch
 #158_ld_system_root.patch
 161_gold_dummy_zoption.diff
only in patch2:
unchanged:
--- binutils-2.27.orig/debian/patches/136_bfd_pic.patch
+++ binutils-2.27/debian/patches/136_bfd_pic.patch
@@ -0,0 +1,25 @@
+Author: Balint Reczey 
+Description: Build libbfd with -fPIC to allow linking with PIE binaries
+
+--- ./bfd/Makefile.am.bak	2016-09-10 16:26:46.062371030 +0200
 ./bfd/Makefile.am	2016-09-10 16:27:48.913724681 +0200
+@@ -51,7 +51,7 @@
+ 
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ if PLUGINS
+ bfdinclude_HEADERS += $(INCDIR)/plugin-api.h
+--- ./bfd/Makefile.in.bak	2016-09-10 16:26:53.009857349 +0200
 ./bfd/Makefile.in	2016-09-10 16:27:31.886983240 +0200
+@@ -387,7 +387,7 @@
+ # case both are empty.
+ ZLIB = @zlibdir@ -lz
+ ZLIBINC = @zlibinc@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ @PLUGINS_TRUE@LIBDL = @lt_cv_dlopen_libs@
+

Bug#837420: dietlibc: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: dietlibc
Version: 0.34~cvs20160606-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
gcc -D__dietlibc__ -isystem include -Os -fstrict-aliasing
-momit-leaf-frame-pointer -mfancy-math-387  -g -W -Wall -Wextra
-Wchar-subscripts -Wmissing-prototypes -Wmissing-declarations
-Wno-switch -Wno-unused -Wredundant-decls -Wshadow
-fstack-protector-strong -nostdlib -o bin-x86_64/diet bin-x86_64/start.o
bin-x86_64/dyn_start.o diet.c bin-x86_64/dietlibc.a
bin-x86_64/dyn_stop.o -DDIETHOME=\"/<>\"
-DVERSION=\"0.34~cvs20160606-2\" -lgcc
/usr/bin/ld: bin-x86_64/dietlibc.a(stackgap.o): relocation R_X86_64_32
against `.rodata.str1.1' can not be used when making a shared object;
recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:362: recipe for target 'bin-x86_64/diet' failed

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/dietlibc_0.34~cvs20160606-2_amd64.build.gz

Thanks,
Balint

Bug#837421: emacs24: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: emacs24
Version: 24.5+1-6
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Tags: patch upstream
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
else \
  ./temacs --batch --load loadup bootstrap || exit 1; \
  test "X" = X ||  -zex emacs; \
  mv -f emacs bootstrap-emacs; \
fi
/bin/bash: line 7: 26680 Segmentation fault  ./temacs --batch --load
loadup bootstrap
Makefile:815: recipe for target 'bootstrap-emacs' failed
make[3]: *** [bootstrap-emacs] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/emacs24_24.5+1-6_amd64.build.gz

Ubuntu already fixed the issue by disabling PIE:
https://patches.ubuntu.com/e/emacs24/emacs24_24.5+1-6ubuntu3.patch

It would be even better to build with PIE, but apparently
upstream knows about the problem but could not find a fix yet:
https://lists.gnu.org/archive/html/bug-gnu-emacs/2015-03/msg01059.html

Thanks,
Balint

Bug#837423: jack-audio-connection-kit: Please build libjack.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: jack-audio-connection-kit
Version: 1:0.124.1+20140122git5013bed0-3
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes espeakup FTBFS on amd64 with extra hardening
Affects: espeakup

Dear Maintainers,

During a rebuild of all packages in sid, espeakup failed to build on
amd64 with patched GCC and dpkg. The root cause seems to be that
libjack.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of espeakup's build log:
...
cc -g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong
-Wformat -Werror=format-secur
ity -Os -MMD -Wall   -c -o stringhandling.o stringhandling.c
cc -u _Unwind_Resume -u __gcc_personality_v0 -u _Unwind_ForcedUnwind -u
_Unwind_GetCFA -u _Unwind_GetB
SP -lgcc_s  espeakup.o cli.o espeak.o queue.o signal.o softsynth.o
stringhandling.o  /usr/lib/x86_64-l
inux-gnu/libespeak.a /usr/lib/x86_64-linux-gnu/libsonic.a
/usr/lib/x86_64-linux-gnu/libportaudio.a /us
r/lib/x86_64-linux-gnu/libjack.a -lm -lpthread -lasound -lrt -o espeakup
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_front.o):
relocation R_X86_64_32 against `.ro
data.str1.8' can not be used when making a shared object; recompile with
-fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_unix_util.o):
relocation R_X86_64_32 against
`.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_linux_alsa.o):
relocation R_X86_64_32 against
 `.rodata.str1.8' can not be used when making a shared object; recompile
with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_jack.o):
relocation R_X86_64_32 against `.rod
ata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_unix_oss.o):
relocation R_X86_64_32 against `.rodata.str1.8' can not be used when
making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_converters.o):
relocation R_X86_64_32S against `.rodata' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_cpuload.o):
relocation R_X86_64_32 against `.rodata' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_process.o):
relocation R_X86_64_32 against `.rodata' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libjack.a(libjack_la-client.o):
relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
making a shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/x86_64-linux-gnu/libjack.a(libjack_la-messagebuffer.o):
relocation R_X86_64_32S against `.bss' can not be used when making a
shared object; recompile with -fPIC
/u
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/espeakup_0.80-1_amd64.build.gz

Thanks,
Balint


diff -u binutils-2.27/debian/changelog binutils-2.27/debian/changelog
--- binutils-2.27/debian/changelog
+++ binutils-2.27/debian/changelog
@@ -1,3 +1,10 @@
+binutils (2.27-8+rbalint0) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Build libbfd with -fPIC
+
+ -- Balint Reczey   Sat, 10 Sep 2016 15:53:07 +0200
+
 binutils (2.27-8) unstable; urgency=medium
 
   * Fix diversion updates for 32bit x86 targets.
diff -u binutils-2.27/debian/patches/series binutils-2.27/debian/patches/series
--- binutils-2.27/debian/patches/series
+++ binutils-2.27/debian/patches/series
@@ -12,6 +12,7 @@
 130_gold_disable_testsuite_build.patch
 131_ld_bootstrap_testsuite.patch
 135_bfd_version.patch
+136_bfd_pic.patch
 157_ar_scripts_with_tilde.patch
 #158_ld_system_root.patch
 161_gold_dummy_zoption.diff
only in patch2:
unchanged:
--- binutils-2.27.orig/debian/patches/136_bfd_pic.patch
+++ binutils-2.27/debian/patches/136_bfd_pic.patch
@@ -0,0 +1,25 @@
+Author: Balint Reczey 
+Description: Build libbfd with -fPIC to allow linking with PIE binaries
+
+--- ./bfd/Makefile.am.bak	2016-09-10 16:26:46.062371030 +0200
 ./bfd/Makefile.am	2016-09-10 16:27:48.913724681 +0200
+@@ -51,7 +51,7 @@
+ 
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ if PLUGINS
+ bfdinclude_HEADERS += $(INCDIR)/plugin-api.h
+--- ./bfd/Makefile.in.bak	2016-09-10 16:26:53.009857349 +0200
 ./bfd/Makefile.in	2016-09-10 16:27:31.886983240 +0200
+@@ -387,7 +387,7 @@
+ # case both are empty.
+ ZLIB = @zlibdir@ -lz
+ ZLIBINC = @zlibinc@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIB

Bug#837425: deets: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: deets
Version: 0.2.1-4
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
gcc -DHAVE_CONFIG_H -I. -I..   -Wdate-time -D_FORTIFY_SOURCE=2
-I/usr/include/lua5.1 -DDEETS_LUADIR=\"
/usr/share/deets\" -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Wer
ror=format-security -c -o luau-luau.o `test -f 'luau.c' || echo '../'`luau.c
../luau.c: In function 'dpkg_status':
../luau.c:88:7: error: 'stat_notinstalled' undeclared (first use in this
function)
  case stat_notinstalled:
   ^
../luau.c:88:7: note: each undeclared identifier is reported only once
for each function it appears in
../luau.c:91:7: error: 'stat_configfiles' undeclared (first use in this
function)
  case stat_configfiles:
   ^~~~
../luau.c:94:7: error: 'stat_halfinstalled' undeclared (first use in
this function)
  case stat_halfinstalled:
   ^~
../luau.c:97:7: error: 'stat_unpacked' undeclared (first use in this
function)
  case stat_unpacked:
   ^
../luau.c:100:7: error: 'stat_halfconfigured' undeclared (first use in
this function)
  case stat_halfconfigured:
   ^~~
../luau.c:103:7: error: 'stat_triggersawaited' undeclared (first use in
this function)
  case stat_triggersawaited:
   ^~~~
../luau.c:106:7: error: 'stat_triggerspending' undeclared (first use in
this function)
  case stat_triggerspending:
   ^~~~
../luau.c:109:7: error: 'stat_installed' undeclared (first use in this
function)
  case stat_installed:
   ^~
Makefile:364: recipe for target 'luau-luau.o' failed
make[2]: *** [luau-luau.o] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/deets_0.2.1-4_amd64.build.gz

Thanks,
Balint

Bug#837424: portaudio19: Please build libportaudio.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: portaudio19
Version: 19+svn20140130-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes espeakup FTBFS on amd64 with extra hardening
Affects: espeakup

Dear Maintainers,

During a rebuild of all packages in sid, espeakup failed to build on
amd64 with patched GCC and dpkg. The root cause seems to be that
libportaudio.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of espeakup's build log:
...
cc -g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong
-Wformat -Werror=format-secur
ity -Os -MMD -Wall   -c -o stringhandling.o stringhandling.c
cc -u _Unwind_Resume -u __gcc_personality_v0 -u _Unwind_ForcedUnwind -u
_Unwind_GetCFA -u _Unwind_GetB
SP -lgcc_s  espeakup.o cli.o espeak.o queue.o signal.o softsynth.o
stringhandling.o  /usr/lib/x86_64-l
inux-gnu/libespeak.a /usr/lib/x86_64-linux-gnu/libsonic.a
/usr/lib/x86_64-linux-gnu/libportaudio.a /us
r/lib/x86_64-linux-gnu/libjack.a -lm -lpthread -lasound -lrt -o espeakup
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_front.o):
relocation R_X86_64_32 against `.ro
data.str1.8' can not be used when making a shared object; recompile with
-fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_unix_util.o):
relocation R_X86_64_32 against
`.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libportaudio.a(pa_linux_alsa.o):
relocation R_X86_64_32 against
 `.rodata.str1.8' can not be used when making a shared object; recompile
with -fPIC
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/espeakup_0.80-1_amd64.build.gz

Thanks,
Balint



diff -u binutils-2.27/debian/changelog binutils-2.27/debian/changelog
--- binutils-2.27/debian/changelog
+++ binutils-2.27/debian/changelog
@@ -1,3 +1,10 @@
+binutils (2.27-8+rbalint0) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Build libbfd with -fPIC
+
+ -- Balint Reczey   Sat, 10 Sep 2016 15:53:07 +0200
+
 binutils (2.27-8) unstable; urgency=medium
 
   * Fix diversion updates for 32bit x86 targets.
diff -u binutils-2.27/debian/patches/series binutils-2.27/debian/patches/series
--- binutils-2.27/debian/patches/series
+++ binutils-2.27/debian/patches/series
@@ -12,6 +12,7 @@
 130_gold_disable_testsuite_build.patch
 131_ld_bootstrap_testsuite.patch
 135_bfd_version.patch
+136_bfd_pic.patch
 157_ar_scripts_with_tilde.patch
 #158_ld_system_root.patch
 161_gold_dummy_zoption.diff
only in patch2:
unchanged:
--- binutils-2.27.orig/debian/patches/136_bfd_pic.patch
+++ binutils-2.27/debian/patches/136_bfd_pic.patch
@@ -0,0 +1,25 @@
+Author: Balint Reczey 
+Description: Build libbfd with -fPIC to allow linking with PIE binaries
+
+--- ./bfd/Makefile.am.bak	2016-09-10 16:26:46.062371030 +0200
 ./bfd/Makefile.am	2016-09-10 16:27:48.913724681 +0200
+@@ -51,7 +51,7 @@
+ 
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ if PLUGINS
+ bfdinclude_HEADERS += $(INCDIR)/plugin-api.h
+--- ./bfd/Makefile.in.bak	2016-09-10 16:26:53.009857349 +0200
 ./bfd/Makefile.in	2016-09-10 16:27:31.886983240 +0200
+@@ -387,7 +387,7 @@
+ # case both are empty.
+ ZLIB = @zlibdir@ -lz
+ ZLIBINC = @zlibinc@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ @PLUGINS_TRUE@LIBDL = @lt_cv_dlopen_libs@
+

Bug#837433: cargo: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: cargo
Version: 0.11.0-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
   Compiling strsim v0.3.0 (registry file:///<>/vendor/index)
 Running `rustc 
.cargohome/registry/src/-797c7c204f0503ca/strsim-0.3.0/src/lib.rs --crate-name 
str
sim --crate-type lib -C opt-level=3 -C metadata=17a8c122310cffc9 -C 
extra-filename=-17a8c122310cffc9 -
-out-dir /<>/target/x86_64-unknown-linux-gnu/release/deps 
--emit=dep-info,link --target x
86_64-unknown-linux-gnu -L 
dependency=/<>/target/x86_64-unknown-linux-gnu/release/deps -L
 dependency=/<>/target/x86_64-unknown-linux-gnu/release/deps 
--cap-lints allow -C link-ar
gs=-Wl,-z,relro -Wl,-z,now`
error: unknown lint: `l,_z,now`
note: requested on the command line with `-W l,_z,now`
error: aborting due to previous error
Build failed, waiting for other jobs to finish...
error: unknown lint: `l,_z,now`
note: requested on the command line with `-W l,_z,now`
error: aborting due to previous error
error: unknown lint: `l,_z,now`
note: requested on the command line with `-W l,_z,now`
error: aborting due to previous error
error: unknown lint: `l,_z,now`
note: requested on the command line with `-W l,_z,now`
error: aborting due to previous error
error: Could not compile `matches`.
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/cargo_0.11.0-2_amd64.build.gz

Thanks,
Balint

Bug#837434: binpac: Please build libbinpac.a with -fPIC

2016-09-11 Thread Balint Reczey

ent/libplugin-Bro-BitTorrent.a
analyzer/protocol/conn-size/libplugin-Bro-ConnSize.a
analyzer/protocol/dce-rpc/libplugin-Bro-DCE_RPC.a analyzer/protocol/d
hcp/libplugin-Bro-DHCP.a analyzer/protocol/dnp3/libplugin-Bro-DNP3.a
analyzer/protocol/dns/libplugin-Bro-DNS.a
analyzer/protocol/file/libplugin-Bro-File.a
analyzer/protocol/finger/libplugin-Bro-Finger.a an
alyzer/protocol/ftp/libplugin-Bro-FTP.a
analyzer/protocol/gnutella/libplugin-Bro-Gnutella.a
analyzer/protocol/gtpv1/libplugin-Bro-GTPv1.a
analyzer/protocol/http/libplugin-Bro-HTTP.a analyzer/protocol/icmp/
libplugin-Bro-ICMP.a analyzer/protocol/ident/libplugin-Bro-Ident.a
analyzer/protocol/interconn/libplugin-Bro-InterConn.a
analyzer/protocol/irc/libplugin-Bro-IRC.a
analyzer/protocol/krb/libplugin-Bro-KRB.a
analyzer/protocol/login/libplugin-Bro-Login.a
analyzer/protocol/mime/libplugin-Bro-MIME.a
analyzer/protocol/modbus/libplugin-Bro-Modbus.a
analyzer/protocol/mysql/libplugin-Bro-MySQL.a analyzer/protocol/ncp
/libplugin-Bro-NCP.a analyzer/protocol/netbios/libplugin-Bro-NetBIOS.a
analyzer/protocol/ntp/libplugin-Bro-NTP.a
analyzer/protocol/pia/libplugin-Bro-PIA.a
analyzer/protocol/pop3/libplugin-Bro-POP3.a analyz
er/protocol/radius/libplugin-Bro-RADIUS.a
analyzer/protocol/rdp/libplugin-Bro-RDP.a
analyzer/protocol/rpc/libplugin-Bro-RPC.a
analyzer/protocol/sip/libplugin-Bro-SIP.a
analyzer/protocol/snmp/libplugin-Bro-SNMP.a
analyzer/protocol/smb/libplugin-Bro-SMB.a
analyzer/protocol/smtp/libplugin-Bro-SMTP.a
analyzer/protocol/socks/libplugin-Bro-SOCKS.a
analyzer/protocol/ssh/libplugin-Bro-SSH.a
analyzer/protocol/ssl/libplugin-Bro-SSL.a
analyzer/protocol/stepping-stone/libplugin-Bro-SteppingStone.a
analyzer/protocol/syslog/libplugin-Bro-Syslog.a
analyzer/protocol/tcp/libplugin-Bro-TCP.a
analyzer/protocol/teredo/libplugin-Bro-Teredo.a
analyzer/protocol/udp/libplugin-Bro-UDP.a
analyzer/protocol/zip/libplugin-Bro-ZIP.a
file_analysis/analyzer/data_event/libplugin-Bro-FileDataEvent.a
file_analysis/analyzer/extract/libplugin-Bro-FileExtract.a
file_analysis/analyzer/hash/libplugin-Bro-FileHash.a
file_analysis/analyzer/pe/libplugin-Bro-PE.a
file_analysis/analyzer/unified2/libplugin-Bro-Unified2.a
file_analysis/analyzer/x509/libplugin-Bro-X509.a
input/readers/ascii/libplugin-Bro-AsciiReader.a
input/readers/benchmark/libplugin-Bro-BenchmarkReader.a
input/readers/binary/libplugin-Bro-BinaryReader.a
input/readers/raw/libplugin-Bro-RawReader.a
input/readers/sqlite/libplugin-Bro-SQLiteReader.a
iosource/pcap/libplugin-Bro-Pcap.a
logging/writers/ascii/libplugin-Bro-AsciiWriter.a
logging/writers/none/libplugin-Bro-NoneWriter.a
logging/writers/sqlite/libplugin-Bro-SQLiteWriter.a
broker-dummy/libbro_broker_dummy.a probabilistic/libbro_probabilistic.a
logging/libbro_logging.a iosource/libbro_iosource.a input/libbro_input.a
file_analysis/libbro_file_analysis.a broxygen/libbro_broxygen.a
analyzer/libbro_analyzer.a -Wl,-Bstatic -lbinpac -Wl,-Bdynamic -lpcap
-lssl -lcrypto -lresolv -lz -lsqlite3 -lGeoIP -ltcmalloc -lpthread -ldl
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../../lib/libbinpac.a(binpac_buffer.cc.o):
relocation R_X86_64_32S against symbol `_ZTVN6binpac10FlowBufferE' can
not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
src/CMakeFiles/bro.dir/build.make:3140: recipe for target 'src/bro' failed
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/bro_2.4.1+dfsg-2_amd64.build.gz

Thanks,
Balint



diff -u binutils-2.27/debian/changelog binutils-2.27/debian/changelog
--- binutils-2.27/debian/changelog
+++ binutils-2.27/debian/changelog
@@ -1,3 +1,10 @@
+binutils (2.27-8+rbalint0) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Build libbfd with -fPIC
+
+ -- Balint Reczey   Sat, 10 Sep 2016 15:53:07 +0200
+
 binutils (2.27-8) unstable; urgency=medium
 
   * Fix diversion updates for 32bit x86 targets.
diff -u binutils-2.27/debian/patches/series binutils-2.27/debian/patches/series
--- binutils-2.27/debian/patches/series
+++ binutils-2.27/debian/patches/series
@@ -12,6 +12,7 @@
 130_gold_disable_testsuite_build.patch
 131_ld_bootstrap_testsuite.patch
 135_bfd_version.patch
+136_bfd_pic.patch
 157_ar_scripts_with_tilde.patch
 #158_ld_system_root.patch
 161_gold_dummy_zoption.diff
only in patch2:
unchanged:
--- binutils-2.27.orig/debian/patches/136_bfd_pic.patch
+++ binutils-2.27/debian/patches/136_bfd_pic.patch
@@ -0,0 +1,25 @@
+Author: Balint Reczey 
+Description: Build libbfd with -fPIC to allow linking with PIE binaries
+
+--- ./bfd/Makefile.am.bak	2016-09-10 16:26:46.062371030 +0200
 ./bfd/Makefile.am	2016-09-10 16:27:48.913724681 +0200
+@@ -51,7 +51,7 @@
+ 
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ if

Bug#837445: check: Please build libcheck.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: check
Version: 0.10.0-3
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes several packages FTBFS on amd64 with extra hardening
Affects: ettercap galera-3 gubbins netcfg vnstat

Dear Maintainers,

During a rebuild of all packages in sid, several packages
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libcheck.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of ettercap's build log:
...
[100%] Linking C executable test_ec_decode
cd /<>/obj-text-only/tests && /usr/bin/cmake -E cmake_link_script 
CMakeFiles/test_ec_deco
de.dir/link.txt --verbose=1
/usr/bin/cc  -g -O2 -fdebug-prefix-map=/<>=. 
-fstack-protector-strong -Wformat -Werror=fo
rmat-security -Wdate-time -D_FORTIFY_SOURCE=2  -O2 -g -DNDEBUG   -Wl,-z,relro 
-Wl,-z,now CMakeFiles/te
st_ec_decode.dir/test_ec_decode.c.o  -o test_ec_decode -rdynamic 
../src/libettercap.so.0.0.0 ../src/in
terfaces/libec_interfaces.a -Wl,-Bstatic -lcheck -Wl,-Bdynamic -lpthread 
-lcheck_pic -lrt -lm -lsubuni
t -lssl -lcrypto -lz -ldl -lbsd -lpcap -lnet -lresolv -lpcre 
../src/lua/libec_lua.a -lluajit-5.1 -lpth
read -Wl,-rpath,/<>/obj-text-only/src /usr/bin/ld: 
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libcheck.a(check.o): 
relocation
 R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared 
object; recompile with -fPI
C
/usr/bin/ld: 
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libcheck.a(check_error.o):
 relo
cation R_X86_64_32 against `.rodata.str1.1' can not be used when making a 
shared object; recompile wit
h -fPIC
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/ettercap_0.8.2-2_amd64.build.gz

I'm aware of the provided libcheck_pic.a file, but I think
there is little value in providing the non-PIC library
thus I suggest providing only one, libcheck.a with PIC.

Thanks,
Balint

Bug#804254: publib-dev: publib does not provide a .a file with PIC objects

2016-09-11 Thread Balint Reczey

Control: severity -1 important

On Fri, 06 Nov 2015 16:05:03 + Daniel Silverstone
 wrote:
...

> 
> Dear Maintainer,
> 
> It would be super-useful if publib-dev provided a PIC compiled variant of the
> ar file.  This would allow the use of publib functions when preparing shared
> objects such as modules to be loaded into interpreters.
...

During a rebuild of all packages in sid, several packages
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libpub.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of falselogin's build log:
...
make[1]: Entering directory '/<>'
gcc -W -Wall -g -O2 -c falselogin.c
gcc -o falselogin falselogin.o -lpub
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpub.a(strgsub.o):
relocation R_X86_64_32 against `.rodata' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpub.a(strsub.o):
relocation R_X86_64_32 against `.rodata' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/falselogin_0.3-4_amd64.build.gz

Thanks,
Balint

Bug#837448: farstream-0.2: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: farstream-0.2
Version: 0.2.8-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
(lt-farstream-plugins-scan:26687): GLib-GObject-WARNING **: cannot
register existing type 'FsMsnConference'

(lt-farstream-plugins-scan:26687): GLib-CRITICAL **: g_once_init_leave:
assertion 'result != 0' failed
** Message: fs_msn_conference_get_type () didn't return a valid type
Segmentation fault
Scan failed:
Makefile:823: recipe for target 'scanobj-build.stamp' failed
make[4]: *** [scanobj-build.stamp] Error 1
make[4]: Leaving directory '/<>/docs/plugins'
Makefile:479: recipe for target 'all-recursive' failed
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory '/<>/docs'
Makefile:616: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/<>'

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/farstream-0.2_0.2.8-1_amd64.build.gz

Thanks,
Balint

Bug#837450: faumachine: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: faumachine
Version: 20160511-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
./dyngen -p chip_intel_80286_op_ -o cpu_286_jit_op_gen.h
libqemu_gen_286_a-cpu_286_jit_op.o
dyngen: unsupported X86_64 relocation (4)
Makefile:892: recipe for target 'cpu_286_jit_op_gen.h' failed
make[5]: *** [cpu_286_jit_op_gen.h] Error 1
make[5]: Leaving directory '/<>/chips/qemu'
Makefile:2010: recipe for target 'all-recursive' failed
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory '/<>/chips'
Makefile:560: recipe for target 'all' failed
make[3]: *** [all] Error 2
make[3]: Leaving directory '/<>/chips'
Makefile:523: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/<>'

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/faumachine_20160511-1_amd64.build.gz

Thanks,
Balint

Bug#837452: simgear: Please build libSimGearCore.a and libSimGearScene.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: simgear
Version: 1:2016.2.1+dfsg-6
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes several packages FTBFS with extra hardening
Affects:fgrun flightgear

Dear Maintainers,

During a rebuild of all packages in sid, several packages
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libSimGearCore.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of fgrun's build log:
...
/usr/bin/c++   -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Werror=
format-security -Wdate-time -D_FORTIFY_SOURCE=2   -D_REENTRANT
-DENABLE_NLS -g -DNDEBUG   -Wl,-z,relro
 -Wl,-z,now  CMakeFiles/fgrun.dir/wizard_funcs.cxx.o
CMakeFiles/fgrun.dir/advanced_funcs.cxx.o CMakeFi
les/fgrun.dir/AirportBrowser.cxx.o
CMakeFiles/fgrun.dir/AirportTable.cxx.o CMakeFiles/fgrun.dir/Fl_Tab
le.cxx.o CMakeFiles/fgrun.dir/Fl_Table_Row.cxx.o
CMakeFiles/fgrun.dir/Fl_OSG.cxx.o CMakeFiles/fgrun.di
r/Fl_Heading_Dial.cxx.o CMakeFiles/fgrun.dir/main.cxx.o
CMakeFiles/fgrun.dir/io.cxx.o CMakeFiles/fgrun
.dir/fgfsrc.cxx.o CMakeFiles/fgrun.dir/logwin.cxx.o
CMakeFiles/fgrun.dir/parkingloader.cxx.o CMakeFile
s/fgrun.dir/settings.cxx.o CMakeFiles/fgrun.dir/util.cxx.o
CMakeFiles/fgrun.dir/run_posix.cxx.o CMakeF
iles/fgrun.dir/fgrun_pty.cxx.o  -o fgrun -rdynamic libWizard.a
libAdvanced.a -Wl,-Bstatic -lSimGearSce
ne -lSimGearCore -lSimGearCore -Wl,-Bdynamic -losgText -losgDB
-losgParticle -losgUtil -losgViewer -lo
sgGA -losg -lOpenThreads /usr/lib/x86_64-linux-gnu/libfltk_forms.so
/usr/lib/x86_64-linux-gnu/libfltk_
gl.so /usr/lib/x86_64-linux-gnu/libfltk_images.so
/usr/lib/x86_64-linux-gnu/libfltk.so -ldl -ldl -lz -
lutil -lGLU -lGL -ldl -lpthread -lexpat -lz -lutil -lGLU -lGL -lpthread
-lexpat
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libSimGearScene.a(ModelRegistry
.cxx.o): relocation R_X86_64_32 against `.rodata' can not be used when
making a shared object; recompi
le with -fPIC
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/fgrun_3.4.0.final-3_amd64.build.gz

Thanks,
Balint

Bug#837453: flint: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: flint
Version: 2.5.2-8
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening
Tags: patch

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
gcc -fPIC -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
-fdebug-prefix-map=/<>=. -fstack-protect
or-strong -Wformat -Werror=format-security -I/<> -c
factor_trial_partial.c -o ../build/ul
ong_extras/factor_trial_partial.lo -MMD -MP -MF
"../build/ulong_extras/factor_trial_partial.d" -MT "..
/build/ulong_extras/factor_trial_partial.d" -MT
"../build/ulong_extras/factor_trial_partial.lo"
gcc -Wl,-z,relro -Wl,-z,now -Wl,-r ../build/ulong_extras/sizeinbase.lo
../build/ulong_extras/mulmod_pr
ecomp.lo ../build/ulong_extras/is_square.lo
../build/ulong_extras/euler_phi.lo ../build/ulong_extras/d
ivrem2_precomp.lo ../build/ulong_extras/mulmod2_preinv.lo
../build/ulong_extras/factor_SQUFOF.lo ../bu
ild/ulong_extras/powmod2_preinv.lo
../build/ulong_extras/primitive_root_prime.lo ../build/ulong_extras
/randlimb.lo ../build/ulong_extras/discrete_log_bsgs.lo
../build/ulong_extras/lll_mod_preinv.lo ../bui
ld/ulong_extras/factor_partial.lo ../build/ulong_extras/mod2_precomp.lo
../build/ulong_extras/flog.lo
../build/ulong_extras/factor_pp1.lo
../build/ulong_extras/factorial_mod2_preinv.lo ../build/ulong_extr
as/root.lo ../build/ulong_extras/mulmod_preinv.lo
../build/ulong_extras/gcdinv.lo ../build/ulong_extra
s/prime_inverses_arr_readonly.lo
../build/ulong_extras/is_probabprime_BPSW.lo ../build/ulong_extras/po
wmod_preinv.lo ../build/ulong_extras/inlines.lo
../build/ulong_extras/cleanup_primes.lo ../build/ulong
_extras/jacobi.lo ../build/ulong_extras/powmod_precomp.lo
../build/ulong_extras/is_prime_pseudosquare.
lo ../build/ulong_extras/primes_extend_small.lo
../build/ulong_extras/primes_sieve_range.lo ../build/u
long_extras/mod2_preinv.lo ../build/ulong_extras/is_perfect_power235.lo
../build/ulong_extras/moebius_
mu.lo ../build/ulong_extras/sqrtrem.lo ../build/ulong_extras/revbin.lo
../build/ulong_extras/mod_preco
mp.lo ../build/ulong_extras/cbrt_estimate.lo
../build/ulong_extras/gcd.lo ../build/ulong_extras/factor
.lo ../build/ulong_extras/factor_trial.lo
../build/ulong_extras/is_strong_probabprime2_preinv.lo ../bu
ild/ulong_extras/ll_mod_preinv.lo ../build/ulong_extras/primes_clear.lo
../build/ulong_extras/rootrem.
lo ../build/ulong_extras/factor_power235.lo
../build/ulong_extras/sqrt.lo ../build/ulong_extras/remove
2_precomp.lo ../build/ulong_extras/sqrtmodn.lo
../build/ulong_extras/cbrt_binary_search.lo ../build/ul
ong_extras/is_prime.lo ../build/ulong_extras/factor_insert.lo
../build/ulong_extras/clog.lo ../build/u
long_extras/nth_prime_bounds.lo ../build/ulong_extras/factor_one_line.lo
../build/ulong_extras/prime_p
i.lo ../build/ulong_extras/sqrtmod_primepow.lo
../build/ulong_extras/cbrtrem.lo ../build/ulong_extras/
sqrtmod.lo ../build/ulong_extras/factorial_fast_mod2_preinv.lo
../build/ulong_extras/cbrt.lo ../build/
ulong_extras/invmod.lo ../build/ulong_extras/cbrt_newton_iteration.lo
../build/ulong_extras/is_oddprim
e_binary.lo ../build/ulong_extras/is_probabprime.lo
../build/ulong_extras/is_squarefree.lo ../build/ul
ong_extras/is_probabprime_fermat.lo ../build/ulong_extras/randtest.lo
../build/ulong_extras/primes_arr
_readonly.lo ../build/ulong_extras/primes_jump_after.lo
../build/ulong_extras/pow.lo ../build/ulong_ex
tras/randint.lo ../build/ulong_extras/is_probabprime_lucas.lo
../build/ulong_extras/root_estimate.lo .
./build/ulong_extras/nth_prime.lo
../build/ulong_extras/prime_pi_bounds.lo ../build/ulong_extras/facto
r_lehman.lo ../build/ulong_extras/is_strong_probabprime_precomp.lo
../build/ulong_extras/primes_init.l
o ../build/ulong_extras/cbrt_chebyshev_approximation.lo
../build/ulong_extras/nextprime.lo ../build/ul
ong_extras/is_prime_pocklington.lo
../build/ulong_extras/factor_trial_range.lo
../build/ulong_extras/compute_primes.lo ../build/ulong_extras/xgcd.lo
../build/ulong_extras/is_oddprime_small.lo
../build/ulong_extras/is_probabprime_fibonacci.lo
../build/ulong_extras/remove.lo ../build/ulong_extras/randbits.lo
../build/ulong_extras/randprime.lo
../build/ulong_extras/factor_trial_partial.lo -o
../build/ulong_extras/../ulong_extras.lo -nostdlib
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/flint_2.5.2-8_amd64.build.gz

The patch used in Ubuntu fixes the issue:
https://patches.ubuntu.com/f/flint/flint_2.5.2-9ubuntu1.patch

Thanks,
Balint

Bug#837454: flint-arb: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: flint-arb
Version: 2.8.1-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
gcc -Wl,-z,relro -Wl,-z,now -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
-fdebug-prefix-map=/<>
=. -fstack-protector-strong -Wformat -Werror=format-security -Wl,-r
../build/fmpr/add_naive.lo ../buil
d/fmpr/get_si.lo ../build/fmpr/get_fmpz_2exp.lo ../build/fmpr/get_d.lo
../build/fmpr/set_mpfr.lo ../bu
ild/fmpr/cmp_2exp_si.lo ../build/fmpr/addmul.lo ../build/fmpr/add_eps.lo
../build/fmpr/set_d.lo ../bui
ld/fmpr/set_fmpz_2exp.lo ../build/fmpr/cmpabs_2exp_si.lo
../build/fmpr/divappr_abs_ubound.lo ../build/
fmpr/log.lo ../build/fmpr/add_fmpz.lo ../build/fmpr/mul_naive.lo
../build/fmpr/ulp.lo ../build/fmpr/ex
p.lo ../build/fmpr/check_ulp.lo ../build/fmpr/sum.lo
../build/fmpr/root.lo ../build/fmpr/cmp.lo ../bui
ld/fmpr/set_round.lo ../build/fmpr/set_round_uiui_2exp_fmpz.lo
../build/fmpr/mul.lo ../build/fmpr/get_
fmpz_fixed.lo ../build/fmpr/cmpabs.lo ../build/fmpr/printd.lo
../build/fmpr/get_fmpq.lo ../build/fmpr/
get_fmpz.lo ../build/fmpr/randtest.lo ../build/fmpr/rsqrt.lo
../build/fmpr/set_round_mpn.lo ../build/fmpr/pow_sloppy.lo
../build/fmpr/submul.lo ../build/fmpr/add.lo ../build/fmpr/mul_1x1.lo
../build/fmpr/mul_fmpz.lo ../build/fmpr/sqrt.lo ../build/fmpr/add_si.lo
../build/fmpr/cmpabs_ui.lo ../build/fmpr/div.lo
../build/fmpr/normalise.lo ../build/fmpr/set_fmpq.lo
../build/fmpr/abs_bound_lt_2exp_si.lo ../build/fmpr/print.lo
../build/fmpr/get_mpfr.lo ../build/fmpr/sub.lo ../build/fmpr/add_ui.lo
../build/fmpr/mul_mpn.lo ../build/fmpr/add_mpn.lo
../build/fmpr/set_round_ui_2exp_fmpz.lo -o ../build/fmpr/../fmpr.lo
-nostdlib
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/flint-arb_2.8.1-2_amd64.build.gz

The patch used in Ubuntu fixes the issue:
https://patches.ubuntu.com/f/flint-arb/flint-arb_2.8.1-2ubuntu1.patch

Thanks,
Balint

Bug#837456: frama-c: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: frama-c
Version: 20151002+magnesium+dfsg-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
configure: switching to OcamlGraph provided by Frama-C
checking for ocamlgraph... no
checking for ocamlgraph.tar.gz... no
configure: error: cannot find OcamlGraph in the current directory.
   Quite strange: would your Frama-C distribution be corrupted?
   Anyway:
   1. download the latest version from http://ocamlgraph.lri.fr/download
   2. install it by './configure && make && make install'
   3. rerun ./configure here
debian/rules:13: recipe for target 'override_dh_auto_configure' failed
make[1]: *** [override_dh_auto_configure] Error 1
make[1]: Leaving directory '/<>/frama-c-20151002+magnesium+dfsg'
debian/rules:71: recipe for target 'build' failed
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/frama-c_20151002+magnesium+dfsg-1_amd64.build.gz

Thanks,
Balint

Bug#837478: debian-policy: Allow (encourage?) PIC static libraries

2016-09-11 Thread Balint Reczey

Package: debian-policy
Severity: important

Dear Maintainer,

Current (3.9.8.0) Policy mandates non-PIC static libraries with a few
exceptions:

---
10.2 Libraries
... (paragraph about shared libs)

As to the static libraries, the common case is not to have relocatable
code, since there is no benefit, unless in specific cases; therefore the
static version must not be compiled with the -fPIC flag. Any exception
to this rule should be discussed on the mailing list
debian-de...@lists.debian.org, and the reasons for compiling with the
-fPIC flag must be recorded in the file README.Debian. [86]

In other words, if both a shared and a static library is being built,
each source unit (*.c, for example, for C files) will need to be
compiled twice, for the normal case.

---

I think with the spreading of PIE binaries the "... since there is no
benefit ..." claim does not stand anymore. Non-PIC static libraries
can't be linked to PIE binaries thus they are less useful for code
sharing among packages.

There is also a plan to use a specially configured GCC on several
architectures which builds PIE binaries by default and that needs PIC
static libraries for not statically linked binaries. [1]

Planned archive-wide enabling of bindnow (-Wl,-z,now) hardening setting
in dpkg [3] also decreases the speed advantage of non-PIC static libraries.

I would like to suggest revising the Policy text and at least allowing
shipping PIC static libraries without broader discussion and
documentation. I would be in favor of even encouraging PIC for static
libraries because that would allow compiling them to PIE binaries.

I have already filed many bugs [4] related to the transition to PIE by
defauld where the problem can be solved easily by providing PIC static
libraries. Note that many packages ship only static libs.

Thanks,
Balint


[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[2] https://lists.debian.org/debian-devel/2016/05/msg00309.html
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835146
[4]
https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=pie-bindnow-20160906&user=balint%40balintreczey.hu

Bug#837480: gb: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: gb
Version: 0.4.2-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
=== RUN   TestReadFailuresIgnored
--- PASS: TestReadFailuresIgnored (0.00s)
PASS
ok  github.com/constabulary/gb/importer 0.004s
=== RUN   TestTest
a
a
b
a
d.v1
c
f
e
cmd/f
extest
extest
external_only_test
notestfiles
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
# cgoonlynotest
testonly
extestonly
g
g
ldflags
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
# cgotest
testflags
main
--- FAIL: TestTest (3.16s)
test_test.go:96: Test(cgoonlynotest): want , got exit status 1
test_test.go:84: skipping test, goversion 1.60 is above
maxgoversion 1.50
test_test.go:96: Test(cgotest): want , got exit status 1
=== RUN   TestTestPackage
--- PASS: TestTestPackage (0.09s)

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/gb_0.4.2-1_amd64.build.gz

Thanks,
Balint

Bug#837481: gcl: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: gcl
Version: 2.6.12-33
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening
Tags: patch

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
touch raw_pre_gcl_map
gcc -Wl,-z,relro -Wl,-z,now -Wl,-T ../unixport/gcl.script -o raw_pre_gcl
 -L.  -Wl,-Map raw_pre_gcl_map  -lpre_gcl -lX11-lm  -pg -lgmp
-lreadline -lc -lgclp
PATH=/usr/bin:$PATH gcc msys.c -o msys # Unix binary if running wine
cp sys_init.lsp foo
echo "(unless si::*quit-tags* (in-package \"USER\")(system:save-system
\"saved_pre_gcl\"))" >>foo
ar x libpre_gcl.a $(ar t libpre_gcl.a |grep ^gcl_)
/<>/unixport/raw_pre_gcl /<>/unixport/ -libdir
/<>/ < foo
GCL (GNU Common Lisp)  April 1994  22913624631 pages
Building symbol table for /<>/unixport/raw_pre_gcl ..
The assertion (sec=get_section( ".rel.plt",sec1,sece,sn)) ||
(sec=get_section(".rela.plt",sec1,sece,sn)) on line 387 of sfaslelf.c in
function set_symbol_stubs failed: SuccessAborted
makefile:93: recipe for target 'saved_pre_gcl' failed
make[2]: *** [saved_pre_gcl] Error 134
rm raw_pre_gcl

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/gcl_2.6.12-33_amd64.build.gz

The patch used at Ubuntu fixes the issue by disabling PIE:
https://patches.ubuntu.com/g/gcl/gcl_2.6.12-33ubuntu1.patch

Thanks,
Balint

Bug#837485: golang-1.6: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: golang-1.6
Version: 1.6.3-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening
Tags: patch

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
# Testing race detector
ok  runtime/race2.396s
ok  flag1.005s
ok  os/exec 2.014s
==3637==ERROR: ThreadSanitizer failed to allocate 0x271 (4096)
bytes at address 175c5ff8b0b00
(errno: 12)
unexpected fault address 0x0
fatal error: fault
[signal 0x7 code=0x80 addr=0x0 pc=0x55717f9dd245]

goroutine 1 [running, locked to thread]:
runtime.throw(0x0, 0x55717f808e88)
/<>/src/runtime/panic.go:547 +0x90
fp=0x7fff183185a0 sp=0x7fff18318588

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/<>/src/runtime/asm_amd64.s:1998 +0x1
fp=0xc820038fb8 sp=0xc820038fb0
exit status 2
FAIL_/<>/misc/cgo/test 0.005s
2016/09/05 20:38:54 Failed: exit status 1
==2753==ERROR: ThreadSanitizer failed to allocate 0x26e8000 (40796160)
bytes at address 17818149c4680
(errno: 12)
unexpected fault address 0x0
fatal error: fault
[signal 0x7 code=0x80 addr=0x0 pc=0x560604f0c0e5]

goroutine 1 [running, locked to thread]:
runtime.throw(0x0, 0x560604de0378)
/<>/src/runtime/panic.go:547 +0x90
fp=0x7ffe958b44c0 sp=0x7ffe958b44a8

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/<>/src/runtime/asm_amd64.s:1998 +0x1
FAILflag0.005s
==3009==ERROR: ThreadSanitizer failed to allocate 0x272 (41025536)
bytes at address 175e931970700
(errno: 12)
unexpected fault address 0x0
fatal error: fault
[signal 0x7 code=0x80 addr=0x0 pc=0x557a4c0f6405]

goroutine 1 [running, locked to thread]:
runtime.throw(0x0, 0x557a4bd46fa8)
/<>/src/runtime/panic.go:547 +0x90
fp=0x7ffdd2b7e910 sp=0x7ffdd2b7e8f8

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/<>/src/runtime/asm_amd64.s:1998 +0x1
FAILos/exec 0.006s
2016/09/05 20:38:54 Failed: exit status 1


...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/golang-1.6_1.6.3-1_amd64.build.gz

Ubuntu fixed the issue by disabling PIE for that test-case:
https://patches.ubuntu.com/g/golang-1.6/golang-1.6_1.6.3-1ubuntu1.patch

Thanks,
Balint

Bug#837486: golang: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: golang
Version: 1.6.1-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening
Tags: patch

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
# Testing race detector
ok  runtime/race2.396s
ok  flag1.005s
ok  os/exec 2.014s
==3637==ERROR: ThreadSanitizer failed to allocate 0x271 (4096)
bytes at address 175c5ff8b0b00
(errno: 12)
unexpected fault address 0x0
fatal error: fault
[signal 0x7 code=0x80 addr=0x0 pc=0x55717f9dd245]

goroutine 1 [running, locked to thread]:
runtime.throw(0x0, 0x55717f808e88)
/<>/src/runtime/panic.go:547 +0x90
fp=0x7fff183185a0 sp=0x7fff18318588

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/<>/src/runtime/asm_amd64.s:1998 +0x1
fp=0xc820038fb8 sp=0xc820038fb0
exit status 2
FAIL_/<>/misc/cgo/test 0.005s
2016/09/05 20:38:54 Failed: exit status 1
==2753==ERROR: ThreadSanitizer failed to allocate 0x26e8000 (40796160)
bytes at address 17818149c4680
(errno: 12)
unexpected fault address 0x0
fatal error: fault
[signal 0x7 code=0x80 addr=0x0 pc=0x560604f0c0e5]

goroutine 1 [running, locked to thread]:
runtime.throw(0x0, 0x560604de0378)
/<>/src/runtime/panic.go:547 +0x90
fp=0x7ffe958b44c0 sp=0x7ffe958b44a8

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/<>/src/runtime/asm_amd64.s:1998 +0x1
FAILflag0.005s
==3009==ERROR: ThreadSanitizer failed to allocate 0x272 (41025536)
bytes at address 175e931970700
(errno: 12)
unexpected fault address 0x0
fatal error: fault
[signal 0x7 code=0x80 addr=0x0 pc=0x557a4c0f6405]

goroutine 1 [running, locked to thread]:
runtime.throw(0x0, 0x557a4bd46fa8)
/<>/src/runtime/panic.go:547 +0x90
fp=0x7ffdd2b7e910 sp=0x7ffdd2b7e8f8

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/<>/src/runtime/asm_amd64.s:1998 +0x1
FAILos/exec 0.006s
2016/09/05 20:38:54 Failed: exit status 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/golang_1.6.1-2_amd64.build.gz

Thanks,
Ubuntu fixed the issue by disabling PIE for that test-case:
https://patches.ubuntu.com/g/golang-1.6/golang-1.6_1.6.3-1ubuntu1.patch

Thanks,
Balint

Bug#837487: gprolog: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: gprolog
Version: 1.3.0-6.1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
gplc -o pl2wam --no-fd-lib --min-bips pl2wam.o read_file.o bip_list.o
syn_sugar.o internal.o code_gen.
o reg_alloc.o inst_codif.o first_arg.o indexing.o wam_emit.o
/usr/bin/ld: pl2wam.o: relocation R_predicate(<86>/64)_32S against
`.text' can not be used when making
 a shared object; recompile with -fPIC
/usr/bin/ld: read_file.o: relocation R_predicate(<86>/64)_32S against
`.text' can not be used when mak
ing a shared object; recompile with -fPIC
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/gprolog_1.3.0-6.1_amd64.build.gz

Thanks,
Balint

Bug#837489: antlr: Please build libantlr.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: antlr
Version: 2.7.7+dfsg-7
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes gpt FTBFS with extra hardening
Affects: gpt sqlitebrowser

Dear Maintainers,

During a rebuild of all packages in sid, gpt
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libantlr.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64 (and selected architectures).

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of gpt's build log:
...
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I../. -I../src -I../src/modules
-I../src/modules/c_translator -I../s
rc/modules/interpreter -I../src/modules/parser -I../src/modules/parser
-I../src/modules/c_translator -
I../src/modules/interpreter -I../src/modules/c_translator
-I../src/modules/x86 -I../src/modules/x86 -I
/usr/include -O2  -c -o GPT.o GPT.cpp
/bin/bash ../libtool --tag=CXX --mode=link g++  -O2-o gpt  main.o
GPT.o ../src/modules/libgportugo
l.la /usr/lib/libantlr.a -L/usr/lib -lpcrecpp
libtool: link: g++ -O2 -o .libs/gpt main.o GPT.o
../src/modules/.libs/libgportugol.so /usr/lib/libant
lr.a -L/usr/lib -lpcrecpp
/usr/bin/ld: /usr/lib/libantlr.a(ASTFactory.o): relocation R_X86_64_32S
against symbol `_ZTVN5antlr10A
STFactoryE' can not be used when making a shared object; recompile with
-fPIC
/usr/bin/ld: /usr/lib/libantlr.a(BaseAST.o): relocation R_X86_64_32S
against symbol `_ZNK5antlr7BaseAS
T13getFirstChildEv' can not be used when making a shared object;
recompile with -fPIC
/usr/bin/ld: /usr/lib/libantlr.a(BitSet.o): relocation R_X86_64_32
against `.rodata.str1.1' can not be
 used when making a shared object; recompile with -fPIC

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/gpt_1.1-2_amd64.build.gz

Thanks,
Balint

Bug#837490: libpapyrus3-dev: Please build libPapyrus3.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: libpapyrus3-dev
Version: 3.7.1-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes gdcm FTBFS with extra hardening
Affects: gdcm

Dear Maintainers,

During a rebuild of all packages in sid, gdcm
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libPapyrus3.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64 (and selected architectures).

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of gdcm's build log:
...
/usr/bin/c++   -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Werror=
format-security -Wdate-time -D_FORTIFY_SOURCE=2-Wl,-z,relro
-Wl,-z,now -Wl,--as-needed CMakeFiles/
gdcmpap3.dir/gdcmpap3.cxx.o  -o ../../bin/gdcmpap3 -rdynamic
../../bin/libgdcmMSFF.so.2.6.5 -Wl,-Bstat
ic -lPapyrus3 -Wl,-Bdynamic ../../bin/libgdcmDICT.so.2.6.5
../../bin/libgdcmIOD.so.2.6.5 ../../bin/lib
gdcmDSED.so.2.6.5 ../../bin/libgdcmCommon.so.2.6.5
-Wl,-rpath-link,/<>/obj-x86_64-linux-g
nu/bin
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../../lib/libPapyrus3.a(PapyError3.c.o):
relocation
 R_X86_64_32 against `.rodata.str1.8' can not be used when making a
shared object; recompile with -fPI
C
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/gdcm_2.6.5-2_amd64.build.gz

Thanks,
Balint

Bug#837491: libgadap-dev: Please build libgadap.a with -fPIC

2016-09-11 Thread Balint Reczey

Source: libgadap-dev
Version: 2.0-6
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes grads FTBFS with extra hardening
Affects: grads

Dear Maintainers,

During a rebuild of all packages in sid, grads
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libgadap.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64 (and selected architectures).

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of grads's build log:
...
g++  -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Werror=format-security -rdynamic
-Wl,-z,relro -Wl,-z,now -L/usr/lib/x86_64-linux-gnu/hdf5/serial
-Lyes/lib -Wl,--as-needed -o grads grads.o gxsubs.o gxmeta.o gxchpl.o
gxcntr.o gxstrm.o gxwmap.o gxshad.o gxshad2.o gaexpr.o gafunc.o gautil.o
gagx.o gscrpt.o gamach.o bufrstn.o gabufr.o gabufrtbl.o gxdxwd.o
galloc.o  dodstn.o gaddes.o gaio.o gacfg.o gauser.o gasdf.o gatxt.o
gxX.o gxC.o gxprint.o -L/usr/lib-lX11 -lXext -lreadline  -ltermcap
-lgd -lpng16 -lz -ljpeg -lgrib2c -lmfhdfalt -ldfalt -ludunits2 -lsz
-ljpeg -lz -lhdf5 -ljpeg -lz -lsz -lnetcdf -ludunits2  -ltiff -lgeotiff
-lshp -lgadap -ldapclient -ldap -lcurl -lxml2 -lz -lpthread -lm -ldl
-lrt -lcairo -lXrender -lfontconfig -lfreetype -lpixman-1 -lpng16 -lxml2
-lz -lm  -lcairo -lfreetype
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libgadap.a(gadap.o):
relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
making a shared object; recompile with -fPIC

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/grads_2.1.a3-3_amd64.build.gz

Thanks,
Balint

Bug#837493: grub2: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: grub2
Version: 2.02~beta2-36
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
g++  -g -O2 -Wl,-z,relro -Wl,-z,now-o priority_queue_unit_test
tests/priority_queue_unit_test-prio
rity_queue_unit_test.o tests/lib/priority_queue_unit_test-unit_test.o
grub-core/kern/priority_queue_un
it_test-list.o grub-core/kern/priority_queue_unit_test-misc.o
grub-core/tests/lib/priority_queue_unit_
test-test.o grub-core/lib/priority_queue_unit_test-priority_queue.o
libgrubmods.a libgrubgcry.a libgr
ubkern.a grub-core/gnulib/libgnu.a -ldevmapper
/usr/bin/ld: grub-core/kern/priority_queue_unit_test-misc.o: relocation
R_X86_64_32 against `.rodata.str1.1' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: grub-core/tests/lib/priority_queue_unit_test-test.o:
relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
making a shared object; recompile with -fPIC
/usr/bin/ld: libgrubkern.a(libgrubkern_a-misc.o): relocation R_X86_64_32
against `.rodata.str1.1' can not be used when making a shared object;
recompile with -fPIC
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/grub2_2.02~beta2-36_amd64.build.gz

Thanks,
Balint

Bug#837492: grub: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: grub
Version: 0.97-71
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
checking if C symbols get an underscore after compilation... no
checking whether objcopy works for absolute addresses... no
configure: error: GRUB requires a working absolute objcopy; upgrade your
binutils
"tail -v -n +0 config.log"
==> config.log <==
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by GRUB configure 0.97, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ ./configure --build=x86_64-linux-gnu --prefix=/usr
--includedir=${prefix}/include --mandir=${prefix}/share/man
--infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var
--disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu
--libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode
--disable-dependency-tracking --libdir=${prefix}/lib
--disable-auto-linux-mem-opt


...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/grub_0.97-71_amd64.build.gz

Thanks,
Balint

Bug#837494: gtk-d: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: gtk-d
Version: 3.3.1-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
make[3]: Leaving directory '/<>'
ldc2 demos/gtkD/TestWindow/TEditableCells.o
demos/gtkD/TestWindow/TestIdle.o demos/gtkD/TestWindow/Tes
tImage.o demos/gtkD/TestWindow/TTextView.o
demos/gtkD/TestWindow/TestEntries.o demos/gtkD/TestWindow/T
estTreeView1.o demos/gtkD/TestWindow/TestStock.o
demos/gtkD/TestWindow/TestThemes.o demos/gtkD/TestWin
dow/TestScales.o demos/gtkD/TestWindow/TestTreeView.o
demos/gtkD/TestWindow/TestText.o demos/gtkD/Test
Window/TestDrawingArea.o demos/gtkD/TestWindow/TestWindow.o
demos/gtkD/TestWindow/TestAspectFrame.o  -
ofTestWindow -L-L. -L-lgtkd-3  -L-ldl
/usr/bin/ld: demos/gtkD/TestWindow/TEditableCells.o: relocation
R_X86_64_32S against hidden symbol `ld
c.dso_slot' can not be used when making a shared object
/usr/bin/ld: demos/gtkD/TestWindow/TestIdle.o: relocation R_X86_64_32
against symbol `_D8TestIdle8Test
Idle11TestDrawing7__ClassZ' can not be used when making a shared object;
recompile with -fPIC
/usr/bin/ld: demos/gtkD/TestWindow/TestImage.o: relocation R_X86_64_32
against symbol `_D3gtk14Scrolle
dWindow14ScrolledWindow7__ClassZ' can not be used when making a shared
object; recompile with -fPIC
/usr/bin/ld: demos/gtkD/TestWindow/TTextView.o: relocation R_X86_64_32
against `.rodata.str1.1' can no
t be used when making a shared object; recompile with -fPIC

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/gtk-d_3.3.1-2_amd64.build.gz

Thanks,
Balint

Bug#837498: ldc: FTBFS with bindnow and PIE enabled

2016-09-11 Thread Balint Reczey

Source: ldc
Version: 1.1.0-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
[  0%] Generating ddmd/idgen
cd /<> && /usr/bin/ldmd2 -wi -O -inline -release
-J/<>/ddmd -I/<>/ddmd
-of/<>/build-static/ddmd/idgen ddmd/idgen.d
/usr/bin/ld: /<>/build-static/ddmd/idgen.o: relocation
R_X86_64_32 against `.rodata.str1.1' can not be used when making a
shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Error: /usr/bin/gcc failed with status: 1
CMakeFiles/LDCShared.dir/build.make:68: recipe for target 'ddmd/idgen'
failed
make[3]: *** [ddmd/idgen] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/ldc_1.1.0-2_amd64.build.gz

Thanks,
Balint

Bug#837541: gambas3: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: gambas3
Version: 3.8.4-6
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
Installing gb.dbus.trayicon...
/<>/debian/tmp/usr/bin/gbi3: symbol lookup error:
/<>/debian/tmp/usr/lib/gam
bas3/gb.sdl2.so: undefined symbol: SDL_GetWindowId
make[4]: Nothing to be done for 'install-data-am'.
make[4]: Leaving directory '/<>/comp'
make[3]: Leaving directory '/<>/comp'
Making install in app
make[3]: Entering directory '/<>/app'
make[4]: Entering directory '/<>/app'
[Installing with DESTDIR=/<>/debian/tmp]
Installing the development environment...
Compiling gambas3...
OK
Installing gambas3...
Compiling gbs3...
OK
Installing gbs3...
Installing the scripter...
Registering Gambas script mimetype
mkdir: cannot create directory '/sbuild-nonexistent': Permission denied
touch: cannot touch
'/sbuild-nonexistent/.local/share/icons/hicolor/.xdg-icon-resource-dummy':
No such
 file or directory
mkdir: cannot create directory '/sbuild-nonexistent': Permission denied
Registering Gambas server page mimetype
mkdir: cannot create directory '/sbuild-nonexistent': Permission denied
touch: cannot touch
'/sbuild-nonexistent/.local/share/icons/hicolor/.xdg-icon-resource-dummy':
No such file or directory
mkdir: cannot create directory '/sbuild-nonexistent': Permission denied
Installing the Gambas appdata file
Installing the Gambas template projects
/usr/bin/install -c -d
/<>/debian/tmp/usr/share/gambas3/template;
cp -R ./template/* /<>/debian/tmp/usr/share/gambas3/template;
make[4]: Nothing to be done for 'install-data-am'.
make[4]: Leaving directory '/<>/app'
make[3]: Leaving directory '/<>/app'
Making install in .
make[3]: Entering directory '/<>'
make[4]: Entering directory '/<>'
make[4]: Nothing to be done for 'install-data-am'.
make[4]: Leaving directory '/<>'
make[3]: Leaving directory '/<>'
make[2]: Leaving directory '/<>'
chmod 644 /<>/debian/tmp/usr/share/appdata/gambas3.appdata.xml
find /<>/debian/tmp/usr -name "*.la" -delete
find /<>/debian/tmp/usr -type d -empty -delete
find /<>/debian/tmp/usr -name *.png -perm /ugo+x -exec
chmod 644 \{} \;
make[1]: Leaving directory '/<>'
   debian/rules override_dh_install
make[1]: Entering directory '/<>'
dh_install -XCOPYING -XLicense --list-missing
dh_install: Cannot find (any matches for)
"usr/share/gambas3/info/gb.sdl2.info" (tried in "." and "debian/tmp")

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/gambas3_3.8.4-6_amd64.build.gz

Thanks,
Balint

Bug#837543: hardening-wrapper: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: hardening-wrapper
Version: 2.8+nmu2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
if perl ../build-tree/hardening-check
../build-tree/includes-test-none.a; then exit 1; fi
../build-tree/includes-test-none.a:
 Position Independent Executable: no, object archive (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, non-ELF (ignored)
 Immediate binding: no, non-ELF (ignored)
# Disable PIE
cc \
 -g -O2 -fdebug-prefix-map=/<>/hardening-wrapper-2.8+nmu2=.
-fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-Werror=format-security -O2 \
 -Wl,-z,relro -Wl,-z,now \
 -o ../build-tree/includes-disabled hello.c
if perl ../build-tree/hardening-check  ../build-tree/includes-disabled;
then exit 1; fi
../build-tree/includes-disabled:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
Makefile.includes:14: recipe for target
'../build-tree/includes-disabled' failed
make[3]: *** [../build-tree/includes-disabled] Error 1
make[3]: Leaving directory '/<>/hardening-wrapper-2.8+nmu2/tests'
Makefile:6: recipe for target 'check' failed
m
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/hardening-wrapper_2.8+nmu2_amd64.build.gz

I know about hardening-wrapper being scheduled for removal and this bug
will probably be closed with the removal instead of being fixed.

Thanks,
Balint

Bug#837545: kvmtool: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: kvmtool
Version: 0.20160419-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
  CC   x86/bios.o
In file included from x86/bios.c:9:0:
x86/bios/bios-rom.h:12:27: error: ISO C99 requires whitespace after the
macro name [-Werror]
 #define BIOS_OFFSETx86.get_pc_thunk.bx 0x02ea
   ^
cc1: all warnings being treated as errors
Makefile:426: recipe for target 'x86/bios.o' failed
make[1]: *** [x86/bios.o] Error 1
make[1]: Leaving directory '/<>'
dh_auto_build: make -j1 returned exit code 2
debian/rules:3: recipe for target 'build' failed
make: *** [build] Error 2

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/kvmtool_0.20160419-1_amd64.build.gz

Thanks,
Balint

Bug#837562: libembperl-perl: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: libembperl-perl
Version: 2.5.0-8
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
Writing Embperl.bs
chmod 644 "Embperl.bs"
PERL_DL_NONLAZY=0 PERL_USE_UNSAFE_INC=1 "/usr/bin/perl" "-Iblib/lib"
"-Iblib/arch" test.pl
loading...Can't load
'/<>/blib/arch/auto/Embperl/Embperl.so' for module Embperl:
/<>/blib/arch/auto/Embperl/Embperl.so: undefined symbol:
ap_hook_open_logs at /usr/lib/x86_64-linux-gnu/perl/5.22/DynaLoader.pm
line 187.
 at test.pl line 1916.
Compilation failed in require at test.pl line 1916.
BEGIN failed--compilation aborted at test.pl line 1916.

Test terminated with fatal error
Use of uninitialized value $EPHTTPD in string ne at test.pl line 1300.
Makefile:1619: recipe for target 'test_dynamic' failed
make[1]: *** [test_dynamic] Error 1
make[1]: Leaving directory '/<>'
dh_auto_test: make -j1 test TEST_VERBOSE=1 returned exit code 2
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/libembperl-perl_2.5.0-8_amd64.build.gz

Thanks,
Balint

Bug#837564: llvm-toolchain-3.8: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: llvm-toolchain-3.8
Version: 3.8.1-9
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
-- Testing: 15541 tests, 4 threads --
Testing: 0 .. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80..
FAIL: LLVM :: tools/llvm-symbolizer/print_context.c (14205 of 15541)
 TEST 'LLVM ::
tools/llvm-symbolizer/print_context.c' FAILED 
Script:
--
/usr/bin/gcc-6  -O0 -g
/<>/test/tools/llvm-symbolizer/print_context.c -o
/<>/build-llvm/test/tools/llvm-symbolizer/Output/print_context.c.tmp
2>&1
/<>/build-llvm/test/tools/llvm-symbolizer/Output/print_context.c.tmp
2>&1 | /<>/build-llvm/./bin/llvm-symbolizer
-print-source-context-lines=5
-obj=/<>/build-llvm/test/tools/llvm-symbolizer/Output/print_context.c.tmp
| /<>/build-llvm/./bin/FileCheck
/<>/test/tools/llvm-symbolizer/print_context.c
--check-prefix=CHECK
--
Exit Code: 1

Command Output (stderr):
--
/<>/test/tools/llvm-symbolizer/print_context.c:16:11:
error: expected string not found in input
// CHECK: inc
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/llvm-toolchain-3.8_3.8.1-9_amd64.build.gz

Thanks,
Balint

Bug#837563: libsecret: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: libsecret
Version: 0.18.5-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
PASS: test-vala-lang 6 /vala/clear/sync
PASS: test-vala-lang 7 /vala/clear/async
FAIL: test-vala-unstable 1 /vala/unstable/read-alias
ERROR: test-vala-unstable process failed: 245

Testsuite summary for libsecret 0.18.5

# TOTAL: 199
# PASS:  197
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 1

See ./test-suite.log
Please report to http://bugzilla.gnome.org/enter_bug.cgi?product=libsecret

Makefile:1966: recipe for target 'test-suite.log' failed
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/libsecret_0.18.5-1_amd64.build.gz

Thanks,
Balint

Bug#837561: kvmtool: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: kvmtool
Version: 0.20160419-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
  CC   x86/bios.o
In file included from x86/bios.c:9:0:
x86/bios/bios-rom.h:12:27: error: ISO C99 requires whitespace after the
macro name [-Werror]
 #define BIOS_OFFSETx86.get_pc_thunk.bx 0x02ea
   ^
cc1: all warnings being treated as errors
Makefile:426: recipe for target 'x86/bios.o' failed
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/kvmtool_0.20160419-1_amd64.build.gz

Thanks,
Balint

Bug#837565: liblpsolve55-dev: Please build liblpsolve55.a with -fPIC

2016-09-12 Thread Balint Reczey

Source: liblpsolve55-dev
Version: 5.5.0.15-4
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes mccs FTBFS with extra hardening
Affects: mccs libreoffice

Dear Maintainers,

During a rebuild of all packages in sid, mccs
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that liblpsolve55.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64 (and selected architectures).

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of mccs's build log:
...
g++ -Wall -O6 -Wl,-z,relro -Wl,-z,now  -DUSELPSOLVE -o mccs objs/cudf.o
objs/constraint_generation.o objs/lp_solver.o objs/pblib_solver.o
objs/removed_criteria.o objs/changed_criteria.o objs/new_criteria.o
objs/notuptodate_criteria.o objs/nunsat_criteria.o objs/count_criteria.o
objs/unaligned_criteria.o objs/lexicographic_combiner.o
objs/lexagregate_combiner.o objs/agregate_combiner.o
objs/lexsemiagregate_combiner.o objs/leximin_combiner.o
objs/leximax_combiner.o objs/lexleximin_combiner.o
objs/lexleximax_combiner.o objs/cudf_reductions.o objs/lpsolve_solver.o
-lfl -L. -lccudf \
 \
 \
-L/usr/lib -llpsolve55 -ldl -lcolamd \
/usr/bin/ld: /usr/lib/liblpsolve55.a(lp_lib.o): relocation
R_X86_64_32 against `.rodata.str1.1' can not be used when making a
shared object; recompile with -fPIC
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/mccs_1.1-3_amd64.build.gz

Thanks,
Balint

Bug#837566: mjpegtools: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: mjpegtools
Version: 2.1.0+debian-4
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
gcc -DHAVE_CONFIG_H -I. -I..  -I.. -I../utils -Wdate-time
-D_FORTIFY_SOURCE=2 -fno-PIC -g -O2
-fdebug-prefix-map=/<>/mjpegtools-2.1.0+debian=.
-fstack-protector-strong -Wformat -Werror=format-security -pthread -Wall
-Wunused -c -o yuvscaler-yuvscaler_resample.o `test -f
'yuvscaler_resample.c' || echo './'`yuvscaler_resample.c
gcc -DHAVE_CONFIG_H -I. -I..  -I.. -I../utils -Wdate-time
-D_FORTIFY_SOURCE=2 -fno-PIC -g -O2
-fdebug-prefix-map=/<>/mjpegtools-2.1.0+debian=.
-fstack-protector-strong -Wformat -Werror=format-security -pthread -Wall
-Wunused -c -o yuvscaler-yuvscaler_bicubic.o `test -f
'yuvscaler_bicubic.c' || echo './'`yuvscaler_bicubic.c
/bin/bash ../libtool  --tag=CC   --mode=link gcc -fno-PIC -g -O2
-fdebug-prefix-map=/<>/mjpegtools-2.1.0+debian=.
-fstack-protector-strong -Wformat -Werror=format-security -pthread -Wall
-Wunused  -Wl,-z,relro -Wl,-z,now -o yuvscaler yuvscaler-yuvscaler.o
yuvscaler-yuvscaler_resample.o yuvscaler-yuvscaler_bicubic.o
../utils/libmjpegutils.la  -lm  -lm libtool: link: gcc -fno-PIC -g -O2
-fdebug-prefix-map=/<>/mjpegtools-2.1.0+debian=.
-fstack-protector-strong -Wformat -Werror=format-security -pthread -Wall
-Wunused -Wl,-z -Wl,relro -Wl,-z -Wl,now -o .libs/yuvscaler
yuvscaler-yuvscaler.o yuvscaler-yuvscaler_resample.o
yuvscaler-yuvscaler_bicubic.o  ../utils/.libs/libmjpegutils.so -lm -pthread
/usr/bin/ld: yuvscaler-yuvscaler.o: relocation R_X86_64_32 against
`.rodata.str1.8' can not be used when making a shared object; recompile
with -fPIC
/usr/bin/ld: yuvscaler-yuvscaler_resample.o: relocation R_X86_64_32
against `.rodata.str1.8' can not be used when making a shared object;
recompile with -fPIC
/usr/bin/ld: yuvscaler-yuvscaler_bicubic.o: relocation R_X86_64_32
against `.rodata.str1.8' can not be used when making a shared object;
recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:441: recipe for target 'yuvscaler' failed
make[3]: *** [yuvscaler] Error 1
make[3]: Leaving directory '/<>/mjpegtools-2.1.0+debian/yuvscaler'
Makefile:572: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/mjpegtools_2.1.0+debian-4_amd64.build.gz

Thanks,
Balint

Bug#837570: msrtool: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: msrtool
Version: 20141027-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
gcc -o msrtool msrtool.o msrutils.o sys.o linux.o darwin.o freebsd.o
geodegx2.o geodelx.o cs5536.o k8.o intel_pentium3_early.o
intel_pentium3.o intel_pentium4_early.o intel_pentium4_later.o
intel_core1.o intel_core2_early.o intel_core2_later.o intel_nehalem.o
intel_atom.o -Wl,-z,relro -Wl,-z,now -lpci
/usr/bin/ld: msrtool.o: relocation R_X86_64_32 against `.rodata.str1.1'
can not be used when making a shared object; recompile with -fPIC
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/msrtool_20141027-1_amd64.build.gz

Thanks,
Balint

Bug#837568: libctl-dev: Please build libctlgeom.a with -fPIC

2016-09-12 Thread Balint Reczey

Source: libctl-dev
Version: 3.2.2-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes mpb FTBFS with extra hardening
Affects: mpb

Dear Maintainers,

During a rebuild of all packages in sid, mpb
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libctlgeom.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64 (and selected architectures).

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of mpb's build log:
...
libtool: link: mpicc -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -W
error=format-security -Wall -W -Wbad-function-cast -Wcast-qual
-Wpointer-arith -Wcast-align -pedantic
-Wl,-z -Wl,relro -Wl,-z -Wl,now
-Wl,-L/usr/lib/x86_64-linux-gnu/hdf5/openmpi -o normal_vectors normal_
vectors.o  -lctlgeom ../src/.libs/libmpb.a
-L/usr/lib/gcc/x86_64-linux-gnu/6 -L/usr/lib/gcc/x86_64-lin
ux-gnu/6/../../../x86_64-linux-gnu
-L/usr/lib/gcc/x86_64-linux-gnu/6/../../../../lib -L/lib/x86_64-lin
ux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib
-L/usr/lib/gcc/x86_64-linux-gnu/6/.
./../.. -L/usr/lib/x86_64-linux-gnu/hdf5/openmpi -lctl -lguile-2.0 -lgc
-lhdf5 -lz -llapack -lblas -lf
ftw3 -lgfortran -lm -lquadmath
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libctlgeom.a(geom.o):
relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
making a shared object; recompile with -fPIC
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/mpb_1.5-2_amd64.build.gz

Thanks,
Balint

Bug#837567: mlton: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: mlton
Version: 20100608-5.1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening
Affects: urweb

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
"/<>/bin/upgrade-basis"
'/<>/build/bin:/<>/build/bin:/<>/bin:/<>/build/bin:/<>/bin:/<>/build/bin:/<>/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games'
"amd64" "linux" >upgrade-basis.sml
/usr/bin/ld: /usr/lib/mlton/targets/self/libmlton.a(platform.o):
relocation R_X86_64_32 against `.rodata.str1.8' can not be used when
making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/mlton/targets/self/libmlton.a(gc.o): relocation
R_X86_64_32 against `.rodata.str1.8' can not be used when making a
shared object; recompile with -fPIC
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/mlton_20100608-5.1_amd64.build.gz

Not shipping libmilton.a as PIC also makes urweb FTBFS:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/urweb_20160805+dfsg-1_amd64.build.gz

Thanks,
Balint

Bug#837569: mpqc3: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: mpqc3
Version: 0.0~git20160216-3
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
-- Found OpenBabel2:
--  OPENBABEL2_LIBRARIES: /usr/lib/libopenbabel.so
--  OPENBABEL2_INCLUDE_DIR: /usr/include/openbabel-2.0
-- Performing Test PSI3_COMPILES
-- Performing Test PSI3_COMPILES - Failed
CMake Error at external/Psi3:56 (message):
  Could not compile Psi3 test program
Call Stack (most recent call first):
  external/External:16 (include)
  CMakeLists.txt:301 (include)
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/mpqc3_0.0~git20160216-3_amd64.build.gz

Thanks,
Balint

Bug#837571: libbmusb-dev: Please build libbmusb.a with -fPIC

2016-09-12 Thread Balint Reczey

Source: libbmusb-dev
Version: 0.5.1-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes nageru FTBFS with extra hardening
Affects: nageru

Dear Maintainers,

During a rebuild of all packages in sid, nageru
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libbmusb.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64 (and selected architectures).

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of nageru's build log:
...
g++ -o nageru glwidget.o main.o mainwindow.o vumeter.o lrameter.o
vu_common.o correlation_meter.o abou
tdialog.o glwidget.moc.o mainwindow.moc.o vumeter.moc.o lrameter.moc.o
correlation_meter.moc.o aboutdi
alog.moc.o mixer.o pbo_frame_allocator.o context.o ref_counted_frame.o
theme.o resampling_queue.o httpd.o ebu_r128_proc.o flags.o image_input.o
stereocompressor.o filter.o alsa_output.o correlation_measurer.o
quicksync_encoder.o x264_encoder.o x264_speed_control.o video_encoder.o
metacube2.o mux.o audio_encoder.o ffmpeg_raii.o decklink_capture.o
decklink/DeckLinkAPIDispatch.o -Wl,-z,relro -Wl,-z,now
-lQt5OpenGLExtensions -lQt5OpenGL -lQt5Widgets -lQt5Gui -lQt5Core
-lusb-1.0 -lmovit -llua5.2 -lmicrohttpd -lepoxy -lx264 -lbmusb -pthread
-lva -lva-drm -lva-x11 -lX11 -lavformat -lavcodec -lavutil -lswscale
-lavresample -lzita-resampler -lasound -ldl
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libbmusb.a(bmusb.o):
relocation R_X86_64_32 against `.rodata.str1.8' can not be used when
making a shared object; recompile with -fPIC
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/nageru_1.3.4-2_amd64.build.gz

Thanks,
Balint

Bug#837572: open-coarrays: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: open-coarrays
Version: 1.6.2-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
[ 33%] Linking Fortran executable coarray_navier_stokes
cd
/<>/obj-x86_64-linux-gnu/src/tests/integration/pde_solvers/navier-stokes
&& /usr/bin/c
make -E cmake_link_script CMakeFiles/coarray_navier_stokes.dir/link.txt
--verbose=1
/usr/bin/mpifort-Wl,-z,relro -Wl,-z,now -g -O2
-fdebug-prefix-map=/<>=. -fstack-prote
ctor-strong
CMakeFiles/coarray_navier_stokes.dir/coarray-shear_coll.F90.o  -o
coarray_navier_stokes
../../../../../../src/tests/integration/pde_solvers/navier-stokes/libfft_sse.a
../../../../mpi/libcaf_
mpi.so.0d -Wl,-rpath,/<>/obj-x86_64-linux-gnu/src/mpi
/usr/bin/ld:
../../../../../../src/tests/integration/pde_solvers/navier-stokes/libfft_sse.a(trig.o):
r
elocation R_X86_64_32 against `.rodata' can not be used when making a
shared object; recompile with -fPIC

...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/open-coarrays_1.6.2-2_amd64.build.gz

Thanks,
Balint

Bug#837574: qemu: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: qemu
Version: 2.6+dfsg-3
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
cc -I/<>/qemu-2.6+dfsg/tcg
-I/<>/qemu-2.6+dfsg/tcg/i386
-I/<>/qemu-2.6+dfsg/linux-headers
-I/<>/qemu-2.6+dfsg/qemu-build/linux-headers -I.
-I/<>/qemu-2.6+dfsg -I/<>/qemu-2.6+dfsg/include
-I/<>/qemu-2.6+dfsg/block -Iblock -I/usr/include/pixman-1
-DHAS_LIBSSH2_SFTP_FSYNC -fPIE -DPIE -m64 -D_GNU_SOURCE
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes
-Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes
-fno-strict-aliasing -fno-common  -g -O2
-fdebug-prefix-map=/<>/qemu-2.6+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2
-DCONFIG_QEMU_DATAPATH='"/usr/share/qemu:/usr/share/seabios:/usr/lib/ipxe/qemu"'
-DVENDOR_DEBIAN -Wendif-labels -Wmissing-include-dirs -Wempty-body
-Wnested-externs -Wformat-security -Wformat-y2k -Winit-self
-Wignored-qualifiers -Wold-style-declaration -Wold-style-definition
-Wtype-limits -fstack-protector-strong  -I/usr/include/p11-kit-1
-I/usr/include/libpng16 -I/usr/include/spice-server
-I/usr/include/spice-1 -I/usr/include/cacard -I/usr/include/libusb-1.0
-I/<>/qemu-2.6+dfsg/tests -MMD -MP -MT block/iscsi.o -MF
block/iscsi.d -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -pthread
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
-pthread -I/usr/include/glib-2.0
-I/usr/lib/x86_64-linux-gnu/glib-2.0/include -g  -fPIC -DBUILD_DSO  -c
-o block/iscsi.o /<>/qemu-2.6+dfsg/block/iscsi.c
cc -nostdlib -Wl,-r  -o block/iscsi.mo block/iscsi.o
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
/<>/qemu-2.6+dfsg/rules.mak:99: recipe for target
'block/iscsi.mo' failed
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/qemu_2.6+dfsg-3_amd64.build.gz

Thanks,
Balint

Bug#837573: picolisp: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: picolisp
Version: 16.6-2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
cc -o ../bin/picolisp x86-64.linux.base.o -Wl,--no-as-needed -rdynamic
-lc -lm -ldl -Wl,-z,relro -Wl,-z,now
/usr/bin/ld: x86-64.linux.base.o: relocation R_X86_64_32S against symbol
`Nil' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:177: recipe for target '../bin/picolisp' failed
make[2]: *** [../bin/picolisp] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/picolisp_16.6-2_amd64.build.gz

Thanks,
Balint

Bug#837576: sbcl: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: sbcl
Version: 1.3.8-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
cc -g -Wall -Wsign-compare -O3 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64 -fno-omit-frame-pointer -I.
-DSBCL_PREFIX=\"'/<>/stage1'\"  -c -o ldso-stubs.o ldso-stubs.S
cc -g -Wl,--export-dynamic -o sbcl alloc.o backtrace.o breakpoint.o
coreparse.o dynbind.o funcall.o gc-common.o globals.o interr.o
interrupt.o largefile.o monitor.o os-common.o parse.o print.o purify.o
pthread-futex.o regnames.o run-program.o runtime.o safepoint.o save.o
search.o thread.o time.o util.o validate.o vars.o wrap.o x86-64-arch.o
linux-os.o x86-64-linux-os.o gencgc.o x86-64-assem.o ldso-stubs.o -ldl
-lpthread -lz -lm
/usr/bin/ld: x86-64-assem.o: relocation R_X86_64_32S against undefined
symbol `all_threads' can not be used when making a shared object;
recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/sbcl_1.3.8-1_amd64.build.gz

Thanks,
Balint

Bug#837580: xenomai: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: xenomai
Version: 2.6.4+dfsg-0.2
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
make[4]: Entering directory
'/<>/xenomai-2.6.4+dfsg/src/testsuite/clocktest'
gcc -DHAVE_CONFIG_H -I. -I../../../src/include  -I../../../include/posix
-O2 -D_GNU_SOURCE -D_REENTRANT -Wall
-Werror-implicit-function-declaration -pipe -D__XENO__ -D__IN_XENO__
-Wstrict-prototypes -fstrict-aliasing -Wno-strict-aliasing
-I../../../include -Wdate-time -D_FORTIFY_SOURCE=2  -g -O2
-fdebug-prefix-map=/<>/xenomai-2.6.4+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -fno-omit-frame-pointer -c -o clocktest-clocktest.o
`test -f 'clocktest.c' || echo './'`clocktest.c
/bin/bash ../../../libtool  --tag=CC   --mode=link
../../../scripts/wrap-link.sh gcc  -g -O2
-fdebug-prefix-map=/<>/xenomai-2.6.4+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -fno-omit-frame-pointer
-Wl,@/<>/xenomai-2.6.4+dfsg/src/skins/posix/posix.wrappers
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o clocktest
clocktest-clocktest.o ../../skins/posix/libpthread_rt.la
../../skins/common/libxenomai.la -lpthread -lrt libtool: link:
../../../scripts/wrap-link.sh gcc -g -O2
-fdebug-prefix-map=/<>/xenomai-2.6.4+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -fno-omit-frame-pointer
-Wl,@/<>/xenomai-2.6.4+dfsg/src/skins/posix/posix.wrappers
-Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -o .libs/clocktest
clocktest-clocktest.o  ../../skins/posix/.libs/libpthread_rt.so
../../skins/common/.libs/libxenomai.so -lpthread -lrt
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
Makefile:435: recipe for target 'clocktest' failed
make[4]: *** [clocktest] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/xenomai_2.6.4+dfsg-0.2_amd64.build.gz

Thanks,
Balint

Bug#837582: yabause: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: yabause
Version: 0.9.14-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
[ 38%] Linking C executable yabause-gtk
cd /<>/obj-x86_64-linux-gnu/src/gtk && /usr/bin/cmake -E
cmake_link_script CMakeFiles/yabause-gtk.dir/link.txt --verbose=1
/usr/bin/cc  -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -Wdate-time -D_FORTIFY_SOURCE=2
-Wdeclaration-after-statement -I/usr/include/gdk-pixbuf-2.0
-Wl,-z,relro -Wl,-z,now -Wl,-z,defs -Wl,--as-needed
CMakeFiles/yabause-gtk.dir/gtk-compat.c.o
CMakeFiles/yabause-gtk.dir/gtkglwidget.c.o
CMakeFiles/yabause-gtk.dir/main.c.o CMakeFiles/yabause-gtk.dir/menu.c.o
CMakeFiles/yabause-gtk.dir/pergtk.c.o
CMakeFiles/yabause-gtk.dir/settings.c.o
CMakeFiles/yabause-gtk.dir/yuicheckbutton.c.o
CMakeFiles/yabause-gtk.dir/yuifileentry.c.o
CMakeFiles/yabause-gtk.dir/yuiinputentry.c.o
CMakeFiles/yabause-gtk.dir/yuim68k.c.o
CMakeFiles/yabause-gtk.dir/yuimem.c.o
CMakeFiles/yabause-gtk.dir/yuipage.c.o
CMakeFiles/yabause-gtk.dir/yuirange.c.o
CMakeFiles/yabause-gtk.dir/yuiresolution.c.o
CMakeFiles/yabause-gtk.dir/yuiscreenshot.c.o
CMakeFiles/yabause-gtk.dir/yuiscsp.c.o
CMakeFiles/yabause-gtk.dir/yuiscudsp.c.o
CMakeFiles/yabause-gtk.dir/yuish.c.o
CMakeFiles/yabause-gtk.dir/yuitransfer.c.o
CMakeFiles/yabause-gtk.dir/yuivdp1.c.o
CMakeFiles/yabause-gtk.dir/yuivdp2.c.o
CMakeFiles/yabause-gtk.dir/yuiviewer.c.o
CMakeFiles/yabause-gtk.dir/yuiwindow.c.o  -o yabause-gtk -rdynamic
../libyabause.a -lm -lGLU -lGL -lglut -lXmu -lXi -Wl,-Bstatic -lSDLmain
-Wl,-Bdynamic -lSDL -lpthread -lopenal -lpthread -lmini18n -lXrandr
-lX11 -lglib-2.0 -lgobject-2.0 -latk-1.0 -lgio-2.0 -lgthread-2.0
-lgmodule-2.0 -lgdk_pixbuf-2.0 -lcairo -lpango-1.0 -lpangocairo-1.0
-lpangoft2-1.0 -lpangoxft-1.0 -lgdk-x11-2.0 -lgtk-x11-2.0
-lgtkglext-x11-1.0 -lgdkglext-x11-1.0 -lopenal -lmini18n -lXrandr -lX11
-lglib-2.0 -lgobject-2.0 -latk-1.0 -lgio-2.0 -lgthread-2.0 -lgmodule-2.0
-lgdk_pixbuf-2.0 -lcairo -lpango-1.0 -lpangocairo-1.0 -lpangoft2-1.0
-lpangoxft-1.0 -lgdk-x11-2.0 -lgtk-x11-2.0 -lgtkglext-x11-1.0
-lgdkglext-x11-1.0 /usr/bin/ld: ../libyabause.a(linkage_x64.s.o):
relocation R_X86_64_32S against undefined symbol `master_ip' can not be
used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
src/gtk/CMakeFiles/yabause-gtk.dir/build.make:713: recipe for target
'src/gtk/yabause-gtk' failed
make[3]: *** [src/gtk/yabause-gtk] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/yabause_0.9.14-1_amd64.build.gz

Thanks,
Balint

Bug#837583: unicon-imc2: Please build libimmclient.a with -fPIC

2016-09-12 Thread Balint Reczey

Source: unicon-imc2
Version: 3.0.4-14+b1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes zhcon FTBFS with extra hardening
Affects: zhcon

Dear Maintainers,

During a rebuild of all packages in sid, zhcon
failed to build on amd64 with patched GCC and dpkg. The root
cause seems to be that libimmclient.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64 (and selected architectures).

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part of zhcon's build log:
...
g++  -g -O2 -fdebug-prefix-map=/<>=.
-fstack-protector-strong -Wformat -Werror=format-security
-funsigned-char -O2 -DNDEBUG -Wall  -Wl,-z,relro -Wl,-z,now -o zhcon
basefont.o big52gbdecoder.o big5decoder.o configfile.o console.o
gb2big5decoder.o gbdecoder.o gbkdecoder.o graphdev.o hzdecoder.o
jisdecoder.o kscdecoder.o main.o window.o winime.o zhcon.o
overspotclient.o nativeinputserver.o inputclient.o inputmanager.o
inputserver.o candilist.o uniconinputserver.o nativebarclient.o mouse.o
encfilter.o iconv_string.o cmdline.o display/libdisplay.a -lgpm
-L/usr/lib/unicon -limm_server -limmclient -lpth -ldl -lcurses -lutil
/usr/bin/ld:
/usr/lib/gcc/x86_64-linux-gnu/6/../../../../lib/libimmclient.a(TLC_LibImmClient.o):
relocation R_X86_64_PC32 against symbol `TCP_Connect' can not be used
when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/zhcon_0.2.6-11_amd64.build.gz

Thanks,
Balint

Bug#837579: user-mode-linux: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: user-mode-linux
Version: 4.6-1um-1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
  LD  init/built-in.o
/usr/bin/ld: arch/um/drivers/built-in.o: relocation R_X86_64_32 against
`.rodata.str1.1' can not be used when making a shared object; recompile
with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/user-mode-linux_4.6-1um-1_amd64.build.gz

Thanks,
Balint

Bug#837581: xfsdump: FTBFS with bindnow and PIE enabled

2016-09-12 Thread Balint Reczey

Source: xfsdump
Version: 3.1.6+nmu1
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
checking for xfs/handle.h... yes
checking for open_by_fshandle in -lhandle... no

FATAL ERROR: could not find a current XFS handle library.
Install or upgrade the XFS library package.
Alternatively, run "make install-dev" from the xfsprogs source.
Makefile:78: recipe for target 'include/builddefs' failed
make[1]: *** [include/builddefs] Error 1
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/xfsdump_3.1.6+nmu1_amd64.build.gz

Thanks,
Balint

< 1 2 3 4 5 6 >

301 - 400 of 573 matches

Mail list logo