
Exception for shipping shared libraries compiled with -fPIC for multiple packages



Dear People of Debian-Devel,

Current Policy (3.9.8.0) mandates discussion on debian-devel@d.o
before changing packages to ship static libraries compiled with -fPIC:

---
10.2 Libraries
... (paragraph about shared libs)

As to the static libraries, the common case is not to have relocatable
code, since there is no benefit, unless in specific cases; therefore
the static version must not be compiled with the -fPIC flag. Any
exception to this rule should be discussed on the mailing list
debian-devel@lists.debian.org, and the reasons for compiling with the
-fPIC flag must be recorded in the file README.Debian. [86]

In other words, if both a shared and a static library is being built,
each source unit (*.c, for example, for C files) will need to be
compiled twice, for the normal case.

---

I am hereby asking for exceptions for the following packages:

Bug     Package                       Title
#586572 libdpkg-dev                   libdpkg-dev: Please provide a libdpkg shared library
#712228 src:ghc                       Hardening flag -pie breaks compilation with GHC
#804254 publib-dev                    publib-dev: please build libpub.a with -fPIC
#837350 src:binutils                  binutils: Please build libbfd.a with -fPIC
#837359 src:ocaml                     ocaml: Please build libasmrun.a and libcamlrun.a with -fPIC
#837363 src:cpputest                  cpputest: Please build libCppUTest.a with -fPIC
#837417 src:ctn                       ctn: Please build libctn.a with -fPIC
#837423 src:jack-audio-connection-kit jack-audio-connection-kit: Please build libjack.a with -fPIC
#837424 src:portaudio19               portaudio19: Please build libportaudio.a with -fPIC
#837434 src:binpac                    binpac: Please build libbinpac.a with -fPIC
#837445 src:check                     check: Please build libcheck.a with -fPIC
#837452 src:simgear                   simgear: Please build libSimGearCore.a and libSimGearScene.a with -fPIC
#837489 src:antlr                     antlr: Please build libantlr.a with -fPIC
#837490 src:libpapyrus3-dev           libpapyrus3-dev: Please build libPapyrus3.a with -fPIC
#837491 src:libgadap-dev              libgadap-dev: Please build libgadap.a with -fPIC

Converting the mentioned shared libraries to PIC allows rebuilding
reverse build-dependencies with PIE and also enables switching
several architectures to use PIE by default [1].

I have filed a bug [2] to relax/change policy, but to conform to the
current one, asking for the exceptions above is needed.

There is an active thread [3] about using PIC/PIE generally for
static libraries on debian-devel. Please keep this one
focused on the exception.

Thanks,
Balint

[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478
[3] https://lists.debian.org/debian-devel/2016/05/msg00306.html
[4] https://lists.debian.org/debian-devel/2016/09/msg00217.html

