Hi, I haven't been paying close attention to the "PIE by default" [1] discussions, so I may have missed the memo, but: it seems the transition is underway? I've seen two bugs already claiming "static library foo must be compiled with -fPIC" -- because some reverse dependency now fails to build. But I think this advice is misplaced. The Ubuntu page [2] says that all you need to do is rebuild the library foo with the PIE-enabled compiler, then rebuild the depending code: Relocation Linking Failure A dynamically linked program that pulls in a static library that was not built with -fPIC. These give an error like: relocation R_X86_64_32 against '[SYMBOL]' can not be used when making a shared object; recompile with -fPIC To address these types of issues, the package providing the static object needs to be rebuilt (usually just a no-change rebuild against the pie-by- default compiler) before rebuilding the failed package. So it seems to me that this should be emphasized on the wiki [1]. Secondly, it seems that the proposal to change policy to encourage -fPIC on static libraries [3] is misplaced and should be withdrawn. Are both these statements accurate? Thanks, -Steve [1] https://wiki.debian.org/Hardening/PIEByDefaultTransition [2] https://wiki.ubuntu.com/SecurityTeam/PIE [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478
Attachment:
signature.asc
Description: This is a digitally signed message part.