
"PIE by default" transition is underway -- wiki needs updating


I haven't been paying close attention to the "PIE by default" [1] discussions,
so I may have missed the memo, but: it seems the transition is underway?

I've seen two bugs already claiming "static library foo must be compiled with 
-fPIC" -- because some reverse dependency now fails to build.  But I think 
this advice is misplaced.  The Ubuntu page [2] says that all you need to do is 
rebuild the library foo with the PIE-enabled compiler, then rebuild the 
depending code:

	Relocation Linking Failure

	A dynamically linked program that pulls in a static library that was not 
	built with -fPIC. These give an error like: 

	    relocation R_X86_64_32 against '[SYMBOL]' can not be used when making a 
		shared object; recompile with -fPIC

	To address these types of issues, the package providing the static object 
	needs to be rebuilt (usually just a no-change rebuild against the pie-by-
	default compiler) before rebuilding the failed package. 

So it seems to me that this should be emphasized on the wiki [1]. Secondly,
it seems that the proposal to change policy to encourage -fPIC on static
libraries [3] is misplaced and should be withdrawn. Are both these
statements accurate?


[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[2] https://wiki.ubuntu.com/SecurityTeam/PIE
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478
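
The relocation failure quoted above from the Ubuntu page can be spotted before a reverse dependency fails to build, by listing which members of a static archive carry 32-bit absolute relocations. This is an added example, not part of the original message or of either wiki: it parses `readelf -rW` output, the sample listing is constructed, and treating `R_X86_64_32S` like `R_X86_64_32` and skipping `.rela.debug*` sections by name are assumptions of this example.

```python
import re
import subprocess
import sys

# The quoted linker error names R_X86_64_32; including R_X86_64_32S is this example's choice.
ABSOLUTE = {"R_X86_64_32", "R_X86_64_32S"}
FILE_RE = re.compile(r"^File: (.+)$")
SECTION_RE = re.compile(r"^Relocation section '([^']+)'")
ENTRY_RE = re.compile(r"^[0-9a-f]+\s+[0-9a-f]+\s+(R_\w+)\s+(?:[0-9a-f]+\s+)?(.*)$")

# Constructed sample in the layout `readelf -rW libfoo.a` prints (libfoo.a is hypothetical).
SAMPLE = """\
File: libfoo.a(foo.o)
Relocation section '.rela.text' at offset 0x250 contains 2 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000005  000000050000000a R_X86_64_32            0000000000000000 .rodata + 0
000000000000000a  0000000b00000004 R_X86_64_PLT32         0000000000000000 puts - 4
Relocation section '.rela.debug_info' at offset 0x300 contains 1 entry:
0000000000000006  000000070000000a R_X86_64_32            0000000000000000 .debug_abbrev + 0
File: libfoo.a(bar.o)
Relocation section '.rela.text' at offset 0x1f8 contains 1 entry:
0000000000000007  0000000300000002 R_X86_64_PC32          0000000000000000 .rodata - 4
"""

def non_pic_members(readelf_output):
    """Map each archive member to its (section, type, symbol) absolute relocations."""
    hits, member, section = {}, "<object>", None
    for line in readelf_output.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            member, section = m.group(1), None
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ENTRY_RE.match(line)):
            # DWARF sections use R_X86_64_32 even in PIC objects and are not loaded,
            # so they are skipped here (name-based heuristic).
            if m.group(1) in ABSOLUTE and not section.startswith(".rela.debug"):
                hits.setdefault(member, []).append((section, m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    text = SAMPLE  # with a path argument, inspect a real archive or object instead
    if len(sys.argv) > 1:
        text = subprocess.run(["readelf", "-rW", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    for member, relocs in non_pic_members(text).items():
        print(f"{member}: {len(relocs)} 32-bit absolute relocation(s), e.g. {relocs[0]}")
```

Members reported here were compiled without position-independent code; members with only PC-relative or PLT relocations are not listed.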
