
Re: Bug#845193: dpkg: recent -specs PIE changes break openssl



Hi Guillem,

2016-11-24 17:00 GMT+01:00 John Paul Adrian Glaubitz
<glaubitz@physik.fu-berlin.de>:
> On 11/24/2016 04:35 PM, Guillem Jover wrote:
>> Hi!
>>
>> On Thu, 2016-11-24 at 14:52:33 +0000, Thorsten Glaser wrote:
>>> clone 845193 -1
>>> reassign -1 dpkg
>>> retitle -1 dpkg: please do not add -specs= flags only on some architectures
>>> thanks
>>
>> I'm afraid I'll have to wontfix this because it is not really
>> implementable. See below… :/

I appreciate that you would like to do the *right thing*, but the original
proposal for syncing with gcc was the following:

If GCC uses PIE by default then +pie and -pie are noops.
If GCC does not use PIE by default -pie is a noop, +pie sets PIE flags.

This has been tested archive-wide and does not involve risks due to
manipulating specs.

See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835149

I do admit that this does not allow easily disabling PIE, but
1. Upstreams already need to adapt to GCC's setting PIE by
default since Ubuntu 16.10 already ships such a GCC.
2. Disabling PIE does not have to be easy. I for myself prefer
making disabling protection hard in any system, which includes
systems outside of the software world.

I believe the proposal which does not involve setting specs is
tested better, less risky and compatible with more compilers.

Cheers,
Balint

>
> Fixing the issue in a similar way as it was fixed on sparc64 [1] is
> not possible?
>
> Adrian
>
>> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843826
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaubitz@debian.org
> `. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

