
Re: sponsor upload aghermann-0.7.0.1-1 please



Hi Yaroslav,

Somehow your last email slipped into my archive mail folder unnoticed and
remained there for a week, unread (blame my fetchmail setup and the new
job I started last Monday).  So here's the new dsc link:
http://johnhommer.com//academic/code/aghermann/source/deb/aghermann_0.7.0.1-1.dsc.

Wrt -fPIE -pie flags, after a weekend of seeking the truth I give up.

The problem is that, with -pie, linking libsigfile.la fails miserably:

libtool: link: g++  -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o  .libs/channel.o .libs/source-base.o .libs/source.o .libs/edf.o .libs/page.o .libs/page-metrics-base.o .libs/psd.o .libs/mc.o   -lfftw3 -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -lstdc++ -lm -lc -lgcc_s -lgcc /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o  -fopenmp -O2 -Wl,-z -Wl,relro   -fopenmp -Wl,-soname -Wl,libsigfile.so -o .libs/libsigfile.so
/usr/lib/x86_64-linux-gnu/libc_nonshared.a(elf-init.oS): In function `__libc_csu_init':
(.text+0x1d): undefined reference to `__init_array_end'
/usr/bin/ld.bfd.real: /usr/lib/x86_64-linux-gnu/libc_nonshared.a(elf-init.oS): relocation R_X86_64_PC32 against undefined hidden symbol `__init_array_end' can not be used when making a shared object
/usr/bin/ld.bfd.real: final link failed: Bad value
collect2: error: ld returned 1 exit status

(The odd thing here is that libc_nonshared.a appears even though linking is
done with -shared.)

I've googled the matter extensively, and none of the supposed solutions
were helping (see, for example, http://gcc.gnu.org/ml/gcc-help/2005-07/msg00168.html
and this thread: http://www.mail-archive.com/automake-patches@gnu.org/msg00318.html).
There are some "insightful" comments I left in src/libsigfile/Makefile.am.

Eventually, I "fixed" the problem by omitting -pie from the hardening flags
(I note that -fPIE remains, as well as -D_FORTIFY_SOURCE=2 and all others).
This, again, proves to be enough to make lintian happy.

I would like, for now, to get it released with this interim "solution".
Otherwise it's going to be mired in an, oh so very interesting but largely
gratuitous, exercise in Makefile.am-fu.

As usual :}, builds verified with nd_build:

aghermann_0.7.0.1-1~nd70+2_i386.build   OK      6:15.07 real, 173.55 user, 15.88 sys, 0 out
aghermann_0.7.0.1-1~nd70+2_amd64.build  OK      6:23.82 real, 174.63 user, 19.36 sys, 0 out
aghermann_0.7.0.1-1~nd+2_i386.build     OK      6:45.78 real, 197.76 user, 16.56 sys, 0 out
aghermann_0.7.0.1-1~nd+2_amd64.build    OK      6:44.47 real, 194.86 user, 20.68 sys, 0 out

It also builds on ubuntu precise.  (Honestly, nd_build was a great idea.)

Cheers,
Andrei

On Mon, 2 Jul 2012 10:06:44 -0400
Yaroslav Halchenko <debian@onerussian.com> wrote:


> Hi Andrei,
> 
> Since wheezy is frozen now, all fresh uploads with substantial changes
> (e.g. new upstream release) should target 'experimental' instead of
> 'unstable' in debian/changelog.  I will upload backports to NeuroDebian
> anyways ;-)
> 
> now hardening, in which I am not much of an expert unfortunately:
> 
> 
> > Recently lintian has grown clever enough to require -D_FORTIFY_SOURCE
> 
> ;-) mention that those are just warnings, so theoretically could be
> ignored (unless it is a daemon app etc), but it is indeed great to have
> them addressed
> 
> > and other nifty things as described here:
> > http://wiki.debian.org/Hardening. I now duly added the recommended flags
> > to CXXFLAGS, which is not representing an issue to write about per se
> > except for the fact that I had to omit -fPIE and -pie.  With these latter
> > two, my private libsigfile.so fails to build.
> 
> interesting... as far as I see it  *pie* hardening  is even more
> optional and surprised that the dyn library doesn't  build for you with
> fPIC?
> 
> > However, adding the following to my debian/rules happens to be enough to
> > silence lintian:
> 
> ;-) per se you don't need to "silence" it (yet) for these
> 
> >  export DEB_BUILD_HARDENING=1
> 
> >  CXXFLAGS=$(shell dpkg-buildflags --get CFLAGS)
> >  LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
> >  # CXXFLAGS+=$(HARDENING_CFLAGS)
> >  # LDFLAGS+=$(HARDENING_LDFLAGS)
> >  ## hardening-wrapper doesn't seem to be available
> >  ## on all target arches yet, so try adding these flags manually
> >  export CXXFLAGS += -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -fstack-protector --param ssp-buffer-size=4
> >  export LDFLAGS += -z relro -z now
> 
> well -- if you just care to "silence lintian", i.e. to introduce
> hardening only where supported, you could do smth like what I have done
> for freeipmi:
> 
> override_dh_auto_configure:
>     dh_auto_configure -- $(shell dpkg-buildflags --export=configure | grep CFLAGS )
> 
> so, where dpkg-buildflags  provides those hardening flags -- they would
> be used.  and would build just fine otherwise
> 
> > Here's the link to .DSC file:
> > http://johnhommer.com/academic/code/aghermann/source/deb/aghermann_0.7.0-1.dsc.
> > Hope all will build well.
> 
> does it for you? ;-) so tune up release to experimental and maybe give it a
> 2nd thought on how to treat hardening args and reupload .dsc
> 
> Cheers!
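
A check related to the interim fix discussed in this thread, as an added example that is not part of the original messages or of the aghermann source: it reads an ELF64 little-endian header to tell whether an output was linked as a fixed-address executable, as a PIE executable (-pie) or as a shared library (-shared), and whether -z relro produced a PT_GNU_RELRO segment. Using PT_INTERP to separate a PIE from a shared library is a heuristic, and fake_elf() only builds constructed sample input.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_RELRO = 3, 0x6474E552

def classify(data):
    """Report link-time hardening visible in an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # p_type is the first 32-bit field of every program header entry.
    p_types = {struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)}
    if e_type == ET_EXEC:
        kind = "fixed-address executable"   # linked without -pie
    elif e_type == ET_DYN and PT_INTERP in p_types:
        kind = "PIE executable"             # linked with -pie (heuristic)
    elif e_type == ET_DYN:
        kind = "shared library"             # linked with -shared
    else:
        kind = "other"
    return {"kind": kind, "relro": PT_GNU_RELRO in p_types}

def fake_elf(e_type, p_types):
    """Constructed sample: a 64-byte ELF header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0,
                                 0, 64, 56, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<II48x", t, 0) for t in p_types)
    return header + phdrs

if __name__ == "__main__":
    import sys
    # Usage: pass the paths of built binaries and libraries as arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify(f.read()))
```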

