Re: sponsor upload aghermann-0.7.0.1-1 please
Hi Yaroslav,
Somehow your last email slipped into my archive mail folder unnoticed and
remained there for a week, unread (blame my fetchmail setup and the new
job I started last Monday). So here's the new dsc link:
http://johnhommer.com//academic/code/aghermann/source/deb/aghermann_0.7.0.1-1.dsc.
Wrt -fPIE -pie flags, after a weekend of seeking the truth I give up.
The problem is that, with -pie, linking libsigfile.la fails miserably:
libtool: link: g++ -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/Scrt1.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o .libs/channel.o .libs/source-base.o .libs/source.o .libs/edf.o .libs/page.o .libs/page-metrics-base.o .libs/psd.o .libs/mc.o -lfftw3 -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -lstdc++ -lm -lc -lgcc_s -lgcc /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o -fopenmp -O2 -Wl,-z -Wl,relro -fopenmp -Wl,-soname -Wl,libsigfile.so -o .libs/libsigfile.so
/usr/lib/x86_64-linux-gnu/libc_nonshared.a(elf-init.oS): In function `__libc_csu_init':
(.text+0x1d): undefined reference to `__init_array_end'
/usr/bin/ld.bfd.real: /usr/lib/x86_64-linux-gnu/libc_nonshared.a(elf-init.oS): relocation R_X86_64_PC32 against undefined hidden symbol `__init_array_end' can not be used when making a shared object
/usr/bin/ld.bfd.real: final link failed: Bad value
collect2: error: ld returned 1 exit status
(Odd thing here is that there appears libc_nonshared.a whereas linking is done
with -shared.)
I've googled the matter extensively, and none of the supposed solutions
were helping (see, for example, http://gcc.gnu.org/ml/gcc-help/2005-07/msg00168.html
and this thread: http://www.mail-archive.com/automake-patches@gnu.org/msg00318.html).
There are some "insightful" comments I left in src/libsigfile/Makefile.am.
Eventually, I "fixed" the problem by omitting -pie from the hardening flags
(I note that -fPIE remains, as well as -D_FORTIFY_SOURCE=2 and all others).
This, again, proves to be enough to make lintian happy.
I would like, for now, to get it released with this interim "solution".
Otherwise it's going to be mired in an, oh so very interesting but largely
gratuitous, exercise in Makefile.am-fu.
As usual :}, builds verified with nd_build:
aghermann_0.7.0.1-1~nd70+2_i386.build OK 6:15.07 real, 173.55 user, 15.88 sys, 0 out
aghermann_0.7.0.1-1~nd70+2_amd64.build OK 6:23.82 real, 174.63 user, 19.36 sys, 0 out
aghermann_0.7.0.1-1~nd+2_i386.build OK 6:45.78 real, 197.76 user, 16.56 sys, 0 out
aghermann_0.7.0.1-1~nd+2_amd64.build OK 6:44.47 real, 194.86 user, 20.68 sys, 0 out
It also builds on ubuntu precise. (Honestly, nd_build was a great idea.)
Cheers,
Andrei
On Mon, 2 Jul 2012 10:06:44 -0400
Yaroslav Halchenko <debian@onerussian.com> wrote:
> Hi Andrei,
>
> Since wheezy is frozen now, all fresh uploads with substantial changes
> (e.g. new upstream release) should target 'experimental' instead of
> 'unstable' in debian/changelog. I will upload backports to NeuroDebian
> anyways ;-)
>
> now hardening, which I am not much of an expert unfortunately:
>
>
> > Recently lintian has grown clever enough to require -D_FORTIFY_SOURCE
>
> ;-) mention that those are just warnings, so theoretically could be
> ignored (unless it is a daemon app etc), but it is indeed great to have
> them addressed
>
> > and other nifty things as described here:
> > http://wiki.debian.org/Hardening. I now duly added the recommended flags
> > to CXXFLAGS, which is not representing an issue to write about per se
> > except for the fact that I had to omit -fPIE and -pie. With these latter
> > two, my private libsigfile.so fails to build.
>
> interesting... as far as I see it *pie* hardening is even more
> optional and surprised that the dyn library doesn't build for you with
> fPIC?
>
> > However, adding the following to my debian/rules happens to be enough to
> > silence lintian:
>
> ;-) per se you don't need to "silence" it (yet) for these
>
> > export DEB_BUILD_HARDENING=1
>
> > CXXFLAGS=$(shell dpkg-buildflags --get CFLAGS)
> > LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
> > # CXXFLAGS+=$(HARDENING_CFLAGS)
> > # LDFLAGS+=$(HARDENING_LDFLAGS)
> > ## hardening-wrapper doesn't seem to be available
> > ## on all target arches yet, so try adding these flags manually
> > export CXXFLAGS += -Wformat -Wformat-security -Werror=format-security \
> >   -D_FORTIFY_SOURCE=2 -fstack-protector --param ssp-buffer-size=4
> > export LDFLAGS += -z relro -z now
>
> well -- if you just care to "silence lintian", i.e. to introduce
> hardening only where supported, you could do smth like what I have done
> for freeipmi:
>
> override_dh_auto_configure:
> 	dh_auto_configure -- $(shell dpkg-buildflags --export=configure | grep CFLAGS )
>
> so, where dpkg-buildflags provides those hardening flags -- they would
> be used. and would build just fine otherwise
>
> > Here's the link to .DSC file:
> > http://johnhommer.com/academic/code/aghermann/source/deb/aghermann_0.7.0-1.dsc.
> > Hope all will build well.
>
> does it for you? ;-) so tune up release to experimental and maybe give it a
> 2nd thought on how to treat hardening args and reupload .dsc
>
> Cheers!
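
Added example, not part of the original thread: the failing libtool command quoted above links with -shared yet also lists Scrt1.o, the glibc startup object for position-independent executables. The script below flags that combination in a build log; the sample log is constructed (its first line is shortened from the thread, and the executable link and its file names are hypothetical).

```shell
#!/bin/sh
# Added example: flag link commands in a build log where a -shared link
# also carries PIE-only pieces (-pie or the Scrt1.o startup object).

classify_link_line() {
    shared=0; pie=0; pie_start=0
    set -f                      # no globbing while the command is word-split
    for tok in $1; do
        case $tok in
            -shared)            shared=1 ;;
            -pie)               pie=1 ;;
            Scrt1.o|*/Scrt1.o)  pie_start=1 ;;   # startup code for PIE executables
        esac
    done
    set +f
    if [ "$shared" -eq 1 ] && [ $((pie + pie_start)) -gt 0 ]; then
        echo shared-with-pie-startup
    elif [ "$shared" -eq 1 ]; then
        echo shared-ok
    elif [ "$pie" -eq 1 ]; then
        echo pie-exe
    else
        echo non-pie-exe
    fi
}

# Reads a build log on stdin, prints "<line-no>: <verdict>" for each libtool
# link command that produces an output file (archive steps are skipped), and
# returns 1 if any shared-library link carries PIE startup code.
audit_build_log() {
    n=0; bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            "libtool: link: "*" -o "*) ;;
            *) continue ;;
        esac
        verdict=$(classify_link_line "$line")
        echo "$n: $verdict"
        [ "$verdict" = shared-with-pie-startup ] && bad=1
    done
    return "$bad"
}

sample_log() {   # constructed sample input
    cat <<'EOF'
libtool: link: g++ -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/Scrt1.o .libs/edf.o -lfftw3 -Wl,-soname -Wl,libsigfile.so -o .libs/libsigfile.so
libtool: link: ar cru .libs/libsigfile.a channel.o edf.o
libtool: link: g++ -fPIE -O2 -pie -Wl,-z -Wl,relro -o aghermann main.o
EOF
}

sample_log | audit_build_log || echo "shared-library link with PIE startup code found"
```

On a real build, pipe the saved build log into `audit_build_log` in place of `sample_log`.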