Bug#837359: ocaml: Please build libasmrun.a with -fPIC
Hi Stéphane,
Thank you for your prompt reply.
2016-09-13 10:53 GMT+02:00 Stéphane Glondu <glondu@crans.org>:
> On 10/09/2016 23:27, Balint Reczey wrote:
>>
>> During a rebuild of all packages in sid, many ocaml packages
>> failed to build on amd64 with patched GCC and dpkg. The root cause
>> seems to be that libasmrun.a is shipped as a non-PIC library.
>
>
> There is already a version of libasmrun.a compiled with -fPIC:
> libasmrun_pic.a. But to use it, a specific option (-runtime-variant _pic)
> must be used. This is done in sks, for example.
I believe it would be more reasonable to fix that issue in ocaml, than
changing all affected packages and I also think using -fPIC for static libs
is the better option archive-wide (which I detail below).
>
>> The rebuild tested if packages are ready for a transition
>> enabling PIE and bindnow for amd64.
>> [...]
>> The attached patch fixed the problem.
>
>
> Your patch injects -fPIC in all calls to gcc. Is that what we want from now
I believe that would be the best solution.
> on? Why isn't that done inside gcc itself, then?
At Debian we try tend to set flags in dpkg rather than in GCC (unlike Ubuntu).
>
> I read on https://lintian.debian.org/tags/hardening-no-pie.html that -fPIC
> is not compatible with -fPIE. Then, I don't understand why you talk about
> adding -fPIC in this bugreport which is about enabling PIE.
The explanation there is correct but a little terse. The incompatibility here
means that you can't link a PIE static library to a shared library
(compiled with PIC).
There is an ongoing discussion about PIC/PIE on debian-devel:
https://lists.debian.org/debian-devel/2016/05/msg00306.html
https://lists.debian.org/debian-devel/2016/09/msg00217.html
and a request to change the policy:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478
I think the outcome will be at least encouraging PIC for
static libraries, too, and this proposed patch is a simple way
of enabling PIC in ocaml.
Reply to: