Bug#837478: debian-policy: Allow (encourage?) PIC static libraries



Package: debian-policy
Severity: important

Dear Maintainer,

Current (3.9.8.0) Policy mandates non-PIC static libraries with a few
exceptions:

---
10.2 Libraries
... (paragraph about shared libs)

As to the static libraries, the common case is not to have relocatable
code, since there is no benefit, unless in specific cases; therefore the
static version must not be compiled with the -fPIC flag. Any exception
to this rule should be discussed on the mailing list
debian-devel@lists.debian.org, and the reasons for compiling with the
-fPIC flag must be recorded in the file README.Debian. [86]

In other words, if both a shared and a static library is being built,
each source unit (*.c, for example, for C files) will need to be
compiled twice, for the normal case.

---

I think with the spreading of PIE binaries the "... since there is no
benefit ..." claim does not stand anymore. Non-PIC static libraries
can't be linked to PIE binaries thus they are less useful for code
sharing among packages.

There is also a plan to use a specially configured GCC on several
architectures which builds PIE binaries by default and that needs PIC
static libraries for not statically linked binaries. [1]

Planned archive-wide enabling of bindnow (-Wl,-z,now) hardening setting
in dpkg [3] also decreases the speed advantage of non-PIC static libraries.

I would like to suggest revising the Policy text and at least allowing
shipping PIC static libraries without broader discussion and
documentation. I would be in favor of even encouraging PIC for static
libraries because that would allow compiling them to PIE binaries.

I have already filed many bugs [4] related to the transition to PIE by
default where the problem can be solved easily by providing PIC static
libraries. Note that many packages ship only static libs.

Thanks,
Balint


[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[2] https://lists.debian.org/debian-devel/2016/05/msg00309.html
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835146
[4] https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=pie-bindnow-20160906&user=balint%40balintreczey.hu
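
A maintainer-side check for the problem the report describes, added here as an example and not part of the original message: it scans a static archive for objects carrying the absolute x86-64 relocations (R_X86_64_32, R_X86_64_32S) that ld rejects when linking a PIE. It is a heuristic for ELF64 little-endian objects only; all function names are hypothetical and the sample archive is constructed inline.

```python
import struct

# Heuristic, x86-64 only: absolute 32-bit relocations that ld refuses in a -pie link.
ABS_RELOCS = {10: "R_X86_64_32", 11: "R_X86_64_32S"}
SHT_RELA, SHF_ALLOC = 4, 0x2

def ar_members(data):
    """Yield (name, payload) for each member of a GNU ar archive."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    off = 8
    while off + 60 <= len(data):
        name = data[off:off + 16].decode().strip().rstrip("/")
        size = int(data[off + 48:off + 58].decode())
        yield name, data[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)      # members are 2-byte aligned

def abs_relocs(obj):
    """Absolute relocation types applied to loaded (SHF_ALLOC) sections."""
    if obj[:6] != b"\x7fELF\x02\x01":       # ELF64 little-endian only
        return []
    shoff, = struct.unpack_from("<Q", obj, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", obj, 0x3A)
    sh = [struct.unpack_from("<IIQQQQIIQQ", obj, shoff + i * shentsize) for i in range(shnum)]
    seen = set()
    for _, stype, _, _, offset, size, _, info, _, _ in sh:
        # Debug sections also carry R_X86_64_32 but are never loaded, so skip them.
        if stype != SHT_RELA or info >= shnum or not sh[info][2] & SHF_ALLOC:
            continue
        for r in range(offset, offset + size, 24):   # Elf64_Rela entries are 24 bytes
            seen.add(struct.unpack_from("<Q", obj, r + 8)[0] & 0xFFFFFFFF)  # low 32 bits = type
    return sorted(ABS_RELOCS[t] for t in seen if t in ABS_RELOCS)

def non_pic_members(archive):
    """Map member name -> offending relocation types; empty dict means none found."""
    return {n: r for n, o in ar_members(archive) if (r := abs_relocs(o))}

def sample_obj(rtype, flags):
    """Constructed sample: ELF64 object with one RELA entry against one section."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 3, 0)
    shdrs = bytes(64) + struct.pack("<IIQQQQIIQQ", 0, 1, flags, 0, 256, 0, 0, 0, 1, 0) \
        + struct.pack("<IIQQQQIIQQ", 0, SHT_RELA, 0, 0, 256, 24, 0, 1, 8, 24)
    return ehdr + shdrs + struct.pack("<QQq", 0, (1 << 32) | rtype, 0)

def sample_archive():
    """Constructed sample: PLT32 in code, R_X86_64_32 in code, R_X86_64_32 in a non-loaded section."""
    objs = [("pic.o", sample_obj(4, 6)), ("nonpic.o", sample_obj(10, 6)), ("debug.o", sample_obj(10, 0))]
    return b"!<arch>\n" + b"".join(
        f"{n + '/':<16}{0:<12}{0:<6}{0:<6}{'644':<8}{len(o):<10}`\n".encode() + o for n, o in objs)
```

To check a real library, pass the bytes of the `.a` file to `non_pic_members`. An empty result does not prove the objects were built with -fPIC, since non-PIC code that happens to use only PC-relative addressing produces none of these relocations.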

