Re: r-cran-rinside good to go

To: Andreas Tille <andreas@an3as.eu>
Cc: debian-science@lists.debian.org
Subject: Re: r-cran-rinside good to go
From: Dirk Eddelbuettel <edd@debian.org>
Date: Wed, 2 Sep 2015 10:38:47 -0500
Message-id: <[🔎] 21991.6151.906926.599566@max.nulle.part>
In-reply-to: <[🔎] 20150902152644.GD3449@an3as.eu>
References: <55E48380.40206@thon.cc> <[🔎] 20150902101646.GC27533@an3as.eu> <[🔎] 55E6F527.7090703@thon.love> <[🔎] 20150902152644.GD3449@an3as.eu>

On 2 September 2015 at 17:26, Andreas Tille wrote:
| Hi Jonathon,
| 
| On Wed, Sep 02, 2015 at 03:09:59PM +0200, Jonathon Love wrote:
| > > 
| > > I would have loved if the patch would have been discussed - IMHO it is
| > > sensible.
| > 
| > oh ok. still figuring out how much autonomy i'm supposed to exhibit. i
| > do like to lead with a concrete implementation - and was expecting it to
| > spur some discussion.
| 
| I admit I would love to see a simple solution for hardening in R
| packages.

I think the flags should just pass through.  Which bubbles up several levels
to R itself which has them from its configure:

edd@max:~$ grep stack /etc/R/Makeconf 
# configure  '--prefix=/usr' '--with-cairo' '--with-jpeglib' '--with-readline' '--with-tcltk' '--with-system-bzlib' '--with-system-pcre' '--with-system-zlib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share/R/share' '--includedir=/usr/share/R/include' '--with-blas' '--with-lapack' '--enable-R-profiling' '--enable-R-shlib' '--enable-memory-profiling' '--without-recommended-packages' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu' 'R_PRINTCMD=/usr/bin/lpr' 'R_PAPERSIZE=letter' 'R_BROWSER=xdg-open' 'LIBnn=lib' 'JAVA_HOME=/usr/lib/jvm/default-java' 'CC=gcc -std=gnu99' 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=' 'F77=gfortran' 'FFLAGS=-g -O2 -fstack-protector-strong' 'CXX=g++' 'CXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g' 'FC=gfortran' 'FCFLAGS=-g -O2 -fstack-protector-strong'
CFLAGS = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g $(LTO)
CXXFLAGS = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g $(LTO)
CXX1XFLAGS = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g
FCFLAGS = -g -O2 -fstack-protector-strong $(LTO)
FFLAGS = -g -O2 -fstack-protector-strong $(LTO)
SAFE_FFLAGS = -g -O2 -fstack-protector-strong -ffloat-store
edd@max:~$

So if these flags are left alone by the src/Makevars of an R package -- which
is the default -- then they should just pass through.

>From a random (but most recent) package log:

edd@max:~$ grep stack src/debian/build-logs/r-cran-quantreg_5.19-1.log 
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c akj.f -o akj.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c boot.f -o boot.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c brute.f -o brute.o
gcc -std=gnu99 -I/usr/share/R/include -DNDEBUG      -fpic  -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g  -c chlfct.c -o chlfct.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c cholesky.f -o cholesky.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c combos.f -o combos.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c crq.f -o crq.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c crqfnb.f -o crqfnb.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c dsel05.f -o dsel05.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c etime.f -o etime.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c extract.f -o extract.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c idmin.f -o idmin.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c iswap.f -o iswap.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c kuantile.f -o kuantile.o
gcc -std=gnu99 -I/usr/share/R/include -DNDEBUG      -fpic  -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g  -c mcmb.c -o mcmb.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c penalty.f -o penalty.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c powell.f -o powell.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rls.f -o rls.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rq0.f -o rq0.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rq1.f -o rq1.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rqbr.f -o rqbr.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rqfn.f -o rqfn.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rqfnb.f -o rqfnb.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rqfnc.f -o rqfnc.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c rqs.f -o rqs.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c sparskit2.f -o sparskit2.o
gcc -std=gnu99 -I/usr/share/R/include -DNDEBUG      -fpic  -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g  -c srqfn.c -o srqfn.o
gcc -std=gnu99 -I/usr/share/R/include -DNDEBUG      -fpic  -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g  -c srqfnc.c -o srqfnc.o
gfortran   -fpic  -g -O2 -fstack-protector-strong  -c srtpai.f -o srtpai.o
edd@max:~$

Given that the link step is missing it, this would point to r-base -- but I
do set them there and pass on to LDFLAGS.

But

edd@max:~$ grep LDFLAGS /etc/R/Makeconf 
# configure  '--prefix=/usr' '--with-cairo' '--with-jpeglib' '--with-readline' '--with-tcltk' '--with-system-bzlib' '--with-system-pcre' '--with-system-zlib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share/R/share' '--includedir=/usr/share/R/include' '--with-blas' '--with-lapack' '--enable-R-profiling' '--enable-R-shlib' '--enable-memory-profiling' '--without-recommended-packages' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu' 'R_PRINTCMD=/usr/bin/lpr' 'R_PAPERSIZE=letter' 'R_BROWSER=xdg-open' 'LIBnn=lib' 'JAVA_HOME=/usr/lib/jvm/default-java' 'CC=gcc -std=gnu99' 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=' 'F77=gfortran' 'FFLAGS=-g -O2 -fstack-protector-strong' 'CXX=g++' 'CXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g' 'FC=gfortran' 'FCFLAGS=-g -O2 -fstack-protector-strong'
DYLIB_LDFLAGS = -shared -fopenmp# $(CFLAGS) $(CPICFLAGS)
DYLIB_LINK = $(DYLIB_LD) $(DYLIB_LDFLAGS) $(LDFLAGS)
LDFLAGS = -Wl,-Bsymbolic-functions -Wl,-z,relro
MAIN_LDFLAGS = -Wl,--export-dynamic -fopenmp
MAIN_LINK = $(MAIN_LD) $(MAIN_LDFLAGS) $(LDFLAGS)
SHLIB_CXXLDFLAGS = -shared
SHLIB_CXX1XLDFLAGS = -shared
SHLIB_FCLDFLAGS = -shared
SHLIB_LDFLAGS = -shared# $(CFLAGS) $(CPICFLAGS)
SHLIB_LINK = $(SHLIB_LD) $(SHLIB_LDFLAGS) $(LIBR0) $(LDFLAGS)
edd@max:~$

So maybe R drops them?   If anybody has some time on their hands and wants to
hunts this ... 

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org

Reply to:

References:
- Re: r-cran-rinside good to go
  - From: Andreas Tille <andreas@an3as.eu>
- Re: r-cran-rinside good to go
  - From: Jonathon Love <jon@thon.love>
- Re: r-cran-rinside good to go
  - From: Andreas Tille <andreas@an3as.eu>

Prev by Date: Re: r-cran-rinside good to go
Next by Date: Re: r-cran-desolve: lintian warnings
Previous by thread: Re: r-cran-rinside good to go
Next by thread: [Caffe] uploaded to mentors but NOT RFS
Index(es):
- Date
- Thread