Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE


Thorsten Glaser-6
# same issue
forcemerge 879014 870383
retitle 879014 gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE
# it still persists
found 879014 1.13.1-6
thanks

Hi,

> points out the problem: Qt wants to be compiled with -fPIC and sets up
> the CFLAGS appropriately, yet hardening comes into the way as it adds
> the PIE *after* the PIC.
>
> Cc’ing qtbase5-dev and dpkg maintainers.

can this please be fixed? Thanks!

> edit debian/rules to get it to compile:
> -export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> +export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
>
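
Review bot: the `+` line turns PIE off unconditionally, so every architecture and every binary built from this source loses it, although the bug title says the build fails only on some arches. Consider making `-pie` conditional on the host architecture, or dropping PIE only from the flags used for the code compiled against Qt, and add a comment naming the bug so the exception can be removed once the flag ordering is fixed.
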
> ① I didn’t test whether that was enough with up-to-date dpkg.

This appears to have been enough. So, as a quick workaround,
adding this on affected architectures allows it to build.

bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

**********

With the tarent Academy we also offer training and courses in the
areas of software development, agile working and future technologies.

Visit us at www.tarent.de/academy. We look forward to hearing from you.

**********


Lisandro Damián Nicanor Pérez Meyer-2
Hi!

On Mon, 9 Mar 2020 07:44, Thorsten Glaser <[hidden email]> wrote:
> # same issue
> forcemerge 879014 870383
> retitle 879014 gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE
> # it still persists
> found 879014 1.13.1-6
> thanks
>
> Hi,
>
> > points out the problem: Qt wants to be compiled with -fPIC and sets up
> > the CFLAGS appropriately, yet hardening comes into the way as it adds
> > the PIE *after* the PIC.

PIC implies PIE, so adding it after PIE is an error. Yes, this is a special case but not up to Qt to solve it.

Lisandro Damián Nicanor Pérez Meyer-2
Hi again!

On Mon, 9 Mar 2020 at 12:43, Lisandro Damián Nicanor Pérez Meyer
<[hidden email]> wrote:

>
> Hi!
>
> On Mon, 9 Mar 2020 07:44, Thorsten Glaser <[hidden email]> wrote:
>>
>> # same issue
>> forcemerge 879014 870383
>> retitle 879014 gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE
>> # it still persists
>> found 879014 1.13.1-6
>> thanks
>>
>> Hi,
>>
>> > points out the problem: Qt wants to be compiled with -fPIC and sets up
>> > the CFLAGS appropriately, yet hardening comes into the way as it adds
>> > the PIE *after* the PIC.
>
>
> PIC implies PIE, so adding it after PIE is an error. Yes, this is a special case but not up to Qt to solve it.

That was a fast reply from phone, and I seemed to write it wrongly. In
this case Qt uses PIC, which is the right thing to do for libraries
(and Qt needs it that way).
PIE implies PIE so (and here is what I miswrote above) PIE should
not be added if PIC was used.

Moreover PIC is more suitable for libraries, so it should be the right
choice here.

Hope that helps, and sorry for my typo in the first mail.

--
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/


Thorsten Glaser-6
On Mon, 9 Mar 2020, Lisandro Damián Nicanor Pérez Meyer wrote:

> PIE implies PIE so (and here is what I miswrote above) PIE should
> not be added if PIC was used.

PIC implies PIE ;)

> Moreover PIC is more suitable for libraries, so it should be the right
> choice here.

The problem is that applications linked against Qt also need PIC,
not PIE. The pkg-config stuff gets this right, but the continued
insisting that -specs= stuff should be used to enable PIE on some
architectures due to disagreements between dpkg and gcc maintainers
causes PIE, if enabled in hardening, to be added too late on the
compiler command line (and not ignored if PIC was already given).

bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg


Lisandro Damián Nicanor Pérez Meyer-2
On Mon, 9 Mar 2020 at 13:48, Thorsten Glaser <[hidden email]> wrote:
> On Mon, 9 Mar 2020, Lisandro Damián Nicanor Pérez Meyer wrote:
> > PIE implies PIE so (and here is what I miswrote above) PIE should
> > not be added if PIC was used.
>
> PIC implies PIE ;)

Ha! My IRC alternate nickname should be TypoMan.

> > Moreover PIC is more suitable for libraries, so it should be the right
> > choice here.
>
> The problem is that applications linked against Qt also need PIC,
> not PIE. The pkg-config stuff gets this right, but the continued
> insisting that -specs= stuff should be used to enable PIE on some
> architectures due to disagreements between dpkg and gcc maintainers
> causes PIE, if enabled in hardening, to be added too late on the
> compiler command line (and not ignored if PIC was already given).

Exactly, and in these cases one should filter out PIE.

--
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
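
A check for the flag-ordering problem discussed in this thread, as an added example that is not part of any of the messages: it asks the compiler which macros it predefines for a given flag list, so a build can verify that PIC, not PIE, is in effect before compiling code against Qt. The function names `pic_state` and `require_pic` are hypothetical, and a GCC-compatible driver that accepts `-dM -E` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Classify what a compile line really
# resolves to by asking the compiler which macros it predefines.
# Usage: pic_state CC [FLAGS...]   -> prints "pie", "pic" or "none"
pic_state() {
    cc=$1; shift
    # -dM -E -x c /dev/null dumps the predefined macros for these flags.
    macros=$("$cc" "$@" -dM -E -x c /dev/null 2>/dev/null) || {
        echo error
        return 2
    }
    if printf '%s\n' "$macros" | grep -q '^#define __PIE__ '; then
        echo pie    # PIE won; __PIC__ is defined as well in this mode
    elif printf '%s\n' "$macros" | grep -q '^#define __PIC__ '; then
        echo pic    # plain PIC, what the bug title says Qt needs
    else
        echo none
    fi
}

# Succeeds only when the flags resolve to plain PIC.
# Usage: require_pic CC [FLAGS...]
require_pic() {
    state=$(pic_state "$@") || return 2
    [ "$state" = pic ] && return 0
    echo "flags resolve to '$state', expected pic: $*" >&2
    return 1
}

# Demo with the system compiler, if present: same flags, different order.
# Run as: sh thisfile demo
if [ "${1:-}" = demo ] && command -v cc >/dev/null 2>&1; then
    for flags in "-fPIC" "-fPIC -fPIE" "-fPIE -fPIC"; do
        # $flags is split on purpose into separate arguments
        printf '%-12s -> %s\n' "$flags" "$(pic_state cc $flags)"
    done
fi
```

In a package build the flags to test would be the ones the build really uses, for example the output of `dpkg-buildflags --get CFLAGS` followed by the flags the Qt pkg-config files add.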