Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE

Thorsten Glaser-6
# same issue
forcemerge 879014 870383
retitle 879014 gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE
# it still persists
found 879014 1.13.1-6
thanks

Hi,

> points out the problem: Qt wants to be compiled with -fPIC and sets up
> the CFLAGS appropriately, yet hardening comes into the way as it adds
> the PIE *after* the PIC.
>
> Cc’ing qtbase5-dev and dpkg maintainers.

can this please be fixed? Thanks!

> edit debian/rules to get it to compile:
> -export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> +export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
>
> ① I didn’t test whether that was enough with up-to-date dpkg.

This appears to have been enough. So, as a quick workaround,
adding this on affected architectures allows it to build.

bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

**********

Mit der tarent Academy bieten wir auch Trainings und Schulungen in den
Bereichen Softwareentwicklung, Agiles Arbeiten und Zukunftstechnologien an.

Besuchen Sie uns auf www.tarent.de/academy. Wir freuen uns auf Ihren Kontakt.

**********

Reply | Threaded
Open this post in threaded view
|

Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE

Lisandro Damián Nicanor Pérez Meyer-2
Hi!

El lun., 9 mar. 2020 07:44, Thorsten Glaser <[hidden email]> escribió:
# same issue
forcemerge 879014 870383
retitle 879014 gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE
# it still persists
found 879014 1.13.1-6
thanks

Hi,

> points out the problem: Qt wants to be compiled with -fPIC and sets up
> the CFLAGS appropriately, yet hardening comes into the way as it adds
> the PIE *after* the PIC.

PIC implies PIE, so adding it after PIE is an error. Yes, this is a special case but not up to Qt to solve it.
Reply | Threaded
Open this post in threaded view
|

Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE

Lisandro Damián Nicanor Pérez Meyer-2
Hi again!

On Mon, 9 Mar 2020 at 12:43, Lisandro Damián Nicanor Pérez Meyer
<[hidden email]> wrote:

>
> Hi!
>
> El lun., 9 mar. 2020 07:44, Thorsten Glaser <[hidden email]> escribió:
>>
>> # same issue
>> forcemerge 879014 870383
>> retitle 879014 gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE
>> # it still persists
>> found 879014 1.13.1-6
>> thanks
>>
>> Hi,
>>
>> > points out the problem: Qt wants to be compiled with -fPIC and sets up
>> > the CFLAGS appropriately, yet hardening comes into the way as it adds
>> > the PIE *after* the PIC.
>
>
> PIC implies PIE, so adding it after PIE is an error. Yes, this is a special case but not up to Qt to solve it.

That was a fast reply from phone, and I seemed to write it wrongly. In
this case Qt uses PIC, which is the right thing to do for libraries
(and Qt needs it that way).
PIE implies PIE so (and here is what I miss wrote above) PIE should
not be added if PIC was used.

Moreover PIC is more suitable for libraries, so it should be the right
choice here.

Hope that helps, and sorry for my typo in the first mail.

--
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/

Reply | Threaded
Open this post in threaded view
|

Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE

Thorsten Glaser-6
On Mon, 9 Mar 2020, Lisandro Damián Nicanor Pérez Meyer wrote:

> PIE implies PIE so (and here is what I miss wrote above) PIE should
> not be added if PIC was used.

PIC implies PIE ;)

> Moreover PIC is more suitable for libraries, so it should be the right
> choice here.

The problem is that applications linked against Qt also need PIC,
not PIE. The pkg-config stuff gets this right, but the continued
insisting that -specs= stuff should be used to enable PIE on some
architectures due to disagreements between dpkg and gcc maintainers
causes PIE, if enabled in hardening, to be added too late on the
compiler command line (and not ignored if PIC was already given).

bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

**********

Mit der tarent Academy bieten wir auch Trainings und Schulungen in den
Bereichen Softwareentwicklung, Agiles Arbeiten und Zukunftstechnologien an.

Besuchen Sie uns auf www.tarent.de/academy. Wir freuen uns auf Ihren Kontakt.

**********

Reply | Threaded
Open this post in threaded view
|

Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE

Lisandro Damián Nicanor Pérez Meyer-2
On Mon, 9 Mar 2020 at 13:48, Thorsten Glaser <[hidden email]> wrote:
> On Mon, 9 Mar 2020, Lisandro Damián Nicanor Pérez Meyer wrote:
> > PIE implies PIE so (and here is what I miss wrote above) PIE should
> > not be added if PIC was used.
>
> PIC implies PIE ;)

Ha! My IRC alternate nickname should be TypoMan.

> > Moreover PIC is more suitable for libraries, so it should be the right
> > choice here.
>
> The problem is that applications linked against Qt also need PIC,
> not PIE. The pkg-config stuff gets this right, but the continued
> insisting that -specs= stuff should be used to enable PIE on some
> architectures due to disagreements between dpkg and gcc maintainers
> causes PIE, if enabled in hardening, to be added too late on the
> compiler command line (and not ignored if PIC was already given).

Exactly, and in this cases one should filter out PIE.

--
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/

Reply | Threaded
Open this post in threaded view
|

Re: Bug#879014: gpgme1.0: FTBFS on some arches: Qt needs a compile with -fPIC (PIE is not enough), hardening downgrades to PIE

Guillem Jover
In reply to this post by Thorsten Glaser-6
Control: unmerge 870383
Control: reassign 870383 libdpkg-perl
Control: retitle 870383 libdpkg-perl: PIE specs files override previous entries
Control: reassign 879014 src:qtbase-opensource-src
Control: severity 879014 minor
Control: affects 870383 src:gpgme1.0
Control: affects 879014 src:gpgme1.0

Hi!

I've split (to reuse both instead of cloning a new one) and reassigned
the bugs where it seems they belong. See below for context.

On Wed, 2020-07-01 at 17:20:40 -0400, Daniel Kahn Gillmor wrote:

> Control: affects 879014 + dpkg src:qtbase-opensource-src
> Control: tags 879014 + patch
>
> Hi folks--
>
> Further conversation about problems compiling and linking against Qt and
> GPGME in debian suggest that the problem might be related to dpkg's
> default spec files, and confused by Qt's compiler warnings.
>
> I'm attaching a patch to dpkg which (i think) reflects the fix proposed
> by Guillem Jover (in cc):

Yes this is what I had locally, thanks for testing! I'm including a
fix in the next upload.

> From 8d01f1419c62e24b662abc2e1ec708a7c63fbbfe Mon Sep 17 00:00:00 2001
> From: Daniel Kahn Gillmor <[hidden email]>
> Date: Wed, 1 Jul 2020 17:00:02 -0400
> Subject: [PATCH] Use +self_spec: instead of *self_spec:
>
> After discussion with NIIBE Yutaka on https://dev.gnupg.org/T4982 and
> Guillem Jover on IRC, I think this is the correct fix for problems
> when compiling Qt/GPGME code in debian systems.
>
> I don't fully understand the implications of this change, but i
> believe it is related to #870383 and #879014 (in the debian BTS) as
> well.
> ---
>  data/no-pie-compile.specs | 2 +-
>  data/no-pie-link.specs    | 2 +-
>  data/pie-compile.specs    | 2 +-
>  data/pie-link.specs       | 2 +-
>  4 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/data/no-pie-compile.specs b/data/no-pie-compile.specs
> index 2277b97ef..70cb36095 100644
> --- a/data/no-pie-compile.specs
> +++ b/data/no-pie-compile.specs
> @@ -1,2 +1,2 @@
> -*self_spec:
> ++self_spec:
>  + %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fno-PIE}}}}}}
> diff --git a/data/no-pie-link.specs b/data/no-pie-link.specs
> index 54db649b1..fa4162793 100644
> --- a/data/no-pie-link.specs
> +++ b/data/no-pie-link.specs
> @@ -1,2 +1,2 @@
> -*self_spec:
> ++self_spec:
>  + %{!shared:%{!r:%{!fPIE:%{!pie:-fno-PIE -no-pie}}}}
> diff --git a/data/pie-compile.specs b/data/pie-compile.specs
> index 74d82155c..c1ee08c71 100644
> --- a/data/pie-compile.specs
> +++ b/data/pie-compile.specs
> @@ -1,2 +1,2 @@
> -*self_spec:
> ++self_spec:
>  + %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:%{!fno-PIE:%{!no-pie:-fPIE}}}}}}}}
> diff --git a/data/pie-link.specs b/data/pie-link.specs
> index 94c122fd3..9b401e34a 100644
> --- a/data/pie-link.specs
> +++ b/data/pie-link.specs
> @@ -1,2 +1,2 @@
> -*self_spec:
> ++self_spec:
>  + %{!static:%{!shared:%{!r:%{!fno-PIE:%{!no-pie:-fPIE -pie}}}}}
> --
> 2.27.0
>

I'm leaving this for the src:qtbase-opensource-src maintainers to
decide whether to pick up or not.

> gniibe also identified a problem in how Qt reports compilation warnings
> related to the PIE/PIC mismatch.  I've tried to address that in the
> following patch to qtbase-opensource-src:

> From 107f387ea625a67ef03b916ef965761f36de2bf4 Mon Sep 17 00:00:00 2001
> From: Daniel Kahn Gillmor <[hidden email]>
> Date: Wed, 1 Jul 2020 17:15:12 -0400
> Subject: [PATCH] Clarify warning message about PIC/PIE
>
> As noted in discussion at https://dev.gnupg.org/T4982#135524, the
> warning message produced when there is a mismatch between
> position-independence of the Qt library and other compilations, the
> warning produced by Qt is confusing.
>
> This is an attempt to express a warning that is more closely aligned
> with the actual test used.
> ---
>  src/corelib/global/qglobal.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/corelib/global/qglobal.h b/src/corelib/global/qglobal.h
> index fe8e8e8..971ee56 100644
> --- a/src/corelib/global/qglobal.h
> +++ b/src/corelib/global/qglobal.h
> @@ -1280,7 +1280,7 @@ Q_CORE_EXPORT int qrand();
>  #if !defined(QT_BOOTSTRAPPED) && defined(QT_REDUCE_RELOCATIONS) && defined(__ELF__) && \
>      (!defined(__PIC__) || (defined(__PIE__) && defined(Q_CC_GNU) && Q_CC_GNU >= 500))
>  #  error "You must build your code with position independent code if Qt was built with -reduce-relocations. "\
> -         "Compile your code with -fPIC (-fPIE is not enough)."
> +         "Compile your code with -fPIC (and not with -fPIE unless you have a very old version of GCC)."
>  #endif
>  
>  namespace QtPrivate {
> --
> 2.27.0
>

>
> If either of these two fixes are not appropriate to help resolve the
> problem, i'd appreciate help in figuring out what the right fixes are.
>
> I am not an expert in either Qt or dpkg, so pointers and explanations
> are welcome.

Thanks,
Guillem