[pkg-gnupg-maint] Bug#846889: Bug#846889: gnupg2: FTBFS on hppa - Please don't link static version with -pie on hppa

John David Anglin dave.anglin at bell.net
Mon Dec 5 17:38:52 UTC 2016


On 2016-12-05 12:27 PM, Daniel Kahn Gillmor wrote:
> Hi Dave--
>
> thanks for this report!
>
> On Sat 2016-12-03 18:12:41 -0500, John David Anglin wrote:
>> make[2]: Entering directory '/<<PKGBUILDDIR>>/build-gpgv-static/g10'
>> gcc     -Wall -Wno-pointer-sign -Wpointer-arith  -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -Wformat -Werror=format-security  -pie -static -o gpgv gpgv.o build-packet.o compress.o  free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o rmd160.o openfile.o keyid.o parse-packet.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o ecdh.o verify.o ../kbx/libkeybox.a ../common/libcommon.a ../common/libgpgrl.a -lz    -lgcrypt -L/usr/lib/hppa-linux-gnu -lgpg-error
>> /usr/bin/ld: /usr/lib/gcc/hppa-linux-gnu/6/crtbeginT.o: relocation R_PARISC_DPREL21L can not be used when making a shared object; recompile with -fPIC
>> /usr/lib/gcc/hppa-linux-gnu/6/crtbeginT.o: error adding symbols: Bad value
>> collect2: error: ld returned 1 exit status
>> Makefile:788: recipe for target 'gpgv' failed
>>
>> Full log is here:
>> https://buildd.debian.org/status/fetch.php?pkg=gnupg2&arch=hppa&ver=2.1.16-2&stamp=1479760527
>>
>> The build will complete successfully if "-pie" is removed from the following
>> line in debian/rules:
>>          cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS -pie -static" gpgv
>>
>> PIE support is not well tested on hppa.  Further, gcc on hppa is not built
>> with --enable-pie-default.  So, archive libraries and executable code are
>> not built by default with -fPIE.  So, in general, linking with -pie and -static
>> isn't going to work.
> that's a bummer, since it means that ASLR isn't going to work for hppa,
> which leaves hppa users more vulnerable to certain kinds of attack.
Understood.
>
> I plan on resolving this in the next upload with a change like the following:
>
> --- a/debian/rules
> +++ b/debian/rules
> @@ -14,6 +14,12 @@ include /usr/share/dpkg/architecture.mk
>   
>   export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>   
> +ifeq ($(DEB_HOST_ARCH),hppa)
> +	GPGV_STATIC_HARDENING = ""
> +else
> +	GPGV_STATIC_HARDENING = "-pie"
> +endif
> +
>   %:
>   	dh $@ --with=autoreconf --builddirectory=build
>   
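Review bot: the new ifeq block carries no comment saying why hppa is exempted from -pie, so the exception is likely to outlive its cause. A one-line comment above `ifeq ($(DEB_HOST_ARCH),hppa)` naming Bug#846889 and the crtbeginT.o link failure with `-pie -static` would tell a later maintainer when it can be removed and make clear that this architecture's gpgv-static is deliberately built without PIE.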
> @@ -36,7 +42,7 @@ override_dh_auto_build-arch:
>   	dh_auto_build --builddirectory=build
>   	cp -a build-gpgv-udeb build-gpgv-static
>   	rm -f build-gpgv-static/g10/gpgv
> -	cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS -pie -static" gpgv
> +	cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv
>   	mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static
>   
>   override_dh_auto_build-indep:
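Review bot: in the changed `$(MAKE) LDFLAGS=...` line, `$(GPGV_STATIC_HARDENING)` is expanded inside a shell double-quoted string, but the values assigned in the ifeq block include literal double quotes, which make keeps as part of the value. The shell therefore sees `"$LDFLAGS "-pie" -static"` (or `"$LDFLAGS "" -static"` on hppa), a string that is closed and reopened around the flag; it still concatenates into one word, so the build works, but only incidentally. Assigning the values unquoted (`GPGV_STATIC_HARDENING = -pie` and an empty assignment for hppa) makes the expanded command read as intended.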
>
>
> Please let me know if you think this could be improved.
The patch looks good.

Thanks,

Dave

-- 
John David Anglin  dave.anglin at bell.net


