[Pkg-nginx-maintainers] Bug#856530: fPIE not enabled for Jessie Backports
Thomas Ward
teward at ubuntu.com
Thu Mar 2 03:34:16 UTC 2017
Source: nginx
Severity: wishlist
Version: 1.10.3-1~bpo8+1
As part of a discussion with the NGINX maintainers on IRC chat in the
#debian-nginx channel on OFTC, we established fPIE/fPIC is enabled
proper in Debian Unstable and Debian Experimental. We also established
there were build issues when trying to get the packages to build for
Jessie backports. Coincidentally, the same fix that I introduced
downstream in Ubuntu back in 2014, and again as part of merging from
Debian to Ubuntu for the Ubuntu 17.04 cycle with a few changes, seem to
address the build issues for Jessie Backports, and the changes to the
packaging to fix the build problems observed by me are now part of the
packaging in Experimental as well [1], in an effort to reduce the merge
delta in the future. These changes were necessary downstream to get
fPIE part of hardening flags enabled and working with the binaries and
libraries.
All this said, backporting of the packaging from Stretch to Jessie
introduced a build failure [2] when trying to use PIE hardening flags.
Upon further investigation of the core issue myself, it seems to be an
issue similar to the toolchain problems I've observed downstream in
Ubuntu. Inclusion of the original diff which was put into Experimental
[1] will fix the build issues and produce usable binaries and builds, as
seen in build logs from a second build run for backports which included
these changes to the flags [3].
As the backport to Jessie Backports is disabling fPIE, I'd like to
request that the original diff submitted to Experimental my Michael
Lustfield to address this issue from a downstream perspective be
introduced at least for Jessie Backports, in order to resolve the build
failures that have been observed with a 'pure from stretch' packaging set.
(NOTE: *.dark-net.io is owned by me, I needed a place to dump my build
logs and data, so I thought I'd leverage my datanet.dark-net.io space on
my servers to hold the data)
------
Thomas
[1]:
https://anonscm.debian.org/cgit/pkg-nginx/nginx.git/commit/?id=f4307ddb1478c4ed9717c7a954f7192541d1cf95
[2]:
https://datanet.dark-net.io/nginx-debian/stretch-pure_jessie/nginx_1.10.3-1~bpo8%2B0%2Btest0_amd64-20170228-1520.build
[3]:
https://datanet.dark-net.io/nginx-debian/jessie-backports_teward/nginx_1.10.3-1~bpo8%2B1%2Btest0_amd64-20170228-1520.build
More information about the Pkg-nginx-maintainers
mailing list