Bug#624460: libextutils-cbuilder-perl: shouldn't override $Config{ccflags} with $ENV{CFLAGS}
Niko Tyni
ntyni at debian.org
Thu Apr 28 16:03:04 UTC 2011
Package: libextutils-cbuilder-perl
Version: 0.280202-1
Severity: serious
Justification: potential for hidden binary incompatibility
Forwarded: http://rt.perl.org/rt3//Public/Bug/Display.html?id=89478
Tags: patch
x-debbugs-cc: perl at packages.debian.org

Since ExtUtils::CBuilder 0.27_04, CFLAGS and LDFLAGS from the environment
have overridden the Config.pm ccflags and ldflags settings. This can
cause binary incompatibilities between the core Perl and extensions
built with EU::CBuilder.

The issue seems to have been introduced with
https://github.com/dagolden/extutils-cbuilder/commit/e653d24a

This is particularly nasty on Debian, because dpkg-buildpackage sets
CFLAGS to "-g -O2" by default.

Comparing for example these build logs:

https://buildd.debian.org/status/fetch.php?pkg=libparams-validate-perl&arch=amd64&ver=0.93-1&stamp=1259695361
https://buildd.debian.org/status/fetch.php?pkg=libparams-validate-perl&arch=amd64&ver=0.97-1&stamp=1303329531

we see the old correct behaviour:

cc -Ic -I/usr/lib/perl/5.10/CORE -DXS_VERSION="0.93" -DVERSION="0.93" -fPIC -c -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g -o lib/Params/Validate.o lib/Params/Validate.c

and the new incorrect one:

cc -Ic -I/usr/lib/perl/5.10/CORE -DXS_VERSION="0.97" -DVERSION="0.97" -fPIC -c -g -O2 -O2 -g -o lib/Params/Validate.o lib/Params/Validate.c

Omitting the Config.pm flags ($Config{ccflags}) can cause hidden
binary incompatibilities between the Perl core and extensions built with
EU::CBuilder. I'm not aware of any reports of this in current sid, but
the problem was originally spotted while testing Perl 5.14.0-RC1 on i386,
where omitting -D_FILE_OFFSET_BITS=64 made some extensions fail to load.

See the threads at

http://lists.alioth.debian.org/pipermail/perl-maintainers/2011-April/001883.html
http://www.nntp.perl.org/group/perl.perl5.porters/2011/04/msg171535.html

I'm attaching the patch I've sent upstream in [perl #89478], it applies
cleanly with -p3. It may be good to wait a bit for upstream comments,
but I think this is a real problem for Debian even if upstream doesn't
care that much.

To be on the safe side, I think that after this is fixed we should
binNMU all the XS modules built with buggy libextutils-cbuilder-perl
package versions (starting at 2010-12-11 at 0.2801-1, inclusive.) I
haven't looked at how to identify those builds.

--
Niko Tyni ntyni at debian.org
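
One way to flag affected builds from their logs, as an added example that is not part of the original report or of any Debian tooling: it scans a build log for C compile steps and lists the expected ccflags each one lacks. The expected flag list is assumed to be the ccflags portion of the "old correct" command line above, and the function names and compiler set are hypothetical.

```python
import os
import shlex

# Assumption: the ccflags portion of the "old correct" command line quoted in
# the report. On a real system, read it from `perl -V:ccflags` instead.
EXPECTED_CCFLAGS = (
    "-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe "
    "-fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE "
    "-D_FILE_OFFSET_BITS=64"
)
COMPILERS = {"cc", "gcc"}  # hypothetical set of compiler names to match

def tokenize(line):
    """Split a log line like a shell would; fall back on unbalanced quotes."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()

def missing_ccflags(tokens, expected=EXPECTED_CCFLAGS):
    """Return expected flags absent from one tokenized compiler invocation."""
    present = set(tokens)
    return [flag for flag in shlex.split(expected) if flag not in present]

def scan_log(text, expected=EXPECTED_CCFLAGS):
    """Return (line number, source, missing flags) per deficient compile step."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        tokens = tokenize(line)
        if not tokens or os.path.basename(tokens[0]) not in COMPILERS:
            continue
        sources = [t for t in tokens if t.endswith(".c")]
        if "-c" not in tokens or not sources:
            continue  # link step or other command, not a C compile
        missing = missing_ccflags(tokens, expected)
        if missing:
            findings.append((number, sources[0], missing))
    return findings

# The two command lines quoted in the report, after one constructed log line.
SAMPLE_LOG = """\
Building Params-Validate
cc -Ic -I/usr/lib/perl/5.10/CORE -DXS_VERSION="0.93" -DVERSION="0.93" -fPIC -c -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g -o lib/Params/Validate.o lib/Params/Validate.c
cc -Ic -I/usr/lib/perl/5.10/CORE -DXS_VERSION="0.97" -DVERSION="0.97" -fPIC -c -g -O2 -O2 -g -o lib/Params/Validate.o lib/Params/Validate.c
"""

if __name__ == "__main__":
    for number, source, missing in scan_log(SAMPLE_LOG):
        print(f"line {number}: {source} built without {' '.join(missing)}")
```

Besides -D_FILE_OFFSET_BITS=64, the flagged 0.97 line also lacks -fstack-protector, which is present in the 0.93 line.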