Control: retitle -1 dpkg: openssl1.0 broken on x32 due to PIE -specs Hi!
On Mon, 2016-11-21 at 12:01:21 +0100, Thorsten Glaser wrote: > Source: dpkg > Version: 1.18.15 > Severity: important > I cannot build openssl1.0 any longer. Downgrading all binary > packages from src:dpkg to 1.18.10 makes the build succeed. > > I’m suspecting it tries to compile library code (which must > be PIC) as PIE, or something. I got this advice from the > openssl maintainer: Yes, from the log it seems so. > >I have no idea what those specs things do, and can only suggest > >you try to tell dpkg-buildflags not to do that. Those specs files should make it possible to build stuff with PIE unconditionally as long as they declare correctly what they are intended to be. So if the object is supposed to be PIC (and the compiler is explicitly told so) then the specs will not enable PIE by themselves. > This does not happen on most architectures because it appears > to be a result of dpkg adding weird -specs=* flags only on > some of them. Please make this cross-architecture consistent: > do it on all or none. Precisely to make the behavior consistent on all architectures, dpkg enables PIE (conditionally if no other flags marks it as to be disabled) on all architectures were gcc has not enabled this by default. And it appears to build on every of those too, except for x32, so I suspect something is broken there, either in the toolchain or in the openssl1.0 setup? > Full build log attached. […] > make[3]: Entering directory '/tmp/buildd/openssl1.0-1.0.2j' > [ -z "" ] || gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT > -DDSO_DLFCN -DHAVE_DLFCN_H -mx32 -DL_ENDIAN -g -O2 > -fdebug-prefix-map=/tmp/buildd/openssl1.0-1.0.2j=. > -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat > -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 > -specs=/usr/share/dpkg/pie-link.specs -Wl,-z,relro -Wa,--noexecstack -Wall > -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM > -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM > -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -Iinclude \ > -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso \ > fips_premain.c fipscanister.o \ > libcrypto.a -ldl > make[4]: Entering directory '/tmp/buildd/openssl1.0-1.0.2j' > make[5]: Entering directory '/tmp/buildd/openssl1.0-1.0.2j' > /usr/bin/ld: libcrypto.a(cryptlib.o): relocation R_X86_64_PC32 against symbol > `stderr@@GLIBC_2.16' can not be used when making a shared object; recompile > with -fPIC > /usr/bin/ld: final link failed: Bad value > collect2: error: ld returned 1 exit status > Makefile.shared:169: recipe for target 'link_a.gnu' failed > make[5]: *** [link_a.gnu] Error 1 Checking the buile system it seems that the link_a.gnu target (instead of link_o.gnu) tries to link a static library composed of PIE objects into a shared library, which makes it fail. You might need to track down why that happens only on x32? So, I think I'll reassign this to openssl1.0, if no other feedback is provided showing that this is a problem in dpkg itself, such as PIE not working at all there, and a request to disable it for x32 in dpkg as non-functional. Also BTW the gcc maintainer asked that porters interested could request PIE to be enabled by default in gcc. Thanks, Guillem