Hi Steve,

2016-10-25 5:31 GMT+02:00 Steve M. Robbins <st...@sumost.ca>:
> Hi,
>
> I haven't been paying close attention to the "PIE by default" [1] discussions,
> so I may have missed the memo, but: it seems the transition is underway?

GCC has been changed to enable PIE by default but dpkg has not been changed yet.

>
> I've seen two bugs already claiming "static library foo must be compiled with
> -fPIC" -- because some reverse dependency now fails to build. But I think
> this advice is misplaced. The Ubuntu page [2] says that all you need to do is
> rebuild the library foo with the PIE-enabled compiler, then rebuild the
> depending code:
>
>   Relocation Linking Failure
>
>   A dynamically linked program that pulls in a static library that was not
>   built with -fPIC. These give an error like:
>
>   relocation R_X86_64_32 against '[SYMBOL]' can not be used when making a
>   shared object; recompile with -fPIC
>
>   To address these types of issues, the package providing the static object
>   needs to be rebuilt (usually just a no-change rebuild against the
>   pie-by-default compiler) before rebuilding the failed package.
>
>
> So it seems to me that this should be emphasized on the wiki [1]. Secondly,

I filed the original bugs with the following template, which contains
"Please", not "must":

"Please build <static lib name>.a with -fPIC"

It seems it was a mistake not emphasizing that a rebuild can also solve most
of the FTBFS bugs, and I have now updated the wiki, too.

> it seems that the proposal to change policy to encourage -fPIC on static
> libraries [3] is misplaced and should be withdrawn. Are both these
> statements accurate?

I have updated the wiki, making it clear that the Policy may not be changed.

Thanks,
Balint

>
> Thanks,
> -Steve
>
> [1] https://wiki.debian.org/Hardening/PIEByDefaultTransition
> [2] https://wiki.ubuntu.com/SecurityTeam/PIE
> [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478
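
Added example (not part of this thread, and not Debian's or Ubuntu's tooling): one way to see which members of a static archive would trigger the relocation error quoted above, so a maintainer can tell whether a library still needs a rebuild. It goes slightly beyond the quoted text by also flagging R_X86_64_32S and by skipping debug sections; the function names, the archive name libfoo.a and the readelf sample are constructed.

```sh
#!/bin/sh
# Added example; names and sample data are constructed, not from the thread.
# Reads `readelf -rW libfoo.a` output on stdin and prints each archive member
# that carries an absolute 32-bit relocation outside the debug sections.
nonpic_members() {
    awk '
        BEGIN { member = "(single object)" }
        # readelf prints "File: archive(member.o)" before each archive member
        /^File: / { member = $2; next }
        # The section name sits between single quotes (octal 047)
        /^Relocation section / {
            split($0, q, "\047")
            # DWARF sections use R_X86_64_32 even in PIC/PIE objects
            skip = (q[2] ~ /^\.rela?\.debug/)
            next
        }
        !skip && ($3 == "R_X86_64_32" || $3 == "R_X86_64_32S") {
            if (!(member in seen)) { seen[member] = 1; print member }
        }
    '
}

# Constructed readelf output: one non-PIC member, one PIE-compatible member.
constructed_readelf_output() {
    cat <<'EOF'
File: libfoo.a(legacy.o)

Relocation section '.rela.text' at offset 0x1f8 contains 2 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000005  000000050000000a R_X86_64_32            0000000000000000 .rodata + 0
000000000000000a  0000000b00000004 R_X86_64_PLT32         0000000000000000 puts - 4

File: libfoo.a(pic.o)

Relocation section '.rela.text' at offset 0x210 contains 2 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000007  0000000500000002 R_X86_64_PC32          0000000000000000 .rodata - 4
000000000000000c  0000000b00000004 R_X86_64_PLT32         0000000000000000 puts - 4

Relocation section '.rela.debug_info' at offset 0x400 contains 1 entry:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000006  000000070000000a R_X86_64_32            0000000000000000 .debug_abbrev + 0
EOF
}

constructed_readelf_output | nonpic_members
```

On a real archive the input would come from `readelf -rW libfoo.a | nonpic_members`; an empty result after a no-change rebuild with the PIE-default compiler means the depending package can be rebuilt.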