Hi Stéphane,

Thank you for your prompt reply.

2016-09-13 10:53 GMT+02:00 Stéphane Glondu <[email protected]>:
> On 10/09/2016 23:27, Balint Reczey wrote:
>>
>> During a rebuild of all packages in sid, many ocaml packages
>> failed to build on amd64 with patched GCC and dpkg. The root cause
>> seems to be that libasmrun.a is shipped as a non-PIC library.
>
> There is already a version of libasmrun.a compiled with -fPIC:
> libasmrun_pic.a. But to use it, a specific option (-runtime-variant _pic)
> must be used. This is done in sks, for example.

I believe it would be more reasonable to fix that issue in ocaml than
to change all affected packages, and I also think using -fPIC for static
libs is the better option archive-wide (which I detail below).

>> The rebuild tested if packages are ready for a transition
>> enabling PIE and bindnow for amd64.
>> [...]
>> The attached patch fixed the problem.
>
> Your patch injects -fPIC in all calls to gcc. Is that what we want from now

I believe that would be the best solution.

> on? Why isn't that done inside gcc itself, then?

At Debian we tend to set flags in dpkg rather than in GCC (unlike Ubuntu).

> I read on https://lintian.debian.org/tags/hardening-no-pie.html that -fPIC
> is not compatible with -fPIE. Then, I don't understand why you talk about
> adding -fPIC in this bugreport which is about enabling PIE.

The explanation there is correct but a little terse. The incompatibility
here means that you can't link a PIE static library to a shared library
(compiled with PIC).

There is an ongoing discussion about PIC/PIE on debian-devel:
https://lists.debian.org/debian-devel/2016/05/msg00306.html
https://lists.debian.org/debian-devel/2016/09/msg00217.html
and a request to change the policy:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478

I think the outcome will be at least encouraging PIC for static
libraries, too, and this proposed patch is a simple way of enabling PIC
in ocaml.

