On Sat, 13 May 2006 23:04:10 -0700 Donnie Berkholz <[EMAIL PROTECTED]> wrote:
> Kevin F. Quinn (Gentoo) wrote:
>
> Oh, OK, let's argue semantics. It's suggested by a hardened user on a
> bug the hardened team is CC'd on, but the team didn't say anything was
> wrong with the change.
That's because for the moment we don't have a better suggestion; we
can't say "don't do it" in this case until we have a solution. Our
silence doesn't mean we like the solution; it means we haven't got
anything better to suggest for now.
> > With regards to Duncan's (non-hardened) problem, adding:
> >
> > filter-ldflags -Wl,-z,now
> >
> > to x-modular.eclass as he suggests should be fine; his issue is
> > different to that with the hardened compiler in as much as he has
> > added the '-Wl,-z,now' to LDFLAGS as advised by the QA message and
> > the above filter will just remove it again; whereas to deal with
> > the hardened compiler we need to reliably add a flag to all the
> > relevant link commands (the bit that takes the effort is working
> > out which are relevant).
>
> Now I'm confused. Do you want this filter instead of the current
> situation, in addition to, or what? This is exactly why I asked for a
> patch.
This is a completely separate issue, nothing to do with the hardened
team or the hardened compiler. It causes the same problem in the end,
but a completely different way.
The QA checks in portage advise the user to try:
LDFLAGS='-Wl,-z,now' emerge ${PN}
because the X server is "suid, dyn linked and using lazy
bindings". This warning becomes fatal if FEATURES=stricter,
so you may want to RESTRICT it (which doesn't remove the warning, so
you should be able to find it in your build logs for xorg-server).
In summary, for Duncan's issue I suggest adding:
# Xorg server is unaviodably suid with lazy bindings
RESTRICT="stricter"
to the xorg-server ebuild to stop it dying for people with
FEATURES=stricter (the comment helps people who have enabled STRICTER
to see why it's disabled, in case anything else crops up) and also to
add:
filter-ldflags -Wl,-z,now
to the eclass (perhaps in x-modular_src_compile, or in both
x-modular_src_config and x-modular_src_make). If you do it just on the
xorg-server ebuild, and people do what Duncan did and set LDFLAGS in
make.conf, it'll set BIND_NOW on everything which at the very least
will cause the radeon and GL drivers to fail to load.
Obviously I haven't tried it so it would be useful if Duncan could
raise a bug with the exact change he made.
--
Kevin F. Quinn
signature.asc
Description: PGP signature
