Re: gpgme 1.7.0~ alpha or beta to debian experimental?

[Lisandro Damián Nicanor Pérez Meyer]

On viernes, 7 de octubre de 2016 4:56:03 P. M. ART Daniel Kahn Gillmor wrote:
[snip] 
> > And also: yes, -fPIE needs overriding if using hardening flags.
> 
> can you explain that in more detail?  what specifically should be
> overridden and where?

Sure. Hardening adds -fPIE to CFLAGS/CXXFLAGS, so you either need to remove it 
from there with

  CXXFLAGS -= -fPIE # Untested, but should work

or simply not enabling all hardening features:



Just use -pie there.

I wonder what +all,-pie would do there.

-- 
porque no respeta el orden natural en el que se leen las cosas
>¿por qué top-posting es tan molesto?
>>top-posting
>>>¿cuál es la peor molestia en los emails de respuesta?

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/


signature.asc
Description: This is a digitally signed message part.
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

[Sandro Knauß]

Hey,

> >> -PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
> >> and is needed to get the code working with Qt 5.4.2+.
> > 
> > And also: yes, -fPIE needs overriding if using hardening flags.
> 
> can you explain that in more detail?  what specifically should be
> overridden and where?

Yes, this is exactly also my questions, because I'm puzzeld with all these 
buildflags...

regards,

sandro

-- 
Ich habe meinen Schlüssel gewechselt / I've switched my GnuPG key:
http://sandroknauss.de/files/transition2015.asc

Mein (neuer) öffentlicher Schlüssel / My (new) public key: E68031D299A6527C 
Fingerabdruck / Fingerprint:
D256 4951 1272 8840 BB5E  99F2 E680 31D2 99A6 527C 
Runterladen z.B. bei/ Get it e.g. here:
pool.sks-keyservers.net, ...

signature.asc
Description: This is a digitally signed message part.
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

[Daniel Kahn Gillmor]

On Fri 2016-10-07 16:33:20 -0400, Lisandro Damián Nicanor Pérez Meyer wrote:
> On viernes, 7 de octubre de 2016 6:35:00 P. M. ART Dmitry Shachnev wrote:
>> On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
>> > I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
>> > years and i confess i've never completely understood the differences or
>> > whether one is "stronger" than another.
>> > 
>> > gcc says of -fPIE and -fpic "generated position independent code can be
>> > only linked into executables." which makes it seem odd that these
>> > parameters would be passed through to building libraries in the first
>> > place.
>> 
>> -PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
>> and is needed to get the code working with Qt 5.4.2+.
>
> And also: yes, -fPIE needs overriding if using hardening flags.

can you explain that in more detail?  what specifically should be
overridden and where?

thanks,

   --dkg

-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: [d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

[Sandro Knauß]

Hey,

> I'm not entirely sure what to do about the name of the library during
> this handoff -- it might drop the "kf5" prefix.  If we don't drop the
> "kf5" prefix, i suppose we'll need an epoch number in the package
> version to make sure that upgrades happen.  It's also possible that
> we'll need to do a similar thing with qgpgme, i guess.

the libs gpgme installs are without the kf5 prefix, so we have should also name 
the package like the libs without kf5 prefix. So we don't end up in having the 
same package names, what makes the life easier for the transition :)

I'll hope I will finish the build of c++/qt bindings the next days and will 
publish them at a private clone of the debian repo, so dkg can check my 
changes before pulling them in. Just to make sure, I don't break your workflow.

Regards,

sandro

signature.asc
Description: This is a digitally signed message part.
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

[Lisandro Damián Nicanor Pérez Meyer]

On viernes, 7 de octubre de 2016 6:35:00 P. M. ART Dmitry Shachnev wrote:
> On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
> > I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
> > years and i confess i've never completely understood the differences or
> > whether one is "stronger" than another.
> > 
> > gcc says of -fPIE and -fpic "generated position independent code can be
> > only linked into executables." which makes it seem odd that these
> > parameters would be passed through to building libraries in the first
> > place.
> 
> -PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
> and is needed to get the code working with Qt 5.4.2+.

And also: yes, -fPIE needs overriding if using hardening flags.

-- 
Sobre Argentina: "sé que es uno de los países mas hospitalarios del mundo"
 Albert Einstein

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/


signature.asc
Description: This is a digitally signed message part.
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: [d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

[Daniel Kahn Gillmor]

¡Hola Maximiliano!

On Fri 2016-10-07 09:45:25 -0400, Maximiliano Curia wrote:
> Yes, sorry for not replying sooner. We are not planning to upload a new 
> version of gpgmepp (we are currently skipping 16.08 and upstream is 
> apparently 
> dropping gpgmepp for 16.12).

ok, cool.  so then taking it over with the gpgme1.0 source package
should be OK.

I'm not entirely sure what to do about the name of the library during
this handoff -- it might drop the "kf5" prefix.  If we don't drop the
"kf5" prefix, i suppose we'll need an epoch number in the package
version to make sure that upgrades happen.  It's also possible that
we'll need to do a similar thing with qgpgme, i guess.

thanks for the reply,

  --dkg


signature.asc
Description: PGP signature
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

[Dmitry Shachnev]

On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
> I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
> years and i confess i've never completely understood the differences or
> whether one is "stronger" than another.
>
> gcc says of -fPIE and -fpic "generated position independent code can be
> only linked into executables." which makes it seem odd that these
> parameters would be passed through to building libraries in the first
> place.

-PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
and is needed to get the code working with Qt 5.4.2+.

--
Dmitry Shachnev


signature.asc
Description: PGP signature
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

[Maximiliano Curia]

(resending on list)

Qt and KDE libs are built with -fPIC, which, afaik, is stronger and 
incompatible with -fPIE, would it be an option to use -fPIC for gpgme?

On October 7, 2016 3:48:39 AM GMT+02:00, Daniel Kahn Gillmor 
 wrote:
> On Thu 2016-10-06 19:51:57 -0400, Sandro Knauß wrote:
>
>> I now started to build cpp and qt bindings for gpgme but ran into a 
>> issue with the hardening flags. The problem is the -fPIE. With this 
>> enabled configure stops with:
>
> fwiw, I'm seeing a similar issue with hardening flags and the python 
> bindings -- they're getting in the way of building with swig.
>
> If you're up for the gpgme1.0 source pakage taking over the cpp and qt 
> binary packages, i'd be willing to consider dropping the hardening 
> flags 
> for now just to make sure they can be built properly from the same 
> source.
>
> If the QT/KDE folks have a proposal for how to fix it later, i'd be 
> happy to fix it subsequently as well.
>
> what do you think?
>
> --dkg


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

[Sandro Knauß]

Hey,

I now started to build cpp and qt bindings for gpgme but ran into a issue with 
the hardening flags. The problem is the -fPIE. With this enabled configure 
stops with:
configure:19628: checking whether a simple qt program can be built
configure:19639: g++ -o conftest -g -O2 -fdebug-prefix-map=/<>=. 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security 
-I/usr/include/x86_64-linux-gnu/qt5/QtCore -I/usr/include/x86_6
4-linux-gnu/qt5 -fpic -fPIE -pie -Wl,-z,relro -Wl,-z,now conftest.cpp -lQt5Core 
>&5
In file included from 
/usr/include/x86_64-linux-gnu/qt5/QtCore/qcoreapplication.h:37:0,
 from 
/usr/include/x86_64-linux-gnu/qt5/QtCore/QCoreApplication:1,
 from conftest.cpp:33:
/usr/include/x86_64-linux-gnu/qt5/QtCore/qglobal.h:1087:4: error: #error "You 
must build your code with position independent code if Qt was built with 
-reduce-relocations. " "Compile your code with -fPIC (
-fPIE is not enough)."
 #  error "You must build your code with position independent code if Qt was 
built with -reduce-relocations. "\
^

full log: 
http://sandroknauss.de/files/gpgme1.0_1.7.0-2_amd64_with_hardening.build
with hardening disabled it builds successfully and also via replacing -fPIE 
with -fPIC, but than lintian is unhappy about the missing -fPIE for gpgme-tool.
http://sandroknauss.de/files/gpgme1.0_1.7.0-2_amd64_without_hardening.build

How do I need to change the CPP/C++/CFLAGS, so we get what we want? Or is this 
a bug from Qt side?

Regards,

sandro

Am Donnerstag, 22. September 2016, 17:44:38 CEST schrieb Daniel Kahn Gillmor:
> On Sat 2016-09-10 13:00:26 -0400, Daniel Kahn Gillmor wrote:
> > As i understand it from a talk given by Andre Heinecke (GPGME upstream,
> > cc'ed here) at OpenPGP.conf, GPGME 1.7.0 is likely to take over as
> > upstream from pyme, gpgmepp, and qgpgme.  (it will also add a
> > common-lisp binding, but that's not in debian at all, so i'll ignore it
> > for now).  1.7.0 isn't yet released, but it sounds like the release is
> > due fairly soon.
> 
> 1.7.0 was released a couple days ago, and i just uploaded it to debian
> unstable, along with a fair bit of debian packaging cleanup.
> 
> The source package i uploaded currently only builds the C library.  It
> does not build or attempt to ship the python, common-lisp, c++, or qt
> bindings yet.
> 
> > I don't think it'd be unreasonable for the debian GnuPG packaging team
> > take on these additional binary packages within the gpgme1.0 source
> > package, which would mean that the source packages for python-pyme, and
> > gpgmepp would probably go away, and the kdepimlibs library would stop
> > building libqgpgme1 and libgpgme++2v5.
> 
> I plan to work in experimental for a version that will produce the
> python3 bindings -- binary package python3-pyme in particular.  I'm not
> yet aiming to "hijack" the 2.x bindings with this source package, since
> i haven't heard from Arnaud.
> 
> Arnaud, at some point we should let the gpgme1.0 source package take
> over the python-pyme binary package, though, since i understand that it
> is now python2-compatible upstream.  I haven't heard back from you here,
> but given that the transition has happened upstream, i hope it will be
> OK.  Would you like to help out with this?  I'd be happy to have your
> input and experience on the python bits (and elsewhere if you're
> willing).
> 
> If someone wants to collaborate on doing the same kind of work for qt
> and c++, i'm happy to coordinate via the pkg-gnupg-maint git repo,
> and/or on IRC #debian-gnupg on oftc.
> 
>--dkg



signature.asc
Description: This is a digitally signed message part.
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk