Re: PIE and static libraries

2016-09-18 Thread Florian Weimer
* Jiri Jaburek: > On 09/12/16 13:42, Jakub Wilk wrote: >> * Bálint Réczey, 2016-09-12, 13:21: Reading up on the subject so far, I got the impression that most static libraries should be built with PIE, but not necessarily PIC (to allow building

Re: PIE and static libraries

2016-09-12 Thread Jiri Jaburek
On 09/12/16 13:42, Jakub Wilk wrote: > * Bálint Réczey, 2016-09-12, 13:21: >>> Reading up on the subject so far, I got the impression that most >>> static libraries should be built with PIE, but not necessarily PIC >>> (to allow building PIE(xecutable)s, but discourage

Re: PIE and static libraries

2016-09-12 Thread Markus Wanner
On 09/12/2016 01:42 PM, Jakub Wilk wrote: > * Bálint Réczey, 2016-09-12, 13:21: >>> Reading up on the subject so far, I got the impression that most >>> static libraries should be built with PIE, but not necessarily PIC >>> (to allow building PIE(xecutable)s, but

Re: PIE and static libraries

2016-09-12 Thread Jakub Wilk
* Bálint Réczey, 2016-09-12, 13:21: Reading up on the subject so far, I got the impression that most static libraries should be built with PIE, but not necessarily PIC (to allow building PIE(xecutable)s, but discourage creating shared libraries from those static ones.)

Re: PIE and static libraries

2016-09-12 Thread Mattia Rizzolo
On Mon, Sep 12, 2016 at 01:21:55PM +0200, Bálint Réczey wrote: > There is a (still growing:-)) list in here which includes other PIE > related issues: > https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=pie-bindnow-20160906=balint%40balintreczey.hu btw, I saw that in at least one of them I

Re: PIE and static libraries

2016-09-12 Thread Bálint Réczey
Hi Markus, 2016-09-12 8:51 GMT+02:00 Markus Wanner: > On 09/12/2016 01:47 AM, Bálint Réczey wrote: >> I have opened a bug to encourage PIC for static libraries in Policy, too.: >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478 > > Thanks, cool. > > Is there any

Re: PIE and static libraries

2016-09-12 Thread Markus Wanner
On 09/12/2016 01:47 AM, Bálint Réczey wrote: > I have opened a bug to encourage PIC for static libraries in Policy, too.: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478 Thanks, cool. Is there any specific reason for not mentioning -fPIE in that request? That seems like a good

Re: PIE and static libraries

2016-09-11 Thread Bálint Réczey
Hi All, 2016-05-22 11:26 GMT+02:00 Christian Seiler: > On 05/22/2016 10:50 AM, Andrey Rahmatullin wrote: >> On Sun, May 22, 2016 at 10:41:56AM +0200, Christian Seiler wrote: ... > >>> B. From a performance perspective, using non-PIC/PIE code is >>> faster, though not

Re: PIE and static libraries

2016-05-22 Thread Christian Seiler
On 05/22/2016 07:31 PM, Guillem Jover wrote: > I've tried to condense this and the other message on the other thread > to extend the dpkg-buildflags(1) man page. Great, thanks! > Attached the patch I'm intending to apply. Let me know if you have > other suggestions, improvements, wording tweaks,

Re: PIE and static libraries

2016-05-22 Thread Guillem Jover
Hi! On Sun, 2016-05-22 at 10:41:56 +0200, Christian Seiler wrote: [… useful overview …] I've tried to condense this and the other message on the other thread to extend the dpkg-buildflags(1) man page. Attached the patch I'm intending to apply. Let me know if you have other suggestions,

Re: PIE and static libraries

2016-05-22 Thread Andreas Metzler
On 2016-05-22 Christian Seiler wrote: [extensive explanation] > Therefore, I would recommend to use at least -fPIE for static > libraries, and possibly -fPIC if you think they might be used > in other dynamic libraries. > Hope that helps. Yes it does. Thanks for taking the

Re: PIE and static libraries

2016-05-22 Thread Christian Seiler
On 05/22/2016 10:50 AM, Andrey Rahmatullin wrote: > On Sun, May 22, 2016 at 10:41:56AM +0200, Christian Seiler wrote: >>=> however, -fPIC code is again slightly slower and >> larger than -fPIE code. > Really? I thought the idea is the same in both modes. Ok, thinking about it

Re: PIE and static libraries

2016-05-22 Thread Andrey Rahmatullin
On Sun, May 22, 2016 at 10:41:56AM +0200, Christian Seiler wrote: >=> however, -fPIC code is again slightly slower and > larger than -fPIE code. Really? I thought the idea is the same in both modes. > So in the end it boils down to the following: > > A. From a hardening

Re: PIE and static libraries

2016-05-22 Thread Christian Seiler
On 05/22/2016 08:48 AM, Andreas Metzler wrote: > https://lintian.debian.org/tags/hardening-no-pie.html says "It is > unlikely to work when compiling static libraries or executables (gcc > -static)." For static libraries, it really depends on what you want to do with them. A static library is just

Re: PIE and static libraries

2016-05-22 Thread Andrey Rahmatullin
On Sun, May 22, 2016 at 12:23:59PM +0500, Andrey Rahmatullin wrote: > On Sun, May 22, 2016 at 08:48:19AM +0200, Andreas Metzler wrote: > > https://lintian.debian.org/tags/hardening-no-pie.html says "It is > > unlikely to work when compiling static libraries or executables (gcc > > -static)." > >

Re: PIE and static libraries

2016-05-22 Thread Andrey Rahmatullin
On Sun, May 22, 2016 at 08:48:19AM +0200, Andreas Metzler wrote: > https://lintian.debian.org/tags/hardening-no-pie.html says "It is > unlikely to work when compiling static libraries or executables (gcc > -static)." > > However e.g. https://wiki.debian.org/Hardening does not mention this >

PIE and static libraries

2016-05-22 Thread Andreas Metzler
Hello, https://lintian.debian.org/tags/hardening-no-pie.html says "It is unlikely to work when compiling static libraries or executables (gcc -static)." However e.g. https://wiki.debian.org/Hardening does not mention this problem. Is the former incorrect or the latter incomplete? cu Andreas --