Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Lisandro Damián Nicanor Pérez Meyer
On Friday, 7 October 2016 4:56:03 PM ART Daniel Kahn Gillmor wrote:
[snip] 
> > And also: yes, -fPIE needs overriding if using hardening flags.
> 
> can you explain that in more detail?  what specifically should be
> overridden and where?

Sure. Hardening adds -fPIE to CFLAGS/CXXFLAGS, so you either need to remove it 
from there with

  CXXFLAGS -= -fPIE # Untested, but should work

or simply not enabling all hardening features:



Just use -pie there.

I wonder what +all,-pie would do there.

-- 
because it does not respect the natural order in which things are read
>why is top-posting so annoying?
>>top-posting
>>>what is the worst annoyance in reply emails?

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/


-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Sandro Knauß
Hey,

> >> -PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
> >> and is needed to get the code working with Qt 5.4.2+.
> > 
> > And also: yes, -fPIE needs overriding if using hardening flags.
> 
> can you explain that in more detail?  what specifically should be
> overridden and where?

Yes, this is exactly my question as well, because I'm puzzled by all these 
build flags...

regards,

sandro

-- 
I've switched my GnuPG key:
http://sandroknauss.de/files/transition2015.asc

My (new) public key: E68031D299A6527C 
Fingerprint:
D256 4951 1272 8840 BB5E  99F2 E680 31D2 99A6 527C 
Get it e.g. here:
pool.sks-keyservers.net, ...


Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Daniel Kahn Gillmor
On Fri 2016-10-07 16:33:20 -0400, Lisandro Damián Nicanor Pérez Meyer wrote:
> On Friday, 7 October 2016 6:35:00 PM ART Dmitry Shachnev wrote:
>> On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
>> > I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
>> > years and i confess i've never completely understood the differences or
>> > whether one is "stronger" than another.
>> > 
>> > gcc says of -fPIE and -fpic "generated position independent code can be
>> > only linked into executables." which makes it seem odd that these
>> > parameters would be passed through to building libraries in the first
>> > place.
>> 
>> -PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
>> and is needed to get the code working with Qt 5.4.2+.
>
> And also: yes, -fPIE needs overriding if using hardening flags.

can you explain that in more detail?  what specifically should be
overridden and where?

thanks,

   --dkg


Re: [d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

2016-10-07 Thread Sandro Knauß
Hey,

> I'm not entirely sure what to do about the name of the library during
> this handoff -- it might drop the "kf5" prefix.  If we don't drop the
> "kf5" prefix, i suppose we'll need an epoch number in the package
> version to make sure that upgrades happen.  It's also possible that
> we'll need to do a similar thing with qgpgme, i guess.

the libs gpgme installs are without the kf5 prefix, so we should also name 
the packages like the libs, without the kf5 prefix. That way we don't end up 
having the same package names, which makes life easier for the transition :)

I hope I will finish the build of the c++/qt bindings in the next few days and 
will publish them in a private clone of the debian repo, so dkg can check my 
changes before pulling them in. Just to make sure I don't break your workflow.

Regards,

sandro


Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Lisandro Damián Nicanor Pérez Meyer
On Friday, 7 October 2016 6:35:00 PM ART Dmitry Shachnev wrote:
> On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
> > I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
> > years and i confess i've never completely understood the differences or
> > whether one is "stronger" than another.
> > 
> > gcc says of -fPIE and -fpic "generated position independent code can be
> > only linked into executables." which makes it seem odd that these
> > parameters would be passed through to building libraries in the first
> > place.
> 
> -PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
> and is needed to get the code working with Qt 5.4.2+.

And also: yes, -fPIE needs overriding if using hardening flags.

-- 
On Argentina: "I know it is one of the most hospitable countries in the world"
 Albert Einstein

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/



Re: [d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

2016-10-07 Thread Daniel Kahn Gillmor
Hello Maximiliano!

On Fri 2016-10-07 09:45:25 -0400, Maximiliano Curia wrote:
> Yes, sorry for not replying sooner. We are not planning to upload a new 
> version of gpgmepp (we are currently skipping 16.08 and upstream is 
> apparently dropping gpgmepp for 16.12).

ok, cool.  so then taking it over with the gpgme1.0 source package
should be OK.

I'm not entirely sure what to do about the name of the library during
this handoff -- it might drop the "kf5" prefix.  If we don't drop the
"kf5" prefix, i suppose we'll need an epoch number in the package
version to make sure that upgrades happen.  It's also possible that
we'll need to do a similar thing with qgpgme, i guess.

thanks for the reply,

  --dkg



Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Dmitry Shachnev
On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
> I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
> years and i confess i've never completely understood the differences or
> whether one is "stronger" than another.
>
> gcc says of -fPIE and -fpic "generated position independent code can be
> only linked into executables." which makes it seem odd that these
> parameters would be passed through to building libraries in the first
> place.

-PIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
and is needed to get the code working with Qt 5.4.2+.

--
Dmitry Shachnev



Re: [d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

2016-10-07 Thread Maximiliano Curia

Hello Daniel!

On 2016-10-07 at 15:26 +0200, Maximiliano Curia wrote:

> On Fri 2016-10-07 04:33:36 -0400, Maximiliano Curia wrote:
>> Qt and KDE libs are built with -fPIC, which, afaik, is stronger and 
>> incompatible with -fPIE, would it be an option to use -fPIC for 
>> gpgme?
>
> I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for 
> years and i confess i've never completely understood the differences or 
> whether one is "stronger" than another.
>
> gcc says of -fPIE and -fpic "generated position independent code can be 
> only linked into executables." which makes it seem odd that these 
> parameters would be passed through to building libraries in the first 
> place.
>
> I'm going to try a rebuild without the extra hardening flags to see 
> whether i can make progress on this.

I don't think I can offer you much help with this, the way I see it -fpie and
-fPIE are only useful for non libraries, but I don't really know what gcc/ld 
does with these options.

> fwiw, i'd still really love some feedback about whether it's ok to take 
> over the binary packages i'd asked about in the first place.

Yes, sorry for not replying sooner. We are not planning to upload a new 
version of gpgmepp (we are currently skipping 16.08 and upstream is apparently 
dropping gpgmepp for 16.12).


Happy hacking,
--
"If you optimize everything, you will always be unhappy."
-- Donald Knuth
Regards /\/\ /\ >< `/



[d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

2016-10-07 Thread Maximiliano Curia

Forwarding as requested.

- Forwarded message from Daniel Kahn Gillmor  -

Date: Fri, 07 Oct 2016 08:54:53 -0400
From: Daniel Kahn Gillmor 
To: Maximiliano Curia 
Subject: Re: gpgme 1.7.0~ alpha or beta to debian experimental?
X-CRM114-Status: GOOD (   6.40  )

[ offlist because your response was offlist; if you intended it to be
 on-list, feel free to re-forward my reply on-list as well.  nothing in
 my message is intended to be private ]

On Fri 2016-10-07 04:33:36 -0400, Maximiliano Curia wrote:
> Qt and KDE libs are built with -fPIC, which, afaik, is stronger and 
> incompatible with -fPIE, would it be an option to use -fPIC for gpgme?


I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
years and i confess i've never completely understood the differences or
whether one is "stronger" than another.

gcc says of -fPIE and -fpic "generated position independent code can be
only linked into executables." which makes it seem odd that these
parameters would be passed through to building libraries in the first
place.

I'm going to try a rebuild without the extra hardening flags to see
whether i can make progress on this.

fwiw, i'd still really love some feedback about whether it's ok to take
over the binary packages i'd asked about in the first place.

   --dkg

- End forwarded message -

--
Because it does not respect the natural order in which things are read
> Why is replying at the top of the message bad?
Regards /\/\ /\ >< `/



Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Maximiliano Curia
(resending on list)

Qt and KDE libs are built with -fPIC, which, afaik, is stronger and 
incompatible with -fPIE, would it be an option to use -fPIC for gpgme?

On October 7, 2016 3:48:39 AM GMT+02:00, Daniel Kahn Gillmor wrote:
> On Thu 2016-10-06 19:51:57 -0400, Sandro Knauß wrote:
>
>> I now started to build cpp and qt bindings for gpgme but ran into an 
>> issue with the hardening flags. The problem is the -fPIE. With this 
>> enabled configure stops with:
>
> fwiw, I'm seeing a similar issue with hardening flags and the python 
> bindings -- they're getting in the way of building with swig.
>
> If you're up for the gpgme1.0 source package taking over the cpp and qt 
> binary packages, i'd be willing to consider dropping the hardening flags 
> for now just to make sure they can be built properly from the same 
> source.
>
> If the QT/KDE folks have a proposal for how to fix it later, i'd be 
> happy to fix it subsequently as well.
>
> what do you think?
>
> --dkg




Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-06 Thread Daniel Kahn Gillmor
On Thu 2016-10-06 19:51:57 -0400, Sandro Knauß wrote:

> I now started to build cpp and qt bindings for gpgme but ran into an
> issue with the hardening flags. The problem is the -fPIE. With this
> enabled configure stops with:

fwiw, I'm seeing a similar issue with hardening flags and the python
bindings -- they're getting in the way of building with swig.

If you're up for the gpgme1.0 source package taking over the cpp and qt
binary packages, i'd be willing to consider dropping the hardening flags
for now just to make sure they can be built properly from the same
source.

If the QT/KDE folks have a proposal for how to fix it later, i'd be
happy to fix it subsequently as well.

what do you think?

 --dkg



Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-06 Thread Sandro Knauß
Hey,

I now started to build cpp and qt bindings for gpgme but ran into an issue with 
the hardening flags. The problem is the -fPIE. With this enabled configure 
stops with:

configure:19628: checking whether a simple qt program can be built
configure:19639: g++ -o conftest -g -O2 -fdebug-prefix-map=/<>=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security -I/usr/include/x86_64-linux-gnu/qt5/QtCore -I/usr/include/x86_64-linux-gnu/qt5 -fpic -fPIE -pie -Wl,-z,relro -Wl,-z,now conftest.cpp -lQt5Core >&5
In file included from /usr/include/x86_64-linux-gnu/qt5/QtCore/qcoreapplication.h:37:0,
                 from /usr/include/x86_64-linux-gnu/qt5/QtCore/QCoreApplication:1,
                 from conftest.cpp:33:
/usr/include/x86_64-linux-gnu/qt5/QtCore/qglobal.h:1087:4: error: #error "You must build your code with position independent code if Qt was built with -reduce-relocations. " "Compile your code with -fPIC (-fPIE is not enough)."
 #  error "You must build your code with position independent code if Qt was built with -reduce-relocations. "\
    ^

full log: 
http://sandroknauss.de/files/gpgme1.0_1.7.0-2_amd64_with_hardening.build
with hardening disabled it builds successfully and also via replacing -fPIE 
with -fPIC, but then lintian is unhappy about the missing -fPIE for gpgme-tool.
http://sandroknauss.de/files/gpgme1.0_1.7.0-2_amd64_without_hardening.build

How do I need to change the CPP/C++/CFLAGS, so we get what we want? Or is this 
a bug from Qt side?

Regards,

sandro

On Thursday, 22 September 2016, 17:44:38 CEST, Daniel Kahn Gillmor wrote:
> On Sat 2016-09-10 13:00:26 -0400, Daniel Kahn Gillmor wrote:
> > As i understand it from a talk given by Andre Heinecke (GPGME upstream,
> > cc'ed here) at OpenPGP.conf, GPGME 1.7.0 is likely to take over as
> > upstream from pyme, gpgmepp, and qgpgme.  (it will also add a
> > common-lisp binding, but that's not in debian at all, so i'll ignore it
> > for now).  1.7.0 isn't yet released, but it sounds like the release is
> > due fairly soon.
> 
> 1.7.0 was released a couple days ago, and i just uploaded it to debian
> unstable, along with a fair bit of debian packaging cleanup.
> 
> The source package i uploaded currently only builds the C library.  It
> does not build or attempt to ship the python, common-lisp, c++, or qt
> bindings yet.
> 
> > I don't think it'd be unreasonable for the debian GnuPG packaging team
> > take on these additional binary packages within the gpgme1.0 source
> > package, which would mean that the source packages for python-pyme, and
> > gpgmepp would probably go away, and the kdepimlibs library would stop
> > building libqgpgme1 and libgpgme++2v5.
> 
> I plan to work in experimental for a version that will produce the
> python3 bindings -- binary package python3-pyme in particular.  I'm not
> yet aiming to "hijack" the 2.x bindings with this source package, since
> i haven't heard from Arnaud.
> 
> Arnaud, at some point we should let the gpgme1.0 source package take
> over the python-pyme binary package, though, since i understand that it
> is now python2-compatible upstream.  I haven't heard back from you here,
> but given that the transition has happened upstream, i hope it will be
> OK.  Would you like to help out with this?  I'd be happy to have your
> input and experience on the python bits (and elsewhere if you're
> willing).
> 
> If someone wants to collaborate on doing the same kind of work for qt
> and c++, i'm happy to coordinate via the pkg-gnupg-maint git repo,
> and/or on IRC #debian-gnupg on oftc.
> 
>--dkg
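
Added example, not part of the original messages: a small Python model of why the g++ line in the configure log above trips Qt's check while the -fPIC variants do not. It assumes GCC lets the last of -fpic/-fPIC/-fpie/-fPIE on the command line win and that the qglobal.h check requires __PIC__ without __PIE__ (inferred from the quoted error text); all function and variable names are hypothetical.

```python
# Added example (not from the thread): which PIC/PIE mode a gcc/g++ command
# line ends up in, and whether Qt's -reduce-relocations check would accept it.
# Assumption: GCC treats -fpic/-fPIC/-fpie/-fPIE as mutually exclusive and the
# last one on the command line wins; the -fno-* forms are not modelled.
MODES = {"-fpic": ("PIC", 1), "-fPIC": ("PIC", 2),
         "-fpie": ("PIE", 1), "-fPIE": ("PIE", 2)}


def effective_mode(cmdline):
    """Return (kind, level, flag) for the last code-model flag, or None."""
    last = None
    for arg in cmdline.split():
        if arg in MODES:
            last = MODES[arg] + (arg,)
    return last


def predefined_macros(mode):
    """Macros GCC predefines for the mode; PIE code also defines __PIC__."""
    if mode is None:
        return {}
    kind, level, _ = mode
    macros = {"__pic__": level, "__PIC__": level}
    if kind == "PIE":
        macros.update({"__pie__": level, "__PIE__": level})
    return macros


def qt_check_passes(cmdline):
    """Assumed model of the qglobal.h #error: needs __PIC__, rejects __PIE__."""
    macros = predefined_macros(effective_mode(cmdline))
    return "__PIC__" in macros and "__PIE__" not in macros


# Constructed inputs: the first is the g++ line from the configure log above
# (include paths dropped); the others are the variants the thread discusses.
FAILING = ("g++ -o conftest -g -O2 -fPIE -fstack-protector-strong -Wformat "
           "-Werror=format-security -fpic -fPIE -pie -Wl,-z,relro -Wl,-z,now "
           "conftest.cpp -lQt5Core")
REPLACED = FAILING.replace("-fPIE", "-fPIC")   # every -fPIE swapped for -fPIC
APPENDED = "g++ -g -O2 -fPIE -fstack-protector-strong -fPIC -c lib.cpp"

if __name__ == "__main__":
    for name, cmd in (("log", FAILING), ("replaced", REPLACED), ("appended", APPENDED)):
        verdict = "accepted" if qt_check_passes(cmd) else "#error"
        print(name, effective_mode(cmd), "Qt check:", verdict)
```

In the log's command the hardening -fPIE appears again after -fpic, so PIE is the mode in effect; in the appended variant -fPIC comes after the hardening -fPIE and takes over.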


