Bug#: 100974
Status: RESOLVED
Resolution: FIXED
Assigned To: Kevin F. Quinn (RETIRED) <kevquinn@gentoo.org>
Reporter: Kevin F. Quinn (RETIRED) <kevquinn@gentoo.org>
Description:   Opened: 2005-08-01 02:06 0000
The has_hardened, has_pic, has_pie, has_ssp and has_ssp_all functions in
flag-o-matic.eclass are problematic and cause confusion and are deprecated.

New functions in toolchain-funcs.eclass provide ebuild authors with reliable
methods for detecting when the various hardened technologies are enabled in gcc.

This bug exists to explain the new functions and how they are intended to be
used, and to track migration of existing ebuilds that use the deprecated has_*
functions to the new functions in toolchain-funcs.

------- Comment #1 From Kevin F. Quinn (RETIRED) 2005-08-01 04:00:14 0000 -------
Problem:

Currently we have has_hardened(), has_pic(), has_ssp(), has_ssp_all()
and has_pie() in flag-o-matic.eclass, which are intended to provide
ebuilds with a way of working out what hardened stuff is on in the
compiler.  However, has_hardened() only says whether the USE=hardened
was set when the compiler was emerged, has_pie() simply doesn't work,
has_pic() isn't particularly accurate as it doesn't take account of fPIE
(indeed since the hardened specs only ever switch on PIE automatically,
has_pic's very existence is misleading), and the has_ssp() functions
depend on the compiler setting the __SSP__/__SSP_ALL__ macros, which is
broken in the current stable x86 compiler.


Solution:

1) Provision of gcc-specs-pie, gcc-specs-ssp, gcc-specs-relro and
gcc-specs-now in toolchain-funcs.eclass.  These new functions query the gcc
specs in the current active compiler, and indicate true if the relevant tech
is automatically enabled or not.  They have no interest at all in the flags
specified by the user, but do need to track any changes to the specs
configuration (unlikely but possible) hence their location in
toolchain-funcs not flag-o-matic.

They're named 'gcc-' as they only work with gcc.  When using other compilers
(does anyone do this?) they'll always return false since it won't find any
specs, which is no different from the result on non-hardened (vanilla) gcc
(assuming the compiler responds to '-v').

2) Deprecation of has_hardened, has_pic, has_pie, has_ssp, has_ssp_all.
Leading to eventual elimination :)  However see the note on has_pic()
below.


Actions remaining:

To fix up existing eclass/ebuilds to use the new functions from
toolchain-funcs instead of has_* from flag-o-matic.

There's no hurry - obviously the old functions will remain until
they're no longer used.  Some of the ebuilds are old, and may well
get purged at some point anyway.


Note: has_pic()

This function returns true not only if the compiler is switching on PIE
by default, but also if the user has requested '-fPIC', '-fPIE' etc in
their CFLAGS.

gcc-specs-pie returns true only if the compiler includes the specs
settings to switch on PIE automatically; it does not consider the
user's CFLAGS setting at all.

If the ebuild in question is only trying to catch the changes made by
the hardened compiler, then simply swapping has_pic (or has_pie) for
gcc-specs-pie is sufficient.

However, if the ebuild is trying to catch also the presence of '-fPIC',
'-fpic', '-fPIE', '-fpie', '-pie' in CFLAGS (which is nothing to do
with hardened, of course) please comment indicating what your ebuild needs,
so we can come up with something suitable in flag-o-matic.



----------------------------------------------------------------------
OK; these are the eclasses & ebuilds that use the various has_* functions
that are deprecated.  Please find any that are relevant to you and comment.
If you are happy for me to alter your ebuilds along the lines described to
save you effort, I'll do so - but only if you ask me to, obviously!



eclass/php-sapi.eclass
eclass/php5-sapi-r2.eclass
eclass/php5-sapi-r3.eclass

robbat2 - see has_pic() note above


mail-client/mozilla-thunderbird/mozilla-thunderbird-1.0.5-r1.ebuild
mail-client/mozilla-thunderbird/mozilla-thunderbird-1.0.6-r2.ebuild
mail-client/mozilla-thunderbird/mozilla-thunderbird-1.0.5.ebuild
www-client/mozilla/mozilla-1.7.10-r1.ebuild
www-client/mozilla/mozilla-1.7.10-r2.ebuild
www-client/mozilla-firefox/mozilla-firefox-1.0.5-r1.ebuild
www-client/mozilla-firefox/mozilla-firefox-1.0.6-r2.ebuild
www-client/mozilla-firefox/mozilla-firefox-1.0.6-r3.ebuild

gustavoz, mozilla herd - has_hardened can be replaced with gcc-specs-ssp
	(also closes off bug #)


media-libs/hermes/hermes-1.3.3-r1.ebuild

eradicator - see has_pic() note above


media-libs/libdv/libdv-0.104.ebuild

mholzer, max - see has_pic() note above


media-libs/libmpeg3/libmpeg3-1.5.2-r1.ebuild
media-libs/libmpeg3/libmpeg3-1.5.2-r1.ebuild

video herd - see has_pic() note above (for both cases)


media-libs/xine-lib/xine-lib-1.0-r2.ebuild
media-libs/xine-lib/xine-lib-1.0-r3.ebuild
media-libs/xine-lib/xine-lib-1.0-r4.ebuild
media-libs/xine-lib/xine-lib-1.0.1-r1.ebuild
media-libs/xine-lib/xine-lib-1.0.1-r2.ebuild
media-libs/xine-lib/xine-lib-1.0.1-r3.ebuild
media-libs/xine-lib/xine-lib-1.0.2.ebuild
media-libs/xine-lib/xine-lib-1.1.0.ebuild

video herd - see has_pic() note above


media-plugins/xmms-mpg123/xmms-mpg123-1.2.10-r1.ebuild
media-plugins/xmms-mpg123/xmms-mpg123-1.2.10.ebuild

eradicator, sound herd - see has_pic() note above


media-video/ffmpeg/ffmpeg-0.4.9_p20050226-r3.ebuild
media-video/ffmpeg/ffmpeg-0.4.9_p20050226-r5.ebuild

video herd - see has_pic() note above


media-video/mjpegtools/mjpegtools-1.6.2-r3.ebuild

video, media-tv herds - -r4 has eliminated use of has_pie; either replace
    with gcc-specs-pie, or remove -r3 since -r4 is stable on all arches
    that -r3 supports.


net-ftp/proftpd/proftpd-1.2.10-r1.ebuild
net-ftp/proftpd/proftpd-1.2.10-r2.ebuild
net-ftp/proftpd/proftpd-1.2.10-r3.ebuild
net-ftp/proftpd/proftpd-1.2.10.ebuild
net-ftp/proftpd/proftpd-1.2.9-r2.ebuild
net-ftp/proftpd/proftpd-1.2.10-r5.ebuild
net-ftp/proftpd/proftpd-1.2.10-r6.ebuild
net-ftp/proftpd/proftpd-1.2.10-r7.ebuild

killerfox, humpback - it should be ok to remove:

    # bug #30359
    use hardened && echo > lib/libcap/cap_sys.c
    has_pic && echo > lib/libcap/cap_sys.c

completely, now that the kernel headers are PIC-compliant


net-p2p/amule/amule-2.0.1.ebuild
net-p2p/amule/amule-2.0.3.ebuild

chainsaw, net-p2p herd - the condition is unnecessary, you can just do:

	filter-flags -fstack-protector

and all will be well.


sys-boot/grub/grub-0.94-r1.ebuild
sys-boot/grub/grub-0.94-r1.ebuild

robmoss - has_pie can be replaced with gcc-specs-pie, and has_ssp
	with gcc-specs-ssp.


sys-libs/glibc/glibc-2.3.4.20040619-r2.ebuild
sys-libs/glibc/glibc-2.3.4.20040808-r1.ebuild
sys-libs/glibc/glibc-2.3.4.20041102-r1.ebuild

toolchain - has_hardened can be replaced with gcc-specs-pie


x11-base/xorg-x11/xorg-x11-6.8.2-r2.ebuild
x11-base/xorg-x11/xorg-x11-6.8.2-r2.ebuild
x11-base/xorg-x11/xorg-x11-6.8.2-r2.ebuild
x11-base/xorg-x11/xorg-x11-6.8.99.15.ebuild
x11-base/xorg-x11/xorg-x11-6.8.99.14.ebuild
x11-base/xorg-x11/xorg-x11-6.8.99.14.ebuild
x11-base/xorg-x11/xorg-x11-6.8.99.14.ebuild

spyderous - gcc-specs-pie and gcc-specs-now can replace has_hardened
    as appropriate.
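
An added, runnable sketch (my own, not code from toolchain-funcs.eclass or from anyone in this thread) of the distinction comment #1 draws: gcc-specs-* style predicates that look only at the compiler specs, beside a has_pic-style check that looks only at CFLAGS. Both specs texts are constructed samples in the shape of a gcc specs file; on a live system you would pipe `gcc -dumpspecs` in instead.

```shell
# Added illustration of the gcc-specs-* idea from comment #1 (not the real
# toolchain-funcs.eclass code): decide from the compiler's SPECS whether a
# hardening feature is switched on automatically, ignoring the user's CFLAGS.
# Both specs texts below are CONSTRUCTED samples in the shape of a gcc specs
# file; a live check would feed "$(gcc -dumpspecs)" instead.
HARDENED_SPECS='*cc1:
%{!fno-stack-protector:-fstack-protector-all} %{!nopie:%{!shared:%{!static:-fPIE}}}

*link:
%{!nopie:%{!shared:%{!static:-pie}}} -z relro -z now %{shared:-shared}
'
VANILLA_SPECS='*cc1:
%{G*} %{O*}

*link:
%{shared:-shared} %{static:-static}
'

# Print the body of one specs section ("cc1", "link", ...) read from stdin.
# A section starts with "*name:" and runs until the next blank line.
specs_section() {
    awk -v want="*$1:" '
        $0 == want { grab = 1; next }
        grab && $0 == "" { exit }
        grab { print }'
}

# Each predicate asks: does this specs text emit the flag on its own?
specs_enables_pie()   { printf '%s\n' "$1" | specs_section cc1  | grep -q -- '-fPIE'; }
specs_enables_ssp()   { printf '%s\n' "$1" | specs_section cc1  | grep -q -- '-fstack-protector'; }
specs_enables_relro() { printf '%s\n' "$1" | specs_section link | grep -q -- '-z relro'; }
specs_enables_now()   { printf '%s\n' "$1" | specs_section link | grep -q -- '-z now'; }

# The has_pic-style question is different: did the USER put PIC/PIE flags in
# CFLAGS?  Comment #1 warns not to confuse the two.
cflags_request_pic() {
    for f in $1; do
        case $f in -fPIC|-fpic|-fPIE|-fpie|-pie) return 0 ;; esac
    done
    return 1
}

# Ebuild-style use: patch for the hardened compiler only when the specs say so.
if specs_enables_pie "$HARDENED_SPECS"; then
    echo "specs enable PIE: apply the hardened-gcc patch"
fi
```

The vanilla sample returns false for every specs predicate even when CFLAGS contains -fPIC, which is exactly the behaviour comment #1 wants from gcc-specs-pie and which has_pic does not give.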

------- Comment #2 From Diego E. 'Flameeyes' Pettenò 2005-08-04 08:13:57 0000 -------
While I know it's not supported, gcc-specs-directive doesn't work on gcc4; I
won't change any of the video packages until this works, the current solution
seems to work for now.

BTW has_pic checks for PIC being enabled, via whatever way, by checking the CPP
output, so this also works (say) for icc; isn't it a regression replacing this
with a gcc-specific function?

------- Comment #3 From Kevin F. Quinn (RETIRED) 2005-08-04 13:15:59 0000 -------
re. gcc-4 I missed that it doesn't have a default external specs file - since
it's -* I hadn't tried it.  Azarah has fixed this (thanks az!) so the functions
return false on gcc-4 - this is ok for now as there aren't any hardened gcc-4
variants.  I'll commit a change to cope with the built-in specs soon, certainly
before any hardened variants of gcc-4 appear.  So gcc-4 isn't a problem.

As far as icc goes, we don't provide any hardened variants; it should return
false as with gcc-4 - and this is all it needs to do.  I'm not a fan of
anticipating too much - if we ever need to support other compilers for building
the system I suggest we worry about it then.

re. pic - I wrote a note about has_pic() in the original report.  It's important
to realise the gcc-specs-* functions are there purely to allow you to discover
what gcc specs trickery is in play (i.e. what hardened gcc is up to) - they're
not there to tell you anything about CFLAGS.  Since only gcc has hardened
variants, it makes sense that they're gcc-specific.

It may be that the current has_pic() meets the needs of its users correctly; in
which case we'll un-deprecate it.  However in the hardened gcc case, it returns
true even though -fPIE is automatic, not -fPIC (there are differences between
PIC and PIE).  Of particular note is that it is often used to apply patches to
non-PIC shared library code - these should always be PIC regardless of hardened
gcc, so any such fixes should in general be unconditional anyway.  The other
stuff that gets patched is to get things working with hardened gcc, due to the
automatic -fPIE - in which case gcc-specs-pie() is the correct condition.

------- Comment #4 From SpanKY 2005-08-04 20:15:44 0000 -------
old grub fixed

------- Comment #5 From Gustavo Zacarias (RETIRED) 2005-08-05 06:38:20 0000 -------
I'm not related to the mozilla herd, don't know what you want me to do here
since there are no sparc-related ebuilds or others I own, so removing myself.

------- Comment #6 From Doug Goldstein 2005-08-05 23:07:24 0000 -------
media-tv did its thing.

------- Comment #7 From Tony Vroon 2005-08-07 05:44:51 0000 -------
<pkgmetadata>
<herd>net-p2p</herd>
</pkgmetadata>

I am not in the net-p2p herd.
Please do not CC people on bugs just because they last touched a package.

------- Comment #8 From Raúl Porcel 2007-02-13 15:12:26 0000 -------
net-p2p is done

------- Comment #9 From Raúl Porcel 2007-03-21 18:54:35 0000 -------
mozilla is done too, it was only www-client/mozilla[-bin] and it has been removed.

------- Comment #10 From Jakub Moc (RETIRED) 2007-07-01 00:18:37 0000 -------
(In reply to comment #1)
> eclass/php-sapi.eclass
> eclass/php5-sapi-r2.eclass
> eclass/php5-sapi-r3.eclass

deprecated, unused anywhere, will never be fixed.

> mail-client/mozilla-thunderbird/mozilla-thunderbird-1.0.5-r1.ebuild
> mail-client/mozilla-thunderbird/mozilla-thunderbird-1.0.6-r2.ebuild
> mail-client/mozilla-thunderbird/mozilla-thunderbird-1.0.5.ebuild
> www-client/mozilla/mozilla-1.7.10-r1.ebuild
> www-client/mozilla/mozilla-1.7.10-r2.ebuild
> www-client/mozilla-firefox/mozilla-firefox-1.0.5-r1.ebuild
> www-client/mozilla-firefox/mozilla-firefox-1.0.6-r2.ebuild
> www-client/mozilla-firefox/mozilla-firefox-1.0.6-r3.ebuild

Done per Comment #9

> media-libs/hermes/hermes-1.3.3-r1.ebuild

done + p.masked pending removal anyway

> media-libs/libdv/libdv-0.104.ebuild

done

> media-libs/libmpeg3/libmpeg3-1.5.2-r1.ebuild
> media-libs/libmpeg3/libmpeg3-1.5.2-r1.ebuild

done

> media-libs/xine-lib/xine-lib-1.0-r2.ebuild
> media-libs/xine-lib/xine-lib-1.0-r3.ebuild
> media-libs/xine-lib/xine-lib-1.0-r4.ebuild
> media-libs/xine-lib/xine-lib-1.0.1-r1.ebuild
> media-libs/xine-lib/xine-lib-1.0.1-r2.ebuild
> media-libs/xine-lib/xine-lib-1.0.1-r3.ebuild
> media-libs/xine-lib/xine-lib-1.0.2.ebuild
> media-libs/xine-lib/xine-lib-1.1.0.ebuild

done

> media-plugins/xmms-mpg123/xmms-mpg123-1.2.10-r1.ebuild
> media-plugins/xmms-mpg123/xmms-mpg123-1.2.10.ebuild

removed

> media-video/ffmpeg/ffmpeg-0.4.9_p20050226-r3.ebuild
> media-video/ffmpeg/ffmpeg-0.4.9_p20050226-r5.ebuild

0.4.9_p20050226-r3 and 0.4.9_p20051216 are useless and should be punted.

> media-video/mjpegtools/mjpegtools-1.6.2-r3.ebuild

done

> net-ftp/proftpd/proftpd-1.2.10-r1.ebuild
> net-ftp/proftpd/proftpd-1.2.10-r2.ebuild
> net-ftp/proftpd/proftpd-1.2.10-r3.ebuild
> net-ftp/proftpd/proftpd-1.2.10.ebuild
> net-ftp/proftpd/proftpd-1.2.9-r2.ebuild
> net-ftp/proftpd/proftpd-1.2.10-r5.ebuild
> net-ftp/proftpd/proftpd-1.2.10-r6.ebuild
> net-ftp/proftpd/proftpd-1.2.10-r7.ebuild

switched to gcc-specs-pie

> net-p2p/amule/amule-2.0.1.ebuild
> net-p2p/amule/amule-2.0.3.ebuild

done

> sys-boot/grub/grub-0.94-r1.ebuild
> sys-boot/grub/grub-0.94-r1.ebuild

done per Comment #4

> sys-libs/glibc/glibc-2.3.4.20040619-r2.ebuild
> sys-libs/glibc/glibc-2.3.4.20040808-r1.ebuild
> sys-libs/glibc/glibc-2.3.4.20041102-r1.ebuild

gone

> x11-base/xorg-x11/xorg-x11-6.8.2-r2.ebuild
> x11-base/xorg-x11/xorg-x11-6.8.2-r2.ebuild
> x11-base/xorg-x11/xorg-x11-6.8.2-r2.ebuild
> x11-base/xorg-x11/xorg-x11-6.8.99.15.ebuild
> x11-base/xorg-x11/xorg-x11-6.8.99.14.ebuild
> x11-base/xorg-x11/xorg-x11-6.8.99.14.ebuild
> x11-base/xorg-x11/xorg-x11-6.8.99.14.ebuild

gone

Closing.
