Because it seems to be common to many kde ebuilds, I will not file new bugs for every ebuild but instead list them here. The two separate bugs I already filed I will leave open.

strip: i686-pc-linux-gnu-strip --strip-unneeded
   usr/kde/3.5/bin/kdesu
   usr/kde/3.5/bin/kdesud
QA Notice: the following files are setXid, dyn linked, and using lazy bindings
 This combination is generally discouraged. Try re-emerging the package:
 LDFLAGS='-Wl,-z,now' emerge kdesu
LAZY usr/kde/3.5/bin/kdesud
!!! ERROR: kde-base/kdesu-3.5.0 failed.

QA Notice: the following files are setXid, dyn linked, and using lazy bindings
 This combination is generally discouraged. Try re-emerging the package:
 LDFLAGS='-Wl,-z,now' emerge kcheckpass
LAZY usr/kde/3.5/bin/kcheckpass
!!! ERROR: kde-base/kcheckpass-3.5.0 failed.
Is there some documentation on this issue? It would be easy to add an append-flags to the eclass, but maybe it could be better to report it directly upstream, if it really has some impact on security?
To report it upstream, I'd suggest to use at least the m4 I started developing for Gentoo/ALT that supports also Solaris's LD (that uses the same syntax, btw) and the one from MacOSX. Other than that, the fixes shouldn't happen unconditionally, I think; I've patched arts and I'll see to patch the rest, but I set the right flags from the ebuild via the BINDNOW_FLAGS variable using $(bindnow-flags); it does the same that the m4 would do if it was used. If you want to push this upstream, maybe you can try to contact Dirk Mueller.. I sure won't do it :) Give me time and I'll see to fix it piece by piece.. but it takes time waiting for kdelibs rebuild for example.
Let's start, I'll use status whiteboard to track changes..
Greg, I've committed kde-base/kdebase with the two patches, tested unpack and they apply, I don't have a monolithic setup at hand, tho, so if you can give that a try, please then close this bug, thanks :)
So I decided to go on and find the rest of setuid stuff. Here we go for kdenetwork:

QA Notice: the following files are setXid, dyn linked, and using lazy bindings
 This combination is generally discouraged. Try re-emerging the package:
 LDFLAGS='-Wl,-z,now' emerge kdenetwork
LAZY usr/kde/3.5/bin/kppp
LAZY usr/kde/3.5/bin/reslisa
I have now done emerge kde with some ebuild from split and most from monolithic packages with most USE flags on so most of the setuid programs from KDE itself (not counting external stuff like amarok) should now be listed here.
Fixed then.. in the future you might consider not to use stricter anyway, as solar said, it's supposed that most ebuilds do not build with it. While the QA is always a good idea, also for support of non-glibc non-uclibc libraries, they intend to fix them on libc level, without requiring -znow linking on binaries.
Well stricter also catches other stuff, but I can leave the setuid bit tests out.
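
Added example, not part of the original bug thread and not Portage's own QA code: a small Python check for the combination the QA notice names (setXid, dynamically linked, no BIND_NOW marker), which can be used to confirm that a rebuild with -Wl,-z,now took effect. The function names and the `sample_elf32` helper are hypothetical, and the sample image is constructed, not a real binary.

```python
import os, stat, struct

PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 1, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def binding_mode(elf: bytes) -> str:
    """Classify an ELF image as 'static', 'now' or 'lazy' from its dynamic section."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    word = "Q" if is64 else "I"
    # Offsets of e_phoff, e_phentsize, p_offset, p_filesz differ per ELF class.
    phoff_at, phent_at, poff_at, psz_at = (32, 54, 8, 32) if is64 else (28, 42, 4, 16)
    dyn = struct.Struct(end + ("qQ" if is64 else "iI"))
    rd = lambda fmt, at: struct.unpack_from(end + fmt, elf, at)
    (phoff,), (phentsize, phnum) = rd(word, phoff_at), rd("HH", phent_at)
    for i in range(phnum):
        ph = phoff + i * phentsize
        if rd("I", ph)[0] != PT_DYNAMIC:
            continue
        off, size = rd(word, ph + poff_at)[0], rd(word, ph + psz_at)[0]
        for pos in range(off, off + size - dyn.size + 1, dyn.size):
            tag, val = dyn.unpack_from(elf, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                return "now"
        return "lazy"    # dynamically linked, no BIND_NOW marker found
    return "static"      # no PT_DYNAMIC segment

def flagged(st_mode: int, elf: bytes) -> bool:
    """True for the combination the QA notice names: setXid + dynamic + lazy."""
    return bool(st_mode & (stat.S_ISUID | stat.S_ISGID)) and binding_mode(elf) == "lazy"

def audit(path: str) -> bool:
    """Apply flagged() to a file on disk, e.g. an installed kdesud."""
    with open(path, "rb") as fh:
        return flagged(os.stat(path).st_mode, fh.read())

def sample_elf32(entries):
    """Constructed ELF32 little-endian image: header, one PT_DYNAMIC phdr, entries."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in entries + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn
```

`audit()` raises `ValueError` on non-ELF files such as setuid scripts, so a tree walk should catch that and skip them.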