Bug 504764 - net-misc/openssh: add USE=pie to control PIE support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Blocks: 507434
Reported: 2014-03-16 07:36 UTC by David Kredba
Modified: 2014-11-15 20:14 UTC

Attachments
config.log.gz (config.log.gz,42.92 KB, application/gzip)
2014-03-16 07:37 UTC, David Kredba
build.log.gz (build.log.gz,11.18 KB, application/gzip)
2014-03-16 07:38 UTC, David Kredba

Description David Kredba 2014-03-16 07:36:33 UTC
I got the information in Gcc bug http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60530.

If not used it fails with
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0-alpha20140311/../../../../x86_64-pc-linux-gnu/bin/ld: /tmp/ccKc90pS.ltrans0.ltrans.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/tmp/ccKc90pS.ltrans0.ltrans.o: error adding symbols: Bad value

Openssh will not do anything here. They wrote me that:

There are a whole lot of options in here that were not added by OpenSSH's
configure. If you are specifying CFLAGS then it is up to you to provide
a coherent set.
We can't check every possible option provided by the user; the defaults
are intended to work, but if you use others then you need to ensure they
are coherent.


Reproducible: Always

Steps to Reproduce:
1.Use alpha gcc-4.9.0 vanilla and -flto -fuse-linker-plugin in CFLAGS
2.Use binutils patched for slim-LTO or gcc-ar and gcc-nm as NM and AR
3.



Portage 2.2.8-r1 (default/linux/amd64/13.0/desktop/kde, gcc-4.9.0-alpha20140314, glibc-2.18-r1, 3.13.6-gentoo x86_64)
=================================================================
System uname: Linux-3.13.6-gentoo-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9550_@_2.83GHz-with-gentoo-2.2
KiB Mem:     8170208 total,    679300 free
KiB Swap:    8396796 total,   8396640 free
Timestamp of tree: Sat, 15 Mar 2014 15:30:01 +0000
ld GNU ld (GNU Binutils) 2.24.51.20140304
app-shells/bash:          4.2_p45-r1
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.6, 3.2.5-r3, 3.3.4
dev-util/cmake:           2.8.12.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4, 1.14.1
sys-devel/binutils:       2.24.51::x-portage
sys-devel/gcc:            4.7.3-r1, 4.8.2-r1, 4.9.0_alpha20140314::x-portage
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           4.0-r1
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.18-r1
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-flto=4 -fuse-linker-plugin -O2 -ggdb -pipe -march=native -mtune=native -mno-3dnow -mno-sse4.2 -mno-avx"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-flto=4 -fuse-linker-plugin -O2 -ggdb -pipe -march=native -mtune=native -mno-3dnow -mno-sse4.2 -mno-avx"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch usersandbox usersync xattr"
FFLAGS="-flto=4 -fuse-linker-plugin -O2 -ggdb -pipe -march=native -mtune=native -mno-3dnow -mno-sse4.2 -mno-avx"
GENTOO_MIRRORS="ftp://gentoo.mirror.web4u.cz/"
LANG="C"
LC_ALL="C"
LDFLAGS="-flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=native -mtune=native -mno-3dnow -mno-sse4.2 -mno-avx"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS="echo"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
USE="X a52 aac acl acpi alsa amd64 berkdb blas bluetooth branding bzip2 cairo caps cdda cddb cdparanoia cdr cli consolekit cracklib crypt cups cvs cxx dbus declarative djvu dri dts dv dvb dvd dvdr emboss encode exif fam ffmpeg fftw firefox flac fontconfig fortran ftp gd gdbm geoip gif gmp gnuplot gpm gps graphviz gsl gsm gstreamer gtk hdf5 iconv icu idn ieee1394 imagemagick imlib ipv6 ithreads javascript jbig jpeg jpeg2k kde kipi ladspa lame lapack lcms ldap libass libnotify libsamplerate lzma lzo mad matroska mms mmx mmxext mng modplug modules mp3 mp4 mpeg mplayer msn mtp multilib musepack musicbrainz ncurses netcdf nls nptl ocaml ocamlopt odbc ogg openexr opengl openmp pam pango pch pcre pdf perl phonon pic plasma plotutils png policykit postscript ppds pulseaudio python qt3support qt4 quicktime rdesktop readline samba scanner sdl semantic-desktop session slang smp sndfile sox speex spell sse sse2 ssl ssse3 startup-notification svg szip tcpd theora threads tidy tiff truetype udev udisks unicode upower usb v4l vcd vdpau vnc vorbis wavpack wmf wxwidgets x264 xattr xcb xcomposite xft xine xinerama xml xosd xpm xscreensaver xv xvid xvmc zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2 adc65 agfa_cl20 aox ax203 barbie canon 
casio_qv clicksmart310 digigr8 digita dimagev dimera3500 directory enigma13 fuji gsmart300 hp215 iclick jamcam jd11 jl2005a jl2005c kodak_dc120 kodak_dc210 kodak_dc240 kodak_dc3200 kodak_ez200 konica konica_qm150 largan lg_gsm mars mustek panasonic_coolshot panasonic_dc1000 panasonic_dc1580 panasonic_l859 pccam300 pccam600 pentax polaroid_pdc320 polaroid_pdc640 polaroid_pdc700 ricoh ricoh_g3 samsung sierra sipix_blink2 sipix_web2 smal sonix sony_dscf1 sony_dscf55 soundvision spca50x sq905 st2205 stv0674 stv0680 sx330z topfield toshiba_pdrm11 tp6801" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" FFTOOLS="aviocat cws2fws ffescape ffeval fourcc2pixfmt graph2dot ismindex pktdumper qt-faststart trasher ffhash" GPSD_PROTOCOLS="aivdm ashtech earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 navcom nmea ntrip oceanserver oncore rtcm104v2 rtcm104v3 sirf superstar2 tnt tripmate tsip ubx fury geostar nmea2000" GRUB_PLATFORMS="pc" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer scripting-beanshell scripting-javascript nlpsolver" LINGUAS="cs en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2 python3_3" QEMU_SOFTMMU_TARGETS="x86_64 arm i386" QEMU_USER_TARGETS="arm i386 x86_64" RUBY_TARGETS="ruby19 ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.2 3.3"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC
Comment 1 David Kredba 2014-03-16 07:37:18 UTC
Created attachment 372794
config.log.gz
Comment 2 David Kredba 2014-03-16 07:38:31 UTC
Created attachment 372796
build.log.gz
Comment 3 SpanKY gentoo-dev 2014-03-18 01:55:26 UTC
i think you misread things.  you gave ssh.i as an input and that needs -fPIE.  the openssh build system doesn't do that -- it compiles everything with -fPIE and links with -pie.
Comment 4 David Kredba 2014-03-20 05:44:25 UTC
The problem for me is that I want to use LTO. But I do not want -fPIE system-wide, which would be impossible. So I do not have -fPIE in CFLAGS or in LDFLAGS.

Openssh configure is nice and does:

checking if x86_64-pc-linux-gnu-gcc supports compile flag -fPIE... yes
checking if x86_64-pc-linux-gnu-gcc supports link flag -pie... yes
checking whether both -fPIE and -pie are supported... yes

and then it forces -fPIE to compilation but not to link time.

Example, -fPIE is in use:

x86_64-pc-linux-gnu-gcc -flto=4 -fuse-linker-plugin -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing  -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE  -I. -I.  -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib64/misc/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib64/misc/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib64/misc/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib64/misc/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sftp-glob.c

And here it is not:

x86_64-pc-linux-gnu-gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat  -lssl -lcrypto  -ldl -lutil -lz -lnsl  -lcrypt -lresolv -lpthread 
x86_64-pc-linux-gnu-gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat -lwrap -lpam -lssl -lcrypto  -ldl -lutil -lz -lnsl  -lcrypt -lresolv -lpthread  
x86_64-pc-linux-gnu-gcc -o ssh-add ssh-add.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat -lssl -lcrypto  -ldl -lutil -lz -lnsl  -lcrypt -lresolv -lpthread
x86_64-pc-linux-gnu-gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat -lssl -lcrypto  -ldl -lutil -lz -lnsl  -lcrypt -lresolv -lpthread
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0-alpha20140317/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/net-misc/openssh-6.6_p1/temp/ccBEpZqG.ltrans1.ltrans.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/var/tmp/portage/net-misc/openssh-6.6_p1/temp/ccBEpZqG.ltrans1.ltrans.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status

So I have to add it to LDFLAGS by hand.

I was thinking that it would be nice if the ebuild could do it for me and add -fPIE to the link command if LTO is detected.

Thank you.
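
The mismatch described in comment 4 (LTO link steps that pass -pie but no -fPIE) can be found mechanically in a build log. This is an added example, not part of the original report or the ebuild; the function names are hypothetical and the sample log is constructed from shortened versions of the command lines above.

```python
import shlex

PIC_FLAGS = {"-fPIE", "-fpie", "-fPIC", "-fpic"}

def gcc_args(line):
    """Split one build-log line into argv if it is a gcc invocation, else None."""
    try:
        args = shlex.split(line)
    except ValueError:          # e.g. ld diagnostics with unbalanced quotes
        return None
    return args if args and args[0].endswith("gcc") else None

def lto_pie_link_mismatches(log):
    """Return outputs of link steps that use -flto and -pie but no PIC/PIE codegen flag."""
    flagged = []
    for line in log.splitlines():
        args = gcc_args(line)
        if not args or "-c" in args or "-o" not in args:
            continue            # not a link step
        uses_lto = any(a == "-flto" or a.startswith("-flto=") for a in args)
        if uses_lto and "-pie" in args and not PIC_FLAGS.intersection(args):
            flagged.append(args[args.index("-o") + 1])
    return flagged

# Constructed sample: command lines shortened from the ones in comment 4, plus
# one link line with -fPIE added the way the reporter describes doing via LDFLAGS.
SAMPLE_LOG = """\
x86_64-pc-linux-gnu-gcc -flto=4 -fuse-linker-plugin -O2 -fstack-protector-strong -fPIE -I. -DHAVE_CONFIG_H -c sftp-glob.c
x86_64-pc-linux-gnu-gcc -o ssh ssh.o readconf.o -L. -flto=4 -fuse-linker-plugin -Wl,-z,relro -Wl,-z,now -pie -lssh -lcrypto
x86_64-pc-linux-gnu-gcc -o ssh-keygen ssh-keygen.o -L. -flto=4 -fuse-linker-plugin -Wl,-flto -pie -lssh -lcrypto
x86_64-pc-linux-gnu-gcc -o sshd sshd.o auth.o -L. -flto=4 -fuse-linker-plugin -fPIE -Wl,-z,relro -pie -lssh -lcrypto
ld: ccBEpZqG.ltrans1.ltrans.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
"""

if __name__ == "__main__":
    for out in lto_pie_link_mismatches(SAMPLE_LOG):
        print(f"{out}: LTO link with -pie but without -fPIE")
```
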
Comment 5 SpanKY gentoo-dev 2014-03-20 19:22:07 UTC
(In reply to David Kredba from comment #4)

again, i think you read the comment in the upstream report wrong.  they didn't say "you need to always use -fPIE when linking", they said "in the command you posted where you attempted to *compile and link in one command*, you need to use -fPIE".

it is not impossible to do system-wide PIE support ... we already do this w/the hardened project.
Comment 6 David Kredba 2014-03-26 14:45:48 UTC
Thank you.
You are right that they said this.

And I only said that I do not want -fpie system wide (and was wrong that it is impossible). So I asked if the maintainer can think about including it in the build logic or not.

My "solution" is to have opennsh.conf file in /etc/portage/env.d and enable its usage in portage.env file.
Comment 7 SpanKY gentoo-dev 2014-03-27 04:11:07 UTC
the current openssh logic for PIE isn't optional.  we probably should put it behind USE=pie (but default it to on).
Comment 8 SpanKY gentoo-dev 2014-11-15 20:14:01 UTC
should be all set now in the tree; thanks for the report!

Commit message: Add USE=pie to control building sshd as a PIE
http://sources.gentoo.org/net-misc/openssh/openssh-6.6.1_p1-r4.ebuild?r1=1.1&r2=1.2
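
With PIE for sshd now a USE-controlled choice, the installed binary is worth checking directly. The following is an added example, not code from the ebuild or from OpenSSH: it classifies a 64-bit little-endian ELF file from its header, program headers and DT_FLAGS_1 entry. The function names are hypothetical and `sample_elf` builds constructed test images.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP = 2, 3, 2, 3
DT_NULL, DT_FLAGS_1, DF_1_PIE = 0, 0x6FFFFFFB, 0x08000000

def pie_status(elf):
    """Classify a 64-bit little-endian ELF image: 'pie', 'non-pie' or 'shared-object'."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    if e_type == ET_EXEC:
        return "non-pie"              # linked for a fixed load address
    if e_type != ET_DYN:
        raise ValueError("not an executable or shared object")
    has_interp = flagged_pie = False
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:    # walk Elf64_Dyn entries (16 bytes each)
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS_1 and val & DF_1_PIE:
                    flagged_pie = True
    # Heuristic: linkers that do not set DF_1_PIE leave only PT_INTERP as a hint.
    return "pie" if has_interp or flagged_pie else "shared-object"

def sample_elf(e_type, phdrs=(), dyn=()):
    """Constructed test image: ELF64 header, program headers, dynamic entries."""
    dyn_off = 64 + 56 * len(phdrs)
    body = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type, 62, 1,
                      0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    ph = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, len(body), len(body), 8)
                  for t in phdrs)
    return hdr + ph + body

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:         # e.g. the installed sshd binary
        with open(path, "rb") as f:
            print(path, pie_status(f.read()))
```
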