Bug 669410 - sys-libs/glibc: misleading "PIE hardening not applied..." warning when building cross-glibc
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal normal
Assignee: Gentoo Toolchain Maintainers
 
Reported: 2018-10-23 16:25 UTC by Alexander Tsoy
Modified: 2018-10-24 21:47 UTC


Attachments
glibc-2.27-r6:20181023-154813.log.gz (17.35 KB, application/gzip)
2018-10-23 16:26 UTC, Alexander Tsoy

Description Alexander Tsoy 2018-10-23 16:25:28 UTC
When building cross-glibc, sanity_prechecks() is called with build host CFLAGS, resulting in a failure of tc-enables-pie() and a warning message: "PIE hardening not applied, as your compiler doesn't default to PIE".

Part of the debug log:

...
++ armv7a-unknown-linux-gnueabihf-gcc -E -O2 -march=bdver2 -mtune=bdver2 -mno-tbm -mno-fma4 -mno-xop -mno-lwp -pipe -P -
+ local RESULT=
+ [[ '' == true ]]
+ ewarn 'PIE hardening not applied, as your compiler doesn'\''t default to PIE'
...


$ sudo emerge -1av cross-armv7a-unknown-linux-gnueabihf/glibc

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] cross-armv7a-unknown-linux-gnueabihf/glibc-2.27-r6:2.2::crossdev  USE="caps hardened multiarch -audit -compile-locales -doc -gd -headers-only -multilib -nscd (-profile) (-selinux) -suid -systemtap -vanilla" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No] y

>>> Verifying ebuild manifests
>>> Running pre-merge checks for cross-armv7a-unknown-linux-gnueabihf/glibc-2.27-r6
 * Checking general environment sanity.
 * PIE hardening not applied, as your compiler doesn't default to PIE
 * Checking gcc for __thread support ...                                                                                                                                                                                               [ ok ]
 * Checking linux-headers version (4.13.0 >= 3.2.0) ...                                                                                                                                                                                [ ok ]

>>> Emerging (1 of 1) cross-armv7a-unknown-linux-gnueabihf/glibc-2.27-r6::crossdev
 * glibc-2.27.tar.xz BLAKE2B SHA512 size ;-) ...                                                                                                                                                                                       [ ok ]
 * glibc-2.27-patches-3.tar.bz2 BLAKE2B SHA512 size ;-) ...                                                                                                                                                                            [ ok ]
>>> Unpacking source...
 * PIE hardening not applied, as your compiler doesn't default to PIE
 * Checking gcc for __thread support ...                                                                                                                                                                                               [ ok ]
 * Checking linux-headers version (4.13.0 >= 3.2.0) ...                                                                                                                                                                                [ ok ]
 *   Manual CFLAGS:   -O2 -march=core2 -mtune=core2 -pipe
 *       Manual CC:   armv7a-unknown-linux-gnueabihf-gcc



$ emerge --info cross-armv7a-unknown-linux-gnueabihf/glibc 
Portage 2.3.49 (python 3.6.5-final-0, default/linux/amd64/17.1/hardened, gcc-7.3.0, glibc-2.27-r6, 4.14.78-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.14.78-gentoo-x86_64-AMD_Opteron-tm-_Processor_4332_HE-with-gentoo-2.4.1
KiB Mem:    32986652 total,   2256384 free
KiB Swap:   16777212 total,  16777212 free
Timestamp of repository gentoo: Tue, 23 Oct 2018 06:30:01 +0000
Head commit of repository gentoo: f717474a782311cf1c0632cf1692989e44bdd8e4
Head commit of repository puleglot: 2ffcb2c8d17b3892dcd6d4939146c839f78a5d9f

sh dash 0.5.9.1-r3
ld GNU ld (Gentoo 2.30 p5) 2.30.0
distcc 3.2rc1 x86_64-pc-linux-gnu [disabled]
app-shells/bash:          4.4_p12::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.24.3-r1::gentoo
dev-lang/python:          2.7.15::gentoo, 3.6.5::gentoo
dev-util/cmake:           3.9.6::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.11.6-r3::gentoo, 1.15.1-r2::gentoo
sys-devel/binutils:       2.30-r4::gentoo
sys-devel/gcc:            7.3.0-r5::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.13::gentoo (virtual/os-headers)
sys-libs/glibc:           2.27-r6::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://puleglot.ru/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 4

crossdev
    location: /var/db/repos/crossdev
    masters: gentoo
    priority: 100

puleglot
    location: /var/db/repos/puleglot
    sync-type: git
    sync-uri: https://puleglot.ru/git/gentoo/puleglot-overlay.git
    masters: gentoo
    priority: 900

local
    location: /usr/local/portage
    masters: gentoo
    priority: 1000

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=bdver2 -mtune=bdver2 -mno-tbm -mno-fma4 -mno-xop -mno-lwp -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=bdver2 -mtune=bdver2 -mno-tbm -mno-fma4 -mno-xop -mno-lwp -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--dynamic-deps=n --with-bdeps=y --binpkg-respect-use=y --ask-enter-invalid"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildsyspkg cgroup compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned sandbox sfperms split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/ http://distfiles.gentoo.org/"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j6"
PKGDIR="/var/cache/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X aac acl acpi aio alsa amd64 amr ape asyncns avahi bash-completion berkdb bluetooth bluray branding bzip2 cairo caps cdda cddb cdparanoia cdr cli colord crypt cryptsetup cups cxx dbus dconf device-mapper djvu dri dts dvd dvdr eds egl evo examples exif faac faad ffmpeg flac fontconfig fuse gdbm gif gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk gtk3 hardened iconv icu idn ieee1394 introspection ipv6 jpeg jpeg2k lcms libass libnotify libsecret libtirpc lz4 lzma mac maildir mms mp3 mp4 multilib musepack musicbrainz nautilus ncurses networkmanager nls nptl ogg opengl openmp opus pam pcre perl pie png policykit postscript pulseaudio python raw readline samba sasl seccomp speex spell ssl ssp startup-notification svg systemd theora tiff tls truetype udev unicode upnp-av urandom usb vaapi vdpau vim-syntax vorbis vpx wavpack webp x264 xattr xfs xtpax xv xvid xz zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="karbon plan sheets stage words" CAMERAS="*" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 ssse3 sse4_1 sse4_2 avx fma3 aes f16c" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 
sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="evdev libinput" KERNEL="linux" L10N="en ru" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-1" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" QEMU_SOFTMMU_TARGETS="aarch64 arm i386 mips mips64 mips64el mipsel x86_64" QEMU_USER_TARGETS="aarch64 arm" RUBY_TARGETS="ruby23" USERLAND="GNU" VIDEO_CARDS="amdgpu radeon radeonsi vesa mga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

cross-armv7a-unknown-linux-gnueabihf/glibc-2.27-r6::crossdev was built with the following:
USE="caps hardened multiarch -audit -compile-locales -doc -gd -headers-only -multilib -nscd (-profile) (-selinux) -suid -systemtap -vanilla" ABI_X86="(64)"
CFLAGS="-pipe -O2 -fno-strict-aliasing"
CXXFLAGS="-pipe -O2 -fno-strict-aliasing"
Comment 1 Alexander Tsoy 2018-10-23 16:26:48 UTC
Created attachment 552516
glibc-2.27-r6:20181023-154813.log.gz

Debug log of the pkg_pretend phase
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-24 18:53:28 UTC
I don't think it's misleading. setup_flags() has the following code:

    if [[ $(gcc-major-version) -lt 6 ]]; then
        if use hardened && tc-enables-pie ; then
            append-cppflags -DPIC
        else
            filter-flags -fPIE
        fi
    fi
Comment 3 Alexander Tsoy 2018-10-24 20:39:45 UTC
(In reply to Sergei Trofimovich from comment #2)
> I don't think it's misleading. setup_flags() has the following code:
> 
>     if [[ $(gcc-major-version) -lt 6 ]]; then
>         if use hardened && tc-enables-pie ; then
>             append-cppflags -DPIC
>         else
>             filter-flags -fPIE
>         fi
>     fi

And tc-enables-pie() returns 0 here, apparently because it is called after strip-unsupported-flags(). Or am I missing the purpose of the warning?
Comment 4 Larry the Git Cow gentoo-dev 2018-10-24 21:41:46 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbda286a2f7c63bf8075cb999e64c26835530c68

commit cbda286a2f7c63bf8075cb999e64c26835530c68
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-10-24 21:41:26 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-10-24 21:41:39 +0000

    sys-libs/glibc: drop PIE ewarn
    
    The ewarn lacks '<gcc-6' guard. Let's drop ewarn completely.
    
    Reported-by: Alexander Tsoy
    Closes: https://bugs.gentoo.org/669410
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 sys-libs/glibc/glibc-2.19-r2.ebuild | 5 +----
 sys-libs/glibc/glibc-2.26-r7.ebuild | 5 +----
 sys-libs/glibc/glibc-2.27-r6.ebuild | 3 ---
 sys-libs/glibc/glibc-2.28-r1.ebuild | 3 ---
 sys-libs/glibc/glibc-2.28.ebuild    | 5 +----
 sys-libs/glibc/glibc-9999.ebuild    | 3 ---
 6 files changed, 3 insertions(+), 21 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c74db48acaf558d7f98f0e189e4aa6e50e640970

commit c74db48acaf558d7f98f0e189e4aa6e50e640970
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-10-24 21:38:12 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-10-24 21:41:38 +0000

    toolchain-glibc.eclass: drop PIE ewarn
    
    The ewarn lacks '<gcc-6' guard. Let's drop ewarn completely.
    
    Reported-by: Alexander Tsoy
    Bug: https://bugs.gentoo.org/669410
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 eclass/toolchain-glibc.eclass | 3 ---
 1 file changed, 3 deletions(-)
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-24 21:47:36 UTC
(In reply to Alexander Tsoy from comment #3)
> (In reply to Sergei Trofimovich from comment #2)
> > I don't think it's misleading. setup_flags() has the following code:
> > 
> >     if [[ $(gcc-major-version) -lt 6 ]]; then
> >         if use hardened && tc-enables-pie ; then
> >             append-cppflags -DPIC
> >         else
> >             filter-flags -fPIE
> >         fi
> >     fi
> 
> And tc-enables-pie() returns 0 here, apparently because it is called after
> strip-unsupported-flags(). Or am I missing the purpose of the warning?

I don't think this warning was ever working for the cross/glibc package. The meaning of CC is very skewed there. One day we'll get rid of it (https://bugs.gentoo.org/642604#c6).

For the native case, apart from the missing '$(gcc-major-version) -lt 6' guard, the warning used to provide some signal. Nowadays it's not very interesting.

I deleted it.

Thanks for the report!
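
The failure mode from the description, as an added example (not code from the ebuild, the eclass or anyone in this thread): a probe that reports a rejected command line separately from a compiler that really does not default to PIE. `probe_pie` and `make_stub` are hypothetical names, and the stub is a constructed stand-in for a cross gcc so the script runs without a cross toolchain.

```sh
#!/bin/sh
# Added example, not Gentoo code. probe_pie and make_stub are hypothetical names.

# probe_pie CC [FLAGS...] prints pie | no-pie | probe-failed
# (exit status 0 | 1 | 2). Same preprocessor probe shape as the debug log:
# CC -E FLAGS -P - on a snippet that emits "true" only if __PIE__ is predefined.
probe_pie() (
    cc=$1; shift
    if ! out=$(printf '#if defined(__PIE__)\ntrue\n#endif\n' |
                   "$cc" -E "$@" -P - 2>/dev/null); then
        # The compiler rejected the command line (or is missing): there is
        # no verdict about PIE at all, so do not report "no PIE".
        echo probe-failed; return 2
    fi
    case $out in
        *true*) echo pie ;;
        *)      echo no-pie; return 1 ;;
    esac
)

# make_stub PATH yes|no: write a constructed stand-in for a cross gcc that
# rejects x86-only -march values and predefines __PIE__ only when told to.
make_stub() {
    cat >"$1" <<EOF
#!/bin/sh
for a in "\$@"; do
    case \$a in -march=bdver2|-march=core2) echo "bad -march" >&2; exit 1 ;; esac
done
cat >/dev/null
[ "$2" = yes ] && echo true
exit 0
EOF
    chmod +x "$1"
}

demo_dir=$(mktemp -d)
make_stub "$demo_dir/cross-gcc" yes
# Build-host CFLAGS from the report, handed to the cross compiler:
probe_pie "$demo_dir/cross-gcc" -O2 -march=bdver2 -mtune=bdver2 -pipe || true  # probe-failed
# Flags the target compiler accepts:
probe_pie "$demo_dir/cross-gcc" -O2 -pipe || true                             # pie
rm -rf "$demo_dir"
```

A caller that warns about missing hardening should do so only on `no-pie`; `probe-failed` means the probe was invoked with flags or a compiler it cannot use.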