Bug 910673 - [guru] net-p2p/dogecoin-qt-1.14.6 overwrites CFLAGS/CXXFLAGS or adds uncommon ones
Status: RESOLVED FIXED
Alias: None
Product: GURU
Classification: Unclassified
Component: Package issues (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Victor Skovorodnikov
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: qa-guru
Reported: 2023-07-22 07:26 UTC by Agostino Sarubbo
Modified: 2023-08-20 21:44 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (build.log,448.01 KB, text/plain)
2023-07-22 07:26 UTC, Agostino Sarubbo
Sample build log with hardened flags stripped. (net-p2p:dogecoin-qt-1.14.6:20230724-170318.log,369.29 KB, application/octet-stream)
2023-07-24 20:10 UTC, Victor Skovorodnikov
Build logs for pie and ssp test cases (test_cases.tar.gz,100.50 KB, application/x-gzip)
2023-07-25 23:21 UTC, Victor Skovorodnikov

Description Agostino Sarubbo gentoo-dev 2023-07-22 07:26:01 UTC
https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/

Issue: net-p2p/dogecoin-qt-1.14.6 overwrites CFLAGS/CXXFLAGS or adds uncommon ones.
Discovered on: amd64 (internal ref: guru_ci)

NOTE:
This QA check is tinderbox-only; there is a list of the flags that should be dropped out. If you think it is a false positive, please let me know.
Comment 1 Agostino Sarubbo gentoo-dev 2023-07-22 07:26:03 UTC
Created attachment 865918 [details]
build.log

build log and emerge --info
Comment 2 Victor Skovorodnikov 2023-07-22 16:39:43 UTC
Hi,

> * Tinderbox QA Notice: This package seems to overwrite CFLAGS/CXXFLAGS or add uncommon ones:
> *   The following flags (probably added by the build system) should be stripped out
> * 
> *   1) -D_FORTIFY_SOURCE=2
> *   2) -U_FORTIFY_SOURCE
> *   3) -fstack-protector-all
> *   4) -fPIE

Unfortunately (or fortunately) these flags are part of the build/configuration process and are likely there for a good reason.  I am a bit cautious to tinker with these flags without more detailed analysis of the impact their removal may have on the package once its built.  I can definitely modify anything in the ebuild, as, for example, with Bug 910255, or add confirmed patches, but it will take some time for me to analyze the issue surrounding the reported flags.
Thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2023-07-23 07:16:13 UTC
Basically, the issue is that the user can't build without those flags.
Comment 4 Victor Skovorodnikov 2023-07-23 16:16:23 UTC
Hi,

Some additional observations.  I believe these are hardened flags, meant to enhance security, such as, for example, the '-fstack-protector-all' GCC option: https://manpages.org/gcc.  Even if the user could compile without these flags, I think the software requires these flags for better security, stability and performance at runtime.

As I understand, these flags are enabled by default in Gentoo's Hardened profile. https://wiki.gentoo.org/wiki/Hardened/FAQ#What_exactly_is_the_.22toolchain.22.3F
but are not enabled otherwise and so, as I understand it, the software needs to specify these flags to enable hardened features.   

Thanks,
Victor.
Comment 5 Agostino Sarubbo gentoo-dev 2023-07-23 18:03:36 UTC
(In reply to Victor Skovorodnikov from comment #4)
> Hi,
> 
> Some additional observations.  I believe these are hardened flags, meant to
> enhance security as, for example, '-fstack-protector-all' GCC option:
> https://manpages.org/gcc.  Even if the user could compile without these
> flags, I think the software requires these flags for better security,
> stability and performance at runtime. 
> 
> As I understand, these flags are enabled by default in Gentoo's Hardened
> profile.
> https://wiki.gentoo.org/wiki/Hardened/FAQ#What_exactly_is_the_.22toolchain.
> 22.3F
> but are not enabled otherwise and so, as I understand it, the software needs
> to specify these flags to enable hardened features.   
> 
> Thanks,
> Victor.

Hardening flags do not add performance but slowness.

I don't believe the software needs to specify these flags. They were enabled to enhance security, but users can't make their choices. Imagine an embedded device where these flags add slowness.
Comment 6 Victor Skovorodnikov 2023-07-23 18:27:44 UTC
> Hardening flags do not add performance but slowness.
>
> I don't believe the software needs to specify these flags. They were enabled to
> enhance security, but users can't make their choices. Imagine an embedded
> device where these flags add slowness.

Thank you for your feedback.  If there is any performance penalty due to hardened security enhancements, I think it's well compensated by the optional avx2 CPU flags and an upcoming sse2 option in version 1.14.7.  Security is of paramount importance for this software category, and rightly so.
Comment 7 Victor Skovorodnikov 2023-07-23 19:26:36 UTC
Hi,

Quick note: I checked configure options and there is a '--disable-hardening' executables option.  If it's there, I presume it's optional but enabled by default.  

If I implement "harden" USE flag, enabled by default but with an option to disable, will this resolve this issue?

Thanks,
Victor.
Comment 8 Agostino Sarubbo gentoo-dev 2023-07-24 06:42:01 UTC
In similar cases they are controlled by USE pie/ssp.
Comment 9 Victor Skovorodnikov 2023-07-24 20:10:09 UTC
Created attachment 866172 [details]
Sample build log with hardened flags stripped.

Hi,

Please find attached sample build log with stripped hardened build flags when 'pie' option is not used.  I've implemented 'pie' USE flag so if the 'pie' option is not selected, then hardened build flags will not be used.  This change is in the following commits:

https://github.com/gentoo/guru/commit/6fa8a2134f9538c088f813f01d9233fa8b43e814
https://github.com/gentoo/guru/commit/e8df3b3a4d48627266d3a30f503f696f87597b61
(here I re-added 'tests' option because I used VI to edit ebuild and accidentally removed a line above ;))

Kindly advise if these changes fix the issue.

Thank you,
Victor.
Comment 10 Agostino Sarubbo gentoo-dev 2023-07-25 08:09:34 UTC
(In reply to Victor Skovorodnikov from comment #9)
> Created attachment 866172 [details]
> Sample build log with hardened flags stripped.
> 
> Hi,
> 
> Please find attached sample build log with stripped hardened build flags
> when 'pie' option is not used.  I've implemented 'pie' USE flag so if the
> 'pie' option is not selected, then hardened build flags will not be used. 
> This change is in the following commits:
> 
> https://github.com/gentoo/guru/commit/
> 6fa8a2134f9538c088f813f01d9233fa8b43e814
> https://github.com/gentoo/guru/commit/
> e8df3b3a4d48627266d3a30f503f696f87597b61
> (here I re-added 'tests' option because I used VI to edit ebuild and
> accidentally removed a line above ;))
> 
> Kindly advise if these changes fix the issue.
> 
> Thank you,
> Victor.

Hello Victor,

You are on the right track, but USE="pie" should control only -fPIE, while USE="ssp" should control -fstack-protector-all.
*FORTIFY_SOURCE* should be completely dropped.
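The split Agostino asks for above (USE="pie" for -fPIE, USE="ssp" for -fstack-protector-all, FORTIFY_SOURCE dropped entirely) and the tinderbox's "uncommon flags" check from comment 2 can be modelled in plain shell. The block below is an added example, not the GURU ebuild's code and not the tinderbox's own script. It assumes that '--disable-hardening' (the configure switch mentioned in comment 7) is the only configure option involved, that the compile-line flags are re-added via CFLAGS/LDFLAGS, and that '-pie' is passed at link time alongside '-fPIE', since -fPIE on its own only produces position-independent objects, not a PIE executable. The build-log excerpt is constructed for the example.

```shell
#!/bin/sh
# Added example (not the GURU ebuild's code, not the tinderbox's QA script):
#  (1) hardening_flags  - map USE="pie"/USE="ssp" to the configure argument and
#                         the extra CFLAGS/LDFLAGS an ebuild would pass;
#  (2) qa_scan_log      - scan a build log for flags the build system injected
#                         that the user did not put in CFLAGS.
# Assumptions: '--disable-hardening' is the only configure switch used, and
# '-pie' is added beside '-fPIE' so the result is really a PIE executable.

# The four flags the tinderbox reported in this bug (comment 2).
QA_FLAGS='-D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -fstack-protector-all -fPIE'

# hardening_flags "USE list"
#   Prints three lines: configure:<arg>, cflags:<additions>, ldflags:<additions>.
#   Upstream hardening is always switched off so user CFLAGS are never
#   overridden; the USE flags opt back in granularly. FORTIFY_SOURCE is never
#   emitted.
hardening_flags() {
    use=" $1 "
    cflags=''
    ldflags=''
    case "$use" in *' pie '*) cflags="$cflags -fPIE"; ldflags="$ldflags -pie" ;; esac
    case "$use" in *' ssp '*) cflags="$cflags -fstack-protector-all" ;; esac
    printf 'configure:%s\ncflags:%s\nldflags:%s\n' \
        '--disable-hardening' "${cflags# }" "${ldflags# }"
}

# qa_scan_log LOGFILE "user CFLAGS"
#   Reports, in QA_FLAGS order, every watched flag that appears on a compiler
#   invocation line of LOGFILE but is absent from the user's own CFLAGS.
#   Only lines that invoke gcc/g++/cc/c++/clang/clang++ are examined, so a
#   flag that merely shows up in configure output does not trigger a report.
qa_scan_log() {
    log="$1"
    user=" $2 "
    found=''
    for flag in $QA_FLAGS; do
        case "$user" in *" $flag "*) continue ;; esac   # the user chose it
        if grep -E '(^|[[:space:]/])(gcc|g\+\+|cc|c\+\+|clang|clang\+\+)[[:space:]]' "$log" \
             | grep -qE -- "(^|[[:space:]])$flag([[:space:]]|\$)"; then
            found="$found $flag"
        fi
    done
    printf '%s\n' "${found# }"
}

# make_sample_log
#   Writes a constructed build-log excerpt (not a real dogecoin-qt log) to a
#   temp file and prints its path. The compile lines mimic what comment 2
#   reported; the first line is configure noise that must not be flagged.
make_sample_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
checking whether C compiler accepts -fstack-protector-all... yes
g++ -DHAVE_CONFIG_H -I. -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE -O2 -pipe -c src/init.cpp -o src/init.o
gcc -DHAVE_CONFIG_H -I. -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE -O2 -pipe -c src/secp256k1.c -o src/secp256k1.o
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone run: what a default build injects, and the USE-flag mapping.
log=$(make_sample_log)
echo "flags added by the build system (user CFLAGS: -O2 -pipe):"
qa_scan_log "$log" '-O2 -pipe'
echo 'USE="pie ssp" mapping:'
hardening_flags 'pie ssp'
rm -f "$log"
```

Two caveats worth keeping in mind when reviewing the resulting binaries. First, on a default Gentoo toolchain the loss of these command-line flags does not weaken a default build: Gentoo's GCC already defaults to PIE and -fstack-protector-strong and sets _FORTIFY_SOURCE=2 through its specs, so stripping them from the ebuild only restores the user's ability to opt out (or to pick -fstack-protector-all via USE="ssp"). Second, verify rather than assume: `readelf -h` on the installed binary should report `Type: DYN` for a PIE build, and `readelf -s` should show an undefined `__stack_chk_fail` when the stack protector is in effect.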
Comment 11 Victor Skovorodnikov 2023-07-25 23:21:58 UTC
Created attachment 866284 [details]
Build logs for pie and ssp test cases

> you are on the right way, but USE="pie" should control only -fPIE while
> USE="ssp" should control -fstack-protector-all.
> *FORTIFY_SOURCE* should be completely dropped
Hi,

I have made a new commit for the above requirements: 

https://github.com/gentoo/guru/commit/0f246a2c5449e2345bd82436a3c8b273504ce56a
Please find attached build logs for test cases with 'pie' and 'ssp' USE flags turned on/off in 4 different scenarios.

As requested:
- FORTIFY_SOURCE is never used.
- 'pie' and 'ssp' granularly control -fPIE and -fstack-protector-all options, depending on user selection.

Please let me know if this meets the required criteria.

Thank you,
Victor.