Comment 1 Anthony Basile 2014-10-31 00:20:32 UTC

(In reply to Ulrich Müller from comment #0)
> I have the following in an ebuild:
> 
>     filter-flags -pie
>     strip-flags
> 
> Now on a hardened system, filter-flags will append the -nopie flag (via the
> _filter-hardened function), but the subsequent strip-flags will remove it
> again. So, should -nopie be added to ALLOWED_FLAGS? Both -fno-PIE and
> -fno-pie are already there.
> 
> (Not sure if this qualifies as a bug. At least, the eclass documentation
> doesn't seem to require any particular calling order of functions.)


Ulrich, I'm not 100% sure what you're worried about there --- I was going to give you an analysis of the bash for strip-flags but you probably can read it better than I can!  Anyhow, adding -nopie to ALLOWED_FLAGS should do what you want.

Comment 2 Ulrich Müller 2014-10-31 08:12:58 UTC

(In reply to Anthony Basile from comment #1)
> Ulrich, I'm not 100% sure what you're worried about there ---

About calling order: strip-flags followed by filter-flags works, but the other way around it doesn't work. Which I think is surprising behaviour.

> [...]
> Anyhow, adding -nopie to ALLOWED_FLAGS should do what you want.

Ack.

Comment 3 SpanKY 2014-11-01 03:45:55 UTC

if we allow -fno-PIE, there's no reason to not also allow -nopie

http://sources.gentoo.org/eclass/flag-o-matic.eclass?r1=1.202&r2=1.203

Comment 4 Anthony Basile 2014-11-01 15:32:55 UTC

(In reply to Ulrich Müller from comment #2)
> (In reply to Anthony Basile from comment #1)
> > Ulrich, I'm not 100% sure what you're worried about there ---
> 
> About calling order: strip-flags followed by filter-flags works, but the
> other way around it doesn't work. Which I think is surprising behaviour.
> 

Oh I see, the calling order is an issue.


> > [...]
> > Anyhow, adding -nopie to ALLOWED_FLAGS should do what you want.
> 
> Ack.