gcc on ppc doesn't recognize the -fno-stack-protector option. This appears both in the ghc-6.2.hardened.patch.bz2 patch as well as inserted into build.mk by the src_compile function.
Reproducible: Always
Steps to Reproduce:
1. ACCEPT_KEYWORDS="~ppc" emerge dev-lang/ghc
Actual Results: gcc reports an unrecognized option -fno-stack-protector.
I'll try and get this working. Once I have a working ebuild, I'll attach it.
Created attachment 37004: Fix ebuild to build for PPC.
I'm not sure if the modified hardened patch is needed. When I get more time, I'll test without it. With this change and the modified patch, I can build on PPC, and have built a few test programs with ghc.
Created attachment 37005: Modified "hardened" patch for ppc.
cc'ing hardened on this for advice.
Please cc ppc again when something needs testing.
I don't use ghc and I can't confirm this one for hardened. But why it would fail on ppc and not others baffles me.
I think ppc is fairly far behind in gcc, and it doesn't have the -fno-stack-protector option.
I can't test on ppc, although this change looks reasonable. mattam, you have committed ppc changes to ghc in the past. If it works for you, could you commit it? Thanks, ks
Not all ppc gcc's support -fstack-protector as you discovered, so we have to find out if the one used to build ghc does (and accepts -fno-stack-protector). Please tell us, David, if applying the patch I attach works (didn't touch the hardened things, so if it fails try to check if it's not their fault).
Created attachment 40366: Patch to apply in dev-lang/ghc
Doesn't touch the hardened patch, so you may have to modify the two scripts modified, although it's unlikely (the patch is not applied unless stack-protector options are accepted).
The patch fails to unpack:
tg4 ghc # ebuild ghc-6.2.1-r1.ebuild unpack
>>> md5 src_uri ;-) ghc-6.2.1-src.tar.bz2
>>> Unpacking source...
>>> Unpacking ghc-6.2.1-src.tar.bz2 to /var/tmp/portage/ghc-6.2.1-r1/work
/usr/sbin/ebuild.sh: line 76: has_spp: command not found
/usr/sbin/ebuild.sh: line 81: pushd: ghc/compiler/ghci: No such file or directory
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- Linker.orig.lhs 2004-06-15 10:06:03.955035728 +0200
|+++ Linker.lhs 2004-06-15 10:08:53.446269144 +0200
--------------------------
File to patch:
First, sorry, the line "cd ${S}" has to remain outside the 'if has_spp'. Second, sorry again, the 'has_spp' not found error may come from the fact that it's not exported by the flag-o-matic eclass (and my portage has no problems with that but not yours). I will attach a fixed patch in a minute.
Created attachment 40402: The new patch
Same thing, apply the patch on the original version, not the already patched one. It should get rid of all the previous errors. Don't forget to get the new hardened patch before anything else.
Created attachment 40403: Reworked hardened patch to allow dynamic setting of the -optc-f options.
The new hardened patch.
I've heard no complaints, and since it does seem to work for mattam and does not make things worse for me, I have included the changes into ghc-6.2.1-r1 and the new ghc-6.2.2 ... I'd be interested in feedback -- can we close this bug?
I'm perfectly fine with it now, you can close it.
I have a comment which might as well go to this PR rather than opening a new one: The use of the -fno-pic option has been discouraged by the hardened team because it does not only disable PIE building, but PIC building altogether. The correct way to disable the hardened features is:
-optc-nopie -optc-fno-stack-protector -optc-fno-stack-protector-all
Thought I should let you know, since I suggested the incorrect flags in the first place. :-)
Created attachment 42158: patch for ghc-6.2.2.ebuild
So -- using the example of ghc-6.2.2, you're proposing this patch to the ebuild? I'm currently testing it, and am willing to do it. Any reference to a place where what you just said is written down as a reference? ks
Be careful: The flag is "-nopie", not "-fno-pie". It strays from the usual naming scheme. You'll find it described here: http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedcflagsoff
Created attachment 42190: patch for ghc-6.2.2.ebuild (new)
Ok, thanks for the link. The wrong flag caused me to discover that mattam's flag-test-routine seems to work unreliably under certain circumstances. I rewrote it and now it seems to work fine -- at least for me. I am running another test, now using the attached patch for ghc-6.2.2. ks
I have committed the fix -- closing the bug, please test ... ks
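A compiler flag probe of the kind discussed in this thread, as an added example that is not the code from the attached patches or the committed ebuild: it test-compiles a trivial program with each hardening-off flag and emits only the accepted ones in GHC's -optc form. The function names are hypothetical, and treating an "unrecognized"/"unknown" diagnostic with a zero exit status as a rejection is an assumption about how some compiler drivers behave.

```shell
#!/bin/sh
# Added example: decide which hardening-off flags may go into the GHC build
# configuration by asking the compiler itself, instead of assuming support.

# cc_accepts_flag CC FLAG
# Returns 0 only if CC compiles a trivial program with FLAG and prints no
# "unrecognized"/"unknown" diagnostic (some drivers only warn and exit 0).
cc_accepts_flag() {
    _cc=$1
    _flag=$2
    _dir=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$_dir/probe.c"
    _rc=0
    # Capture stderr only; LC_ALL=C keeps the diagnostics in English.
    _err=$(LC_ALL=C "$_cc" "$_flag" -c "$_dir/probe.c" \
               -o "$_dir/probe.o" 2>&1 >/dev/null) || _rc=$?
    case $_err in
        *unrecognized*|*unknown*) _rc=1 ;;
    esac
    rm -rf "$_dir"
    return "$_rc"
}

# ghc_optc_flags CC FLAG...
# Prints the accepted flags on one line, each prefixed with -optc.
ghc_optc_flags() {
    _cc=$1
    shift
    _out=
    for _f in "$@"; do
        if cc_accepts_flag "$_cc" "$_f"; then
            _out="${_out:+$_out }-optc$_f"
        fi
    done
    printf '%s\n' "$_out"
}

# Usage with the flags named in this thread:
#   ghc_optc_flags gcc -nopie -fno-stack-protector -fno-stack-protector-all
```

On a compiler without stack-protector support the stack-protector flags drop out of the result and the build proceeds with whatever remains.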