Gentoo Forums
Forum Index > Portage & Programming
Topic: Profile 17.0 (page 10 of 12)

mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
PostPosted: Tue Jan 02, 2018 7:33 am

dmpogo wrote:
The only job of a compiler, at the end, is to make code work; the compiler is a helper, it has little value on its own

For development, compilation is not the only point: the other important task is to warn if the code violates the standard, looks suspicious, or is written in a way that cannot produce good-quality assembler code. If the standard is sufficiently advanced (which is meanwhile the case for C and C++), the correct solution is always to fix the code. This was different several years ago, when a lot of important things had not been included in the standard, and so no working standard-compliant (and simultaneously fast) solution had been possible in some cases.
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1179
PostPosted: Tue Jan 02, 2018 8:27 am

Ok, I just updated the toolchain, and am now running an emerge @system. As I was led to believe it would be wise to update the static libraries, that is going to be my next course of action.

So that I can free up processor time and run stuff in between updates, my hope is to complete the rest of the changes more slowly. Like I said, I'm running emerge @system right now, and next comes updating the static libraries, but I am curious to know where that leaves all the rest of the previously built packages that used the old compiler tools, and whether this transition will be possible by just waiting for package upgrades to become available in the portage tree? I don't mind reinstalling just the packages that need it, but I don't see the point in updating the ones that just won't be using PIE at all, now or before.

Does that actually make any sense?
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
PostPosted: Tue Jan 02, 2018 8:35 am

LIsLinuxIsSogood wrote:
Does that actually make any sense?

Yes. If you do not want to have the benefit of the somewhat increased security immediately, it is completely safe to wait with recompilation until regular upgrades happen anyway (assuming that you have recompiled the toolchain and static libs once, as you wrote).
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1179
PostPosted: Tue Jan 02, 2018 8:39 am

Great... so my system will have the PIE updates within any application that has static libraries involved in it. What about any other static libraries on the disk/system that were installed from outside of the portage tree? Are those as well the same common set of instructions here, to replace those packages and libraries with a rebuild of the more security compliant gcc with position independent whatever....
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
PostPosted: Tue Jan 02, 2018 11:19 am

LIsLinuxIsSogood wrote:
What about any other static libraries on the disk/system that were installed from outside of portage tree?

You are in charge of them, meaning you need to rebuild them in order to get pie working with them, and with proper pie cflags given to them, which also means handling the patches they might need to build with pie.
Portage using pie with packages is not only gentoo having a toolchain with pie and giving the pie option to each package: devs are fixing the tree for packages that need patches to use pie (or disabling pie when it's not doable). All this is your task for packages not in the tree.
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1179
PostPosted: Wed Jan 03, 2018 6:36 am

While I get that this is generally going to be true for the situation that I'm asking about, maybe my question is better reworded to be asking about a good source for reading up on the process of improving the builds of packages on my system with the new toolchain. In other words, however the package maintainers that are working on it are doing it, since some of the reasons for building out of the portage tree for me include keeping multiple versions without the need for slots of certain applications like vlc media player, for which I have like 3 or 4 different binaries built. I'm just wondering, to cover the security concern for whatever the profile change is really about (eliminating the previous easily hacked libraries from the system, I suppose), what kind of information do the Gentoo developers source for the reason for changing over. Then I could read that and implement it on my system in the other ways I'm describing, such as with out-of-portage-tree package installations. If not, then the gentoo developers are pretty much telling me that I have to go find out for myself, and at that point whatever I find out could logically be more reason to not have PIE implemented as much as yes having it implemented.

What I understand about that is the build problems that will exist when trying to use the -pie and pie CFLAG settings. So that really can only impact the dependencies within Portage though. But if I go through the process as I want to convert the local out of tree builds into ebuilds in a local repo I will likely be faced with this as a problem, and so I'm trying to be getting ahead of the curve in terms of whether or not the profile change is designed to eliminate all non-positional independent environment for the code, or does that not really matter so long as the bulk of it is done in the more secure profile. Just a matter of opinion but if the reason for the profile change was to add this feature I would think the name of the profile should somehow reflect the change of feature, rather than just the number of the year in which it was done.

EDIT: I'd like to add a note to keep in mind I am not a production environment or system admin, just a user and therefore I have no issues with the handling of the issue however it is needed to satisfy whatever common setups exist out there among the other gentoo linux community. However personally, as someone else may have mentioned I don't like the idea of being forced to update the system. Especially this laptop I have, which I rely on for a lot of different purposes. My home desktop, seems like a straightforward thing and I will go ahead with the instructions as provided in the announcement for that.
nokilli
Apprentice
Joined: 25 Feb 2004
Posts: 196
PostPosted: Fri Jan 05, 2018 2:08 am

So I'm a good Gentoo citizen and I dutifully do the 17.0 thing and just as it completes and I'm set to revel in my oh-so-much-more-secure system I turn on the news and there's Spectre and Meltdown.

:::facepalm:::
_________________
Today is the first day of the rest of your Gentoo installation.
cloc3
Advocate
Joined: 13 Jan 2004
Posts: 4788
Location: http://www.gentoo-users.org/user/cloc3/
PostPosted: Fri Jan 05, 2018 3:26 am

mv wrote:
For the change no-pie-> pie (or vice versa), it is usually not necessary to rebuild all of @world:

The only thing which needs to be rebuilt (after you rebuilt gcc) are the static libraries. The following command should be sufficient for that:
Code:
emerge -1 /lib*/*.a /usr/lib*/*.a

Non-static libraries should have been built with PIC, anyway (which is the PIE replacement for libraries).

having a look in portage/profile, I have discovered these lines:
Code:

grep -rH PIC /var/gentoo-var/portage/profiles/
/var/gentoo-var/portage/profiles/arch/x86/package.use.force:# On x86 Chromium can be built in non-PIC mode, and this
...
/var/gentoo-var/portage/profiles/base/package.use.force:# Chromium builds in PIC mode on most arches anyway,
...
/var/gentoo-var/portage/profiles/use.local.desc:www-client/chromium:pic - Disable optimized assembly code that is not PIC friendly

that seems a little messy.
what really happens for chromium?
may the -pic flag make some trouble on x86 systems?
are we really sure everything should work fine on other archs?
_________________
vu vu vu
gentù
mi piaci tu
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
PostPosted: Fri Jan 05, 2018 8:51 am

nokilli wrote:
in my oh-so-much-more-secure system

Nobody claimed that with pie your system is absolutely secure. Like all security mechanisms, it secures your system against a certain type of attack. In this case the protection is against a large class of arbitrary code execution attacks (and some others).
Quote:
Spectre and Meltdown.

These are privilege escalation attacks. On systems where you can trust the users (e.g. on your home desktop) these are only an issue if the attacker additionally has a possibility to execute arbitrary code. Recall that pie helps to protect against the latter. So actually, upgrading to 17.0 (if you recompiled everything) might already have saved you from an exploit of Spectre or Meltdown. On multiuser systems (where users are not necessarily trusted but must be admitted to execute arbitrary code) the situation is different, of course.

Independent of that, if I understood correctly, you are already protected against Spectre and Meltdown if you use gentoo-sources-4.14.11 and have switched on the new CONFIG_PAGE_TABLE_ISOLATION.
saboya
Guru
Joined: 28 Nov 2006
Posts: 552
Location: Brazil
PostPosted: Fri Jan 05, 2018 12:56 pm

mv wrote:
Independent of that, if I understood correctly, you are already protected against Spectre and Meltdown if you use gentoo-sources-4.14.11 and have switched on the new CONFIG_PAGE_TABLE_ISOLATION.


AFAIK PTI is a fix for Meltdown, but not Spectre.
depontius
Advocate
Joined: 05 May 2004
Posts: 3509
PostPosted: Fri Jan 05, 2018 1:27 pm

From the way I understand it, AMD is not susceptible to Meltdown, so PTI isn't needed.

But practically anything with speculative execution is susceptible to Spectre; however, as of yet there is no kernel fix. But both Firefox and Chrome are intentionally degrading their high resolution timer capability to mitigate Spectre. For personal use, especially on Gentoo where we compile our own software, this will protect us from javascript, basically the biggest potential attack vector.
_________________
.sigs waste space and bandwidth
Havin_it
Veteran
Joined: 17 Jul 2005
Posts: 1247
Location: Edinburgh, UK
PostPosted: Fri Jan 05, 2018 1:32 pm

I decided to just bite the bullet and go along with the profile update as prescribed. Took a while to get started on the rebuilds, until I twigged that using distcc with a non-pie host was an (obvious, now I think of it) no-go. Thanks to the poster here who pointed this out :)

Was about 700/1060 thru the emerge -e world when it crapped out (due to me forgetting to download the oracle-jdk-bin into my distfiles - gah! - but this can also happen for reasons unrelated to one's own negligence).

On attempting to resume, I got the dreaded "Invalid resume list" message :(

For those who've not had the "pleasure", this wipes the resume list so you can't resume, so here is a tip in case anyone has it happen to them:

This failure will spit out a list of packages still to (not) be merged. If you're able in whatever terminal you're in (and the whole list fits in your scrollback buffer), copy the output into a text file: just all the lines that look like this:
Code:
 *   ('ebuild', '/', 'dev-java/oracle-jdk-bin-1.8.0.152-r1', 'merge')
 *   ('ebuild', '/', 'dev-java/oracle-jdk-bin-9.0.1', 'merge')
 *   ('ebuild', '/', 'dev-lang/ruby-2.5.0-r1', 'merge')
 *   ('ebuild', '/', 'dev-ruby/rubygems-2.7.4', 'merge')

(...and so forth)

Then filter the content to provide a list you can feed back into portage:
Code:
cat my-copied-list.txt | sed s/"\*.*\/', '"/=/ | sed s/"',.*"// > my-resume-list.txt

emerge -av1 `cat my-resume-list.txt`


Even if emerge still doesn't like this list, you at least have a copy of it which you can whittle away at with the usual portage-fu skillz and hopefully get as much of it merged as possible.

Hope this helps someone :)
fedeliallalinea
Administrator
Joined: 08 Mar 2003
Posts: 30911
Location: here
PostPosted: Fri Jan 05, 2018 1:36 pm

Or remember to add the --keep-going option to emerge.
Another solution is to use the command emerge -1 $(eix-installed-after -btF /usr/bin/gcc) (mv's solution), but it requires the eix package to be installed.
_________________
Questions are guaranteed in life; Answers aren't.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21631
PostPosted: Sat Jan 06, 2018 1:29 am

Havin_it wrote:
Code:
cat my-copied-list.txt | sed s/"\*.*\/', '"/=/ | sed s/"',.*"// > my-resume-list.txt
This can be condensed by omitting the Useless Use of Cat and by passing more than one option to a single sed.
Code:
# Untested, expressions are copied from original poster
sed -e s/"\*.*\/', '"/=/ -e s/"',.*"// < my-copied-list.txt > my-resume-list.txt
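The resume-list salvage that Havin_it and Hu discuss above, done in Python instead of sed. This is an added example, not code from either poster: it parses each `('ebuild', '/', 'cat/pkg-ver', 'merge')` line with the standard-library literal parser, so quoting inside the line cannot confuse a regular expression, and it drops entries that are not ebuild merges into the ROOT being resumed (binary packages and other roots would need different handling). The SAMPLE text is constructed to match the format shown in the thread, not captured from a real emerge run; `resume_atoms` and `resume_command` are names chosen here.

```python
"""Rebuild an emerge argument list from the tuples emerge prints on
"Invalid resume list". Added example; the SAMPLE text is constructed."""
import ast
import re
from typing import List

# Matches the Python-tuple literal emerge prints for each pending merge.
TUPLE_RE = re.compile(r"\(\s*'.*\)")

# Constructed sample of the failure output, modelled on the format in the thread.
SAMPLE = """\
 * Invalid resume list:
 *
 *   ('ebuild', '/', 'dev-java/oracle-jdk-bin-1.8.0.152-r1', 'merge')
 *   ('ebuild', '/', 'dev-java/oracle-jdk-bin-9.0.1', 'merge')
 *   ('binary', '/', 'app-misc/prebuilt-thing-1.0', 'merge')
 *   ('ebuild', '/mnt/chroot/', 'sys-apps/other-root-2', 'merge')
 *   ('ebuild', '/', 'dev-lang/ruby-2.5.0-r1', 'merge')
 *   ('ebuild', '/', 'dev-ruby/rubygems-2.7.4', 'merge')
"""


def resume_atoms(text: str, root: str = "/") -> List[str]:
    """Return '=cat/pkg-ver' atoms for every ebuild merge into `root`."""
    atoms = []
    for line in text.splitlines():
        m = TUPLE_RE.search(line)
        if not m:
            continue
        try:
            entry = ast.literal_eval(m.group(0))
        except (ValueError, SyntaxError):
            continue  # not a well-formed tuple literal: skip, don't guess
        if not (isinstance(entry, tuple) and len(entry) == 4):
            continue
        kind, entry_root, cpv, action = entry
        # Keep only from-source merges into the ROOT we are resuming.
        if kind != "ebuild" or entry_root != root or action != "merge":
            continue
        atoms.append("=" + cpv)
    return atoms


def resume_command(text: str, root: str = "/") -> str:
    """The emerge invocation to resume with; -1 keeps the atoms out of @world."""
    return "emerge -av1 " + " ".join(resume_atoms(text, root))


if __name__ == "__main__":
    import sys
    # Pipe the saved failure output in, or run without stdin to see the sample.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(resume_command(src))
```

Feed it the copied output (`python3 resume_list.py < my-copied-list.txt`) and it prints the `emerge -av1 =...` line; the =cpv atoms pin exactly the versions the interrupted run had planned, which is what you want when resuming a rebuild rather than a plain upgrade.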
Spargeltarzan
Guru
Joined: 23 Jul 2017
Posts: 317
PostPosted: Sat Jan 06, 2018 9:24 am

Does somebody know exactly what became merged into profile 17.0 and/or what may be in future become included as well?

Extract from Hardened-Docu, what all is covered by Hardened:
1) Enabling specific options in the toolchain (compiler, linker ...) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks.
2) Enabling PaX extensions in the Linux kernel, which offer additional protection measures like address space layout randomization and non-executable memory.
3) Enabling grSecurity extensions in the Linux kernel, including additional chroot restrictions, additional auditing, process restrictions, etc..
4) Enabling SELinux extensions in the Linux kernel, which offers a Mandatory Access Control system enhancing the standard Linux permission restrictions.
5) Enabling Integrity related technologies, such as Integrity Measurement Architecture, for making systems resilient against tampering

For 1) we have got PIE with profile 17.0, but what about "stack smashing protection" and "compile-time buffer checks"?
2) and 3) are dead at the moment unless using the old 4.9 kernel.
For 4) I believe it is recommended to change to a hardened profile.
Finally, what about 5) in profile 17.0?

Could I stay on profile 17.0 and activate more hardening features, probably by use flag "hardening"?
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
PostPosted: Sat Jan 06, 2018 10:23 am

Spargeltarzan wrote:
1) Enabling specific options in the toolchain (compiler, linker ...) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks.

gcc-6 has USE=ssp which AFAIK only implies -fstack-protector-strong.
hardened had even enabled -fstack-protector-all instead which IMHO was an inappropriate overkill: It causes a huge slowdown compared to -fstack-protector-strong with a security benefit only for artificially constructed code.

There is also -fstack-check=specific which unfortunately AFAIK is not enabled by USE=ssp (so it is a good idea to add this to your *FLAGS). I think that this is also auto-enabled by hardened gcc, but I am not sure.
Quote:
"compile-time buffer checks"

I don't know what this refers to; maybe -DFORTIFY_SOURCE=2. AFAIK, this is enabled in all non-ancient gcc versions anyway.
Quote:
SELinux

This must be answered by somebody else.
Quote:
5) Enabling Integrity related technologies, such as Integrity Measurement Architecture, for making systems resilient against tampering

Not sure what this refers to. The grsecurity/pax patch of the kernel contained several such things. But this would mean that it belongs to your points 3 or 4.
Some of these changes are finally upstreamed meanwhile.
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1179
PostPosted: Sat Jan 06, 2018 11:28 am

Thank you to mv for the instructions (in page 2 or 3 of the thread involving updates to static libraries)... The programming of Portage is truly remarkable that it can handle all that with such elegance.

Here's though where I think the announcement, and the use of emerge -e @world (as was suggested in the announcement), which will not be happening for me, is likely in general too much and not necessary, not to mention putting the processor and equipment under a lot of stress, which I can't say is good or bad, but if it isn't necessary then why do it??

The reason that the empty tree build of world set doesn't seem to make sense to me is because there are other ways to do this....LIKE WITH THE eix program as mentioned several times. Also, I don't see the point of really jumping into an empty tree build of the world set without first preparing for the worst (or else as others have pointed out to use the --keep-going option)

Of course the main thing that has to be done first is installing the toolchain, so I was wondering why there isn't a set in portage for this then? It would make so much more sense I think to have that, so that the instructions could be done so much more easily with

emerge -1 @toolchain
emerge -e @system
emerge -1 ...with whatever command to install the remaining packages either in world or selected sets for example

And actually what I'm really wondering is if the emptytree for system is even a bit overkill, since I just looked at it and it is going to be 216 packages on my desktop PC, which could probably take a long time!!!
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
PostPosted: Sat Jan 06, 2018 11:51 am

LIsLinuxIsSogood wrote:
emerge -1 @toolchain

You can write your own sets.
/etc/portage/sets/toolchain wrote:
@gcc-deps
sys-libs/timezone-data
sys-devel/binutils
sys-devel/binutils-config
sys-libs/binutils-libs
sys-devel/gcc
sys-devel/gcc-config
sys-kernel/linux-headers
sys-libs/glibc

/etc/portage/sets/gcc-deps wrote:
sys-libs/zlib
dev-libs/gmp
dev-libs/mpfr
dev-libs/mpc
dev-libs/isl

(The content will depend on the USE-flags you set for gcc.)
Quote:
216 packages on my desktop PC

On most of my desktops, the number is about 1500. But the main time for recompiling world is taken by a few dozen packages only (gcc, wine, gimp, chromium, libreoffice, rust, firefox, icedtea, ...)
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1179
PostPosted: Sat Jan 06, 2018 12:05 pm

EDIT: Oh also, my USE flags for gcc are as follows (this is what's enabled): cxx nls fortran nptl openmp pch sanitize ssp vtv pie (of course)

Quote:
(The content will depend on the USE-flags you set for gcc.)

In other words, there is no way to make the set be dynamic so that it changes with portage use flags, is there?

That's no big deal, and if need be probably just checking the use flag settings against the sets I would be creating every once in a while isn't going to hurt. Right?
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54236
Location: 56N 3W
PostPosted: Sat Jan 06, 2018 12:54 pm

LIsLinuxIsSogood,

Sets are simple lists. You can write a meta ebuild that accepts USE flags to get the functionality you suggest though.
Look at mate-1.18.ebuild as an example. It has some unconditional dependencies, followed by USE flag controlled groups.

Your own meta ebuilds go in your local overlay.

meta means it's an ebuild that calls other ebuilds, much like a set, but USE flags are allowed.
It's your ebuild, the naming is up to you.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
PostPosted: Sat Jan 06, 2018 1:44 pm

mv wrote:
There is also -fstack-check=specific which unfortunately AFAIK is not enabled by USE=ssp (so it is a good idea to add this to your *FLAGS). I think that this is also auto-enabled by hardened gcc, but I am not sure.

You should be aware of what Linus said about this: https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.91
Quote:
commit 20a0462fffafa1d549e93c16d5b9749ed5441e99
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri Dec 29 17:34:43 2017 -0800

kbuild: add '-fno-stack-check' to kernel build options

commit 3ce120b16cc548472f80cf8644f90eda958cf1b6 upstream.

It appears that hardened gentoo enables "-fstack-check" by default for
gcc.

That doesn't work _at_all_ for the kernel, because the kernel stack
doesn't act like a user stack at all: it's much smaller, and it doesn't
auto-expand on use. So the extra "probe one page below the stack" code
generated by -fstack-check just breaks the kernel in horrible ways,
causing infinite double faults etc.

[ I have to say, that the particular code gcc generates looks very
stupid even for user space where it works, but that's a separate
issue. ]

I'm not worried that it doesn't work in the kernel (even less now that the kernel disables it); still, his comment on the code generated by using it should be considered even when using fstack-check on code that is not the kernel.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
PostPosted: Sat Jan 06, 2018 6:19 pm

krinn wrote:
still his comment on the code generate by using it should be considered even when using fstack-check on code that is not the kernel.

It may be that it is stupid (whatever this means: it slows down? not a surprise...), but it protects against some attacks which had public attention because they were exploited not so long ago. (Actually, I already forgot in which occasion...). In userspace, it doesn't appear to break anything. As mentioned, hardened had enabled this since ages.
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
PostPosted: Sat Jan 06, 2018 8:27 pm

mv wrote:
It may be that it is stupid (whatever this means: it slows down? not a surprise...)

I'm not Linus, but I take it roughly as: the generated code didn't get the full attention it should have got.

Quote:
In userspace, it doesn't appear to break anything. As mentioned, hardened had enabled this since ages.

hardened has also enabled fstack-check on the kernel, and you can see by this commit how smart it was... so what; hardened guys couldn't fail?
the fact you have run it for ages doesn't prove you don't have a big hole or something nasty sleeping for ages in your code because of that.
it wouldn't be the first time a security hole was added by something that was made to protect you against them.

So, no, I have no idea precisely what Linus is speaking of, you'd better ask the gcc or hardened teams; but I point it out just because it may be worth asking them.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
PostPosted: Sun Jan 07, 2018 5:46 am

krinn wrote:
hardened has also enable fstack-check on kernel

I don't know. The grsecurity patches contained a lot. Maybe they had patched it out or maybe they had modified the stack handling completely. In any case, their code was different from what is now in gcc, so maybe this went smoother with the kernel's stack handling.
eddy89
Apprentice
Joined: 01 Feb 2006
Posts: 180
Location: /world/Italy/Torino
PostPosted: Mon Jan 08, 2018 7:41 pm

Hi all,
I'm sorry I did not read after page 5, so if someone already asked my question, well, sorry.

How do I check if my system(a single binary/library) is already compiled pie?
I ask this question mainly because:
Code:
gcc -v
Using built-in specs.
COLLECT_GCC=/usr/x86_64-pc-linux-gnu/gcc-bin/4.9.3/gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.3/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.9.3/work/gcc-4.9.3/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.9.3 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.9.3 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.9.3/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.9.3/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/4.9.3/python --enable-languages=c,c++,fortran --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo 4.9.3 p1.5, pie-0.6.4' --enable-libstdcxx-time --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --enable-multilib --with-multilib-list=m32,m64 --disable-altivec --disable-fixed-point --enable-targets=all --disable-libgcj --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --enable-vtable-verify --enable-libvtv --enable-lto --without-cloog --enable-libsanitizer
Thread model: posix
gcc version 4.9.3 (Gentoo 4.9.3 p1.5, pie-0.6.4)

I know, it's old and masked, but "pie-0.6.4", is the same pie we are talking about??
Is there a way to check single library?
Is it really a CFLAG? I diffed emerge --info from 13.0 to 17.0 and there are no variations. It's a default?
Can something like readelf get if a binary or a library is compiled with pie or not?

Does revdep-rebuild catch linking breakage caused by mixed pie/pic compiled libraries/binaries? (so if I check after every single package build/update I can re-emerge just the needed ones)

BTW:
mv wrote:
For the change no-pie-> pie (or vice versa), it is usually not necessary to rebuild all of @world:

The only thing which needs to be rebuilt (after you rebuilt gcc) are the static libraries. The following command should be sufficient for that:
Code:
emerge -1 /lib*/*.a /usr/lib*/*.a

Non-static libraries should have been built with PIC, anyway (which is the PIE replacement for libraries).

For all other packages (which compile some non-library code) the effect of changing no-pie->pie (or vice versa) will of course only be active for that package when the package is recompiled, but there should not be any functional problems if you do not recompile.


Thank you very much for this. But ... how confident are you this works? Someone actually tried it?


I'm of course asking all this because by policy I strictly update on as-needed basis remote-exploitable-bugged packages, so a full -e world emerge would break my system(s)/configurations/versions in so many ways I'll spend DAYS to restore.
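eddy89's question of how to tell whether a given binary or library was built as PIE can be answered from the ELF file itself, which is also what readelf shows: a non-PIE executable has type EXEC, while a PIE executable and a shared library both have type DYN and are told apart by the PIE bit the linker sets in DT_FLAGS_1 (readelf -d prints it as "Flags: PIE"). Older binutils did not set that bit; then a DYN object that carries a PT_INTERP program header is the usual sign of a PIE, with the caveat that libc.so.6 also carries one because it is itself runnable. The following is an added example, not code from the thread or from Gentoo: it reads the headers directly for little-endian ELF64 (amd64), so it needs no binutils, and `build_sample()` constructs minimal test images; the function names and output strings are chosen here.

```python
"""Classify ELF objects as non-PIE executable, PIE executable or shared
object by reading the headers directly. Added example (not from the
thread); handles little-endian ELF64 only, e.g. amd64 Gentoo.
Equivalent to: readelf -h (Type), readelf -l (INTERP), readelf -d (FLAGS_1)."""
import struct
import sys
from typing import Tuple

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS_1 = 0, 0x6FFFFFFB
DF_1_PIE = 0x08000000          # set by ld for -pie output on newer binutils


def elf_facts(data: bytes) -> Tuple[int, bool, bool]:
    """Return (e_type, has PT_INTERP, has DF_1_PIE) for an ELF64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp = has_pie_flag = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _f, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section (16-byte entries) until DT_NULL.
            for j in range(p_filesz // 16):
                tag, val = struct.unpack_from("<QQ", data, p_offset + 16 * j)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS_1 and val & DF_1_PIE:
                    has_pie_flag = True
    return e_type, has_interp, has_pie_flag


def classify_elf(data: bytes) -> str:
    e_type, has_interp, has_pie_flag = elf_facts(data)
    if e_type == ET_EXEC:
        return "executable (non-PIE)"
    if e_type != ET_DYN:
        return "other"
    if has_pie_flag:
        return "PIE executable"
    if has_interp:
        # Older linkers set no DF_1_PIE; a DYN object with an interpreter is
        # almost always a PIE, but libc.so.6 also carries one (it is runnable).
        return "PIE executable (inferred from PT_INTERP)"
    return "shared object"


def build_sample(e_type: int, interp: bool, pie_flag: bool) -> bytes:
    """Constructed minimal ELF64 image: header, program headers, dynamic section."""
    ph_types = ([PT_INTERP] if interp else []) + [PT_DYNAMIC]
    dyn_off = 64 + 56 * len(ph_types)
    dyn = struct.pack("<QQ", DT_FLAGS_1, DF_1_PIE if pie_flag else 0)
    dyn += struct.pack("<QQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(ph_types), 0, 0, 0)
    phdrs = b""
    for t in ph_types:
        off, size = (dyn_off, len(dyn)) if t == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 8)
    return header + phdrs + dyn


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:   # e.g. classify_pie.py /usr/bin/* /usr/lib64/*.so
        try:
            print(f"{classify_file(p):40} {p}")
        except (ValueError, OSError) as exc:
            print(f"skip: {p}: {exc}", file=sys.stderr)
```

Run it over /usr/bin and /usr/lib64 after the profile switch and the "executable (non-PIE)" lines are the binaries still built by the old toolchain; `equery belongs` (from gentoolkit) maps each one back to the package to re-emerge. Static archives (.a) are not ELF images but ar collections of object files, so they are outside what this check reads; for those the emerge of /lib*/*.a and /usr/lib*/*.a quoted above remains the practical route.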
All times are GMT