ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
Posted: Mon Jan 08, 2018 7:47 pm Post subject: |
|
|
Quote: | gcc version 4.9.3 (Gentoo 4.9.3 p1.5, pie-0.6.4) |
Considering you are on gcc-4.9, which isn't supported anymore, I'd recommend you switch to >=gcc-5 and follow those directions on recompiling most of your system. As you are recompiling the system, it will also take care of any packages that need to be recompiled with pie too... |
|
|
|
eddy89 Apprentice
Joined: 01 Feb 2006 Posts: 180 Location: /world/Italy/Torino
|
Posted: Mon Jan 08, 2018 7:55 pm Post subject: |
|
|
ct85711 wrote: | Quote: | gcc version 4.9.3 (Gentoo 4.9.3 p1.5, pie-0.6.4) |
Considering you are on gcc-4.9, which isn't supported anymore, I'd recommend you switch to >=gcc-5 and follow those directions on recompiling most of your system. As you are recompiling the system, it will also take care of any packages that need to be recompiled with pie too... |
Thanks for your comment but that doesn't reply to ANY of my questions, which are not related to the gcc version. That was just an example taken from an example system. My questions still subsist.
BTW gcc-4.9 to gcc-6 migration AFAIK does not need a full system recompilation, unlike this pie thing. |
|
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Mon Jan 08, 2018 7:58 pm Post subject: |
|
|
Quote: | I'm sorry I did not read after page 5, so if someone already asked my question, well, sorry.
How do I check if my system (a single binary/library) is already compiled pie? |
This is shown on page 5 (sorry, I couldn't resist)
tholin wrote: | # hardening-check /usr/bin/firefox
/usr/bin/firefox:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no, not found! |
|
|
|
|
eddy89 Apprentice
Joined: 01 Feb 2006 Posts: 180 Location: /world/Italy/Torino
|
Posted: Mon Jan 08, 2018 8:41 pm Post subject: |
|
|
mike155 wrote: |
This is shown on page 5 (sorry, I couldn't resist)
|
Thanks, that was actually both useful and funny
So I caught up with almost all posts (skim-reading some about specific packages/libraries) and I can now auto-answer some of my questions. But other questions came to my mind.
Quote: | I know, it's old and masked, but "pie-0.6.4", is the same pie we are talking about?? |
Yes, but it's not enabled by default, so almost all of my system is not PIE.
PIE regards only executables, not libraries so ... why should we recompile libraries?
openssh (as someone pointed out, and I can confirm) is already compiled with PIE, and it works quite well. Then why should a mixed system be broken? |
|
|
|
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
|
Posted: Mon Jan 08, 2018 9:08 pm Post subject: |
|
|
Quote: | BTW gcc-4.9 to gcc-6 migration AFAIK does not need a full system recompilation, unlike this pie thing. |
Actually it does. It's more that the gcc-4 to gcc-5 transition requires the recompilation due to the ABI change. From gcc-5 to gcc-6/7+ does not necessarily require the recompilation. The exception is with the pie flag being enabled with the 17.0 profile.
Now the one thing, it may also cause some issues, is that it isn't officially supported transitioning more than 1 version at a time. So, transitioning from gcc-4 to gcc-6 or 7 directly may cause you to run into strange errors. |
|
|
|
asturm Developer
Joined: 05 Apr 2007 Posts: 8936
|
Posted: Mon Jan 08, 2018 9:13 pm Post subject: |
|
|
ct85711 wrote: | Now the one thing, it may also cause some issues, is that it isn't officially supported transitioning more than 1 version at a time. So, transitioning from gcc-4 to gcc-6 or 7 directly may cause you to run into strange errors. |
It is not guaranteed that gcc-4 is able to build gcc-6, so that intermediate step to gcc-5 *may* be required. But that does not mean you have to rebuild all of your system twice. It is perfectly fine to switch from gcc-4 to -5 then *immediately* -6 and only then do the ABI rebuild. |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54236 Location: 56N 3W
|
Posted: Mon Jan 08, 2018 9:14 pm Post subject: |
|
|
ct85711,
Neither need a full system build.
The gcc-4.x to >=gcc-5.y change needs all the installed C++ to be rebuilt due to the ABI change.
The (-pie) to (+pie) change, managed with the /17.0/ profile needs all the static libraries to be rebuilt.
Hardened profile users have been on (+pie) for a long time, so the upgrade may be a noop for them. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Tue Jan 09, 2018 1:33 am Post subject: |
|
|
Fortunately my i686 was able to build gcc-6.4 with gcc-4.9.4, though I haven't gone through with PIEing or rebuilding c++ yet on this machine... _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
|
|
krinn Watchman
Joined: 02 May 2003 Posts: 7470
|
Posted: Tue Jan 09, 2018 2:47 am Post subject: |
|
|
because of "incoming" spectre patch mitigation for gcc, i would just wait with my 4.9.
and when "spectre"-gcc is out, i would download latest stage3, chroot, build the new gcc with the toolchain from the chroot : so no upgrade to 4.9->? just using toolchain from stage3 and upgrade to spectre-gcc (which should be 8, but we might have a 7-3 or 7.4 ready), but i really don't expect gcc 6 series to have them backported to it. |
|
|
|
jorgicio n00b
Joined: 17 Oct 2014 Posts: 47
|
Posted: Wed Jan 10, 2018 4:29 am Post subject: Resume |
|
|
In summary: if I just build static-related packages (after migrating the profile and building gcc and other packages with PIE, of course), am I done, and then I'll (re)build everything I want? (In order to avoid the emerge -e @world, which takes ages to do.) |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54236 Location: 56N 3W
|
Posted: Wed Jan 10, 2018 1:39 pm Post subject: |
|
|
krinn,
gcc builds itself three times in the course of the install.
It builds a bootstrap gcc with the random C++ compiler it finds on the system.
It uses that bootstrap gcc to build itself, then it compares the two gccs, which should be identical.
Lastly, it uses the second gcc to build the gcc targets that actually get installed.
This build system means that distcc can't help build gcc.
Bootstrapping gcc this way only works for native builds.
That's a long way to say don't bother waiting for a stage3.
Build your new gcc.
Use it to build the toolchain.
If you are really paranoid, do it again. _________________ Regards,
NeddySeagoon |
|
|
|
Vandon n00b
Joined: 04 Jan 2004 Posts: 29
|
Posted: Wed Jan 10, 2018 2:53 pm Post subject: |
|
|
I've updated my system to a 17.0 profile and everything seemed to go well with re-emerging everything.
I went to: [19] default/linux/amd64/17.0/desktop/plasma *
However, once the 17.1 profiles were removed, I started getting this message every time I emerge something:
Code: | !!! Your current profile is deprecated and not supported anymore.
!!! Use eselect profile to update your profile.
!!! Please upgrade to the following profile if possible:
default/linux/amd64/17.0
You may use the following command to upgrade:
eselect profile set default/linux/amd64/17.0
|
I've tried switching to that specific profile, but I still get the same message.
I've verified that my make.profile is pointing to the right location in the 17.0 profiles:
Code: | ls -la /etc/portage/make.profile
lrwxrwxrwx 1 root root 66 Jan 10 08:32 /etc/portage/make.profile -> ../../usr/portage/profiles/default/linux/amd64/17.0/desktop/plasma
Portage 2.3.13 (python 3.4.5-final-0, default/linux/amd64/17.0/desktop/plasma, gcc-6.4.0, glibc-2.25-r9, 4.14.7-gentoo x86_64)
|
Any ideas on what is causing the message? |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54236 Location: 56N 3W
|
Posted: Wed Jan 10, 2018 5:21 pm Post subject: |
|
|
Vandon,
The message is displayed because you have a file named deprecated in your profile.
See
An may fix it. _________________ Regards,
NeddySeagoon |
|
|
|
Vandon n00b
Joined: 04 Jan 2004 Posts: 29
|
Posted: Wed Jan 10, 2018 7:40 pm Post subject: |
|
|
NeddySeagoon wrote: | Vandon,
The message is displayed because you have a file named deprecated in your profile.
See
An may fix it. |
I'm not sure where I would have a file named "deprecated". None of the linux/amd64/17.0 profiles have a file named deprecated and only mips/17.0 has a deprecated file in it. I have sync'd several times since 17.1 was removed which was when all this started.
I've also switched to the profile it suggests and get the same...
Code: | # eselect profile set default/linux/amd64/17.0
# etc-update
# env-update
>>> Regenerating /etc/ld.so.cache...
# source /etc/profile
# emerge -upDNv world
!!! Your current profile is deprecated and not supported anymore.
!!! Use eselect profile to update your profile.
!!! Please upgrade to the following profile if possible:
default/linux/amd64/17.0
You may use the following command to upgrade:
eselect profile set default/linux/amd64/17.0
|
emerge --info shows the right profile is selected and I even rm -rf /usr/portage/profiles/default/linux/amd64 and re-synced. Same results |
|
|
|
proteusx Guru
Joined: 21 Jan 2008 Posts: 338
|
Posted: Wed Jan 10, 2018 8:56 pm Post subject: |
|
|
You get this message if the symlink '/etc/portage/make.profile' is invalid. |
|
|
|
Vandon n00b
Joined: 04 Jan 2004 Posts: 29
|
Posted: Wed Jan 10, 2018 9:54 pm Post subject: |
|
|
proteusx wrote: | You get this message if the symlink '/etc/portage/make.profile' is invalid. |
No, the link is valid and was created with eselect, I can 'ls' through it too.
Code: | lrwxrwxrwx 1 root root 51 Jan 10 13:23 make.profile -> ../../usr/portage/profiles/default/linux/amd64/17.0
|
BUT, on closer inspection I also had:
Code: | lrwxrwxrwx 1 root root 51 Nov 5 2014 profile -> ../../usr/portage/profiles/default/linux/amd64/13.0
|
from a very old install.
One 'rm profile' and the message is gone.
Thanks everyone that helped out!
So, this probably means I should re-emerge -e system and world again since it was picking the 13.0 profile somehow |
|
|
|
wrc1944 Advocate
Joined: 15 Aug 2002 Posts: 3435 Location: Gainesville, Florida
|
Posted: Wed Jan 10, 2018 11:57 pm Post subject: |
|
|
tld,
I'm currently running three rock solid gentoo ~amd64 gcc-7.2 profile 13.0 (global -pie) Ryzen systems, and am contemplating using your method of moving to a -pie profile 17 on page 8 of this profile 17.0 thread.
Anyway, posted on page 7 of this thread I'm still wondering how profile 17 with default pie might fare on AM4/Ryzen considering some known and possibly related Ryzen problems, and a few experts offered some thoughts. I've gained a little more understanding, but I'm not convinced I should try a full default pie profile 17 change, even on ~amd64 systems. I'm aware that the pie performance hits are reported as mainly a 32bit problem, but with known ryzen ASLR flaws, I still feel a little apprehensive. If I wasn't on Ryzen, I probably would just go ahead and do the profile 17.0 update, and hope for the best, even if I'm still not convinced I need pie.
equery hasuse pie lists my current GCC, which I take implies GCC is already built with pie (not sure on this),
Code: | gentoo-main /home/wrc # equery hasuse pie
* Searching for USE flag pie ...
[IP-] [ ] net-misc/openssh-7.6_p1-r1:0
[IP-] [ ] sys-devel/gcc-7.2.0:7.2.0
[IP-] [ ] sys-libs/pam-1.3.0-r2:0 |
However, emerge gcc -pv reports gcc does not have a pie or -pie USE flag enabled, which seems odd. I realize you did this on x86 32bit, but any thoughts/advice you might offer would be greatly appreciated.
After struggling for weeks attempting to resolve the problems on my original R7 1700 before I RMA'd it, I'd hate to move to the default profile 17 pie and find out Ryzens are uniquely susceptible to pie induced performance hits.
Code: | gentoo-main /home/wrc # emerge gcc -pv
!!! Your current profile is deprecated and not supported anymore.
!!! Use eselect profile to update your profile.
!!! Please upgrade to the following profile if possible:
default/linux/amd64/17.0/desktop/plasma
You may use the following command to upgrade:
eselect profile set default/linux/amd64/17.0/desktop/plasma
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-devel/gcc-7.2.0:7.2.0::gentoo USE="cxx fortran (multilib) nls nptl openmp pch sanitize ssp vtv (-altivec) (-awt) -cilk -debug -doc (-fixed-point) (-gcj) -go -graphite (-hardened) (-jit) (-libssp) -mpx -objc -objc++ -objc-gc -pgo (-pie) -regression-test -vanilla" 0 KiB |
_________________ Main box- AsRock x370 Gaming K4
Ryzen 7 3700x, 3.6GHz, 16GB GSkill Flare DDR4 3200mhz
Samsung SATA 1000GB, Radeon HD R7 350 2GB DDR5
OpenRC Gentoo ~amd64 plasma, glibc-2.36-r7, gcc-13.2.1_p20230304
kernel-6.8.4 USE=experimental python3_11 |
|
|
|
patrix_neo Guru
Joined: 08 Jan 2004 Posts: 520 Location: The Maldives
|
Posted: Fri Jan 19, 2018 9:15 pm Post subject: |
|
|
NeddySeagoon wrote: | jagdpanther
No. The kernel rebuild can be any time after the gcc rebuild.
I'm not sure it matters as the kernel build system sets all its own CFLAGS.
Therefore, the kernel may not change. |
Does it have to? A sincere question. It has to cope with memory management, right? |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54236 Location: 56N 3W
|
Posted: Fri Jan 19, 2018 9:21 pm Post subject: |
|
|
patrix_neo,
It's the way the kernel build system works. It's not built with emerge. emerge only installs the sources for you, so the settings in make.conf are not used for kernel builds.
If you know the environment variables to set, you can set them on the command line with the make command.
Then you get to keep the pieces if the resulting kernel fails in funny ways as it did with gentoo-hardened's gcc recently. _________________ Regards,
NeddySeagoon |
|
|
|
Havin_it Veteran
Joined: 17 Jul 2005 Posts: 1247 Location: Edinburgh, UK
|
Posted: Sun Jan 21, 2018 2:51 pm Post subject: |
|
|
I'm about to go through this on my server box, got one small question: The news item specifies gcc:6.4.0, but is it fine to use gcc:7.2.0 instead?
The box is quite out-of-date (~400 updates queued!) and hasn't got gcc:7.2.0 yet. So is this sequence alright?
Code: |
emerge -1 libtool
[switch profile]
emerge gcc:7.2.0
[eselect gcc-7.2.0]
emerge -1 binutils
emerge -1 glibc
emerge -e @world
|
Seems that would save one gcc rebuild (it's a pretty low-spec machine). Any problem there? |
|
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Sun Jan 21, 2018 5:48 pm Post subject: |
|
|
gcc 7.2 is fine with profile 17.
But depending on the version of gcc you currently have installed, there may be some additional steps.
Upgrading from gcc-4.x to gcc-5.x
Otherwise I've followed Upgrading GCC. Despite the reference to not having to do it the "long way," I followed the unstated advice to do it anyway: Quote: | Some people swear that they need to rebuild every single package on their system when a new GCC version is made available. Of course, that doesn't make sense [...] The "safest" (but also most time-consuming) way to accomplish this |
|
|
|
|
Havin_it Veteran
Joined: 17 Jul 2005 Posts: 1247 Location: Edinburgh, UK
|
Posted: Sun Jan 21, 2018 11:28 pm Post subject: |
|
|
Hi pjp, thanks for the reply.
I've had gcc:6.4 installed for a few months (since last emerge -u @world) but none of my system is built with it (not even libtool until just now -- oops) but rather with gcc:5.3.0.
So if I update to 17.0 now, I can then build gcc:7.2.0 once (followed by switching to it and using it to build libtool, binutils and glibc) and then just proceed with the world rebuild? |
|
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Mon Jan 22, 2018 12:45 am Post subject: |
|
|
I can't find my notes on my upgrade. Nor the posts I relied upon.
Since you apparently accidentally built libtool with gcc-6.4, I'm not sure how significant that is. I don't know if you can have a gcc-5 environment with libtool compiled with gcc-6 and then migrate everything to gcc-7 and profile 17 in "one step."
I'm going to defer to more experienced users on this one. Unless I'm personally pretty clear that stuff isn't going to hit the fan, I try not to fix things by breaking them more. :)
Otherwise, I would have installed gcc-7.2, rebuilt the toolchain, switched to the 17 profile, rebuilt the toolchain (for pie, etc) and then -ea @system and -ea @world. _________________ Quis separabit? Quo animo? |
|
|
|
trigggl Apprentice
Joined: 26 Aug 2007 Posts: 250 Location: Arkansas
|
Posted: Fri Feb 02, 2018 7:15 am Post subject: |
|
|
eccerr0r wrote: | Fortunately my i686 was able to build gcc-6.4 with gcc-4.9.4, though I haven't gone through with PIEing or rebuilding c++ yet on this machine... |
My longtime neglected virtual machines were also able to do this.
I'm about halfway through the PIE rebuild. _________________ Greg |
|
|
|
trigggl Apprentice
Joined: 26 Aug 2007 Posts: 250 Location: Arkansas
|
Posted: Fri Feb 02, 2018 7:24 am Post subject: |
|
|
patrix_neo wrote: | NeddySeagoon wrote: | jagdpanther
No. The kernel rebuild can be any time after the gcc rebuild.
I'm not sure it matters as the kernel build system sets all its own CFLAGS.
Therefore, the kernel may not change. |
Does it have to? A sincere question. It has to cope with memory management, right? |
Don't know if this answers your question, but I was switching from a version 3 kernel to 4.4 today. When I ran "make oldconfig", one of the new options was whether to compile with PIE or not. PIE is a setting in the kernel configuration. Whether or not the kernel has PIE is determined by .config. (IMO) _________________ Greg |
|
|
|
|