On 29/01/12 23:25, Russ Allbery wrote:
> For PIE, the main practical problem with PIE is that PIE and PIC conflict,
> so you can't just add -fPIE to the compiler flags of a package that builds
> both executables and libraries.
I investigated this for D-Bus (which builds a security-sensitive daemon, dbus-daemon, and a library, libdbus). It turns out that libtool is clever enough to replace -fPIE with -fPIC -DPIC when compiling objects that will go in a shared library, and omit -pie when linking shared libraries, so if your hybrid executable|library package uses libtool (as D-Bus does), you *can* just add the PIE flags: https://bugs.freedesktop.org/show_bug.cgi?id=16621#c9

(If your upstream has an ancient libtool, you might need to re-libtoolize - but do that anyway, tbh. dh_autoreconf makes it quite straightforward.)

As a result, I dropped the elaborate machinery from the upstream build system to apply -fPIE in the compiler flags of only those objects that will end up in an executable, in favour of recommending that distributions use something like './configure CFLAGS=-fPIE LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"' or the dpkg-buildflags equivalent.

At some point I should update the dbus source package to use the right magic options to dpkg-buildflags, but for now it's still using hardening-wrapper and seems to work fine.

S
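A check to go with the flags discussed in this thread, added here as an example and not code from the original mail or from D-Bus: a POSIX shell function that reads `readelf -h -l -d` output and reports whether an ELF object came out as a PIE executable, a non-PIE executable or a shared library (which libtool links without -pie), and whether -z relro / -z now took effect. The readelf-style sample text is constructed, and the names classify_hardening, check_file and SAMPLE_* are my own.

```shell
#!/bin/sh
# Classify one ELF object from the text `readelf -h -l -d FILE` prints.
# The text is passed as a string so the logic can be exercised on
# constructed samples without a toolchain.
# Output "kind=<exe|pie|shlib|other> relro=<none|partial|full>":
#   EXEC -> exe (not PIE); DYN + INTERP -> pie (linked with -pie);
#   DYN without INTERP -> shlib (what libtool links without -pie);
#   GNU_RELRO segment -> partial (-z relro); plus BIND_NOW/NOW -> full (-z now).
classify_hardening() {
    text="$1"
    etype=$(printf '%s\n' "$text" | sed -n 's/^ *Type: *\([A-Z]*\).*/\1/p' | head -n 1)
    interp=no
    printf '%s\n' "$text" | grep -q '^ *INTERP ' && interp=yes
    case "$etype:$interp" in
        EXEC:*)  kind=exe ;;
        DYN:yes) kind=pie ;;
        DYN:no)  kind=shlib ;;
        *)       kind=other ;;
    esac
    relro=none
    if printf '%s\n' "$text" | grep -q '^ *GNU_RELRO'; then
        relro=partial
        printf '%s\n' "$text" | grep -Eq '\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW' && relro=full
    fi
    printf 'kind=%s relro=%s\n' "$kind" "$relro"
}

# Same classification for a real file; needs binutils readelf on PATH.
check_file() {
    classify_hardening "$(readelf -h -l -d "$1")"
}

# Constructed readelf-style samples (not captured from real binaries),
# trimmed to the lines the classifier inspects.
SAMPLE_PIE_FULL='  Type:                              DYN (Position-Independent Executable file)
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002d98 0x0000000000003d98 0x0000000000003d98 0x000268 0x000268 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_EXEC_PARTIAL='  Type:                              EXEC (Executable file)
  INTERP         0x000318 0x0000000000400318 0x0000000000400318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002d98 0x0000000000403d98 0x0000000000403d98 0x000268 0x000268 R   0x1'
SAMPLE_SHLIB_NONE='  Type:                              DYN (Shared object file)
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000568 0x000568 R   0x1000'

classify_hardening "$SAMPLE_PIE_FULL"     # kind=pie relro=full
classify_hardening "$SAMPLE_EXEC_PARTIAL" # kind=exe relro=partial
classify_hardening "$SAMPLE_SHLIB_NONE"   # kind=shlib relro=none
```

Running `check_file` over the installed dbus-daemon and libdbus shows whether the CFLAGS/LDFLAGS from the configure line above actually reached both the executable and the library.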