Hi, I haven't been paying close attention to the "PIE by default" [1] discussions, so I may have missed the memo, but: it seems the transition is underway?
I've seen two bugs already claiming "static library foo must be compiled with -fPIC" -- because some reverse dependency now fails to build. But I think this advice is misplaced. The Ubuntu page [2] says that all you need to do is rebuild the library foo with the PIE-enabled compiler, then rebuild the depending code:

  Relocation Linking Failure

  A dynamically linked program that pulls in a static library that was not built with -fPIC. These give an error like:

    relocation R_X86_64_32 against '[SYMBOL]' can not be used when making a shared object; recompile with -fPIC

  To address these types of issues, the package providing the static object needs to be rebuilt (usually just a no-change rebuild against the pie-by-default compiler) before rebuilding the failed package.

So it seems to me that this should be emphasized on the wiki [1].

Secondly, it seems that the proposal to change policy to encourage -fPIC on static libraries [3] is misplaced and should be withdrawn.

Are both these statements accurate?

Thanks,
-Steve

[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[2] https://wiki.ubuntu.com/SecurityTeam/PIE
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837478
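One way to check a static library for the condition behind the quoted linker error before rebuilding its reverse dependencies, as an added example that is not part of the original message: it scans `readelf -r -W` output for absolute 32-bit relocations in each archive member. Assumptions: x86-64 only, treating R_X86_64_32 and R_X86_64_32S outside debug sections as the problem cases is a heuristic, and `libfoo.a` with its relocation listing is a constructed sample.

```python
import re
import subprocess
import sys

# Absolute 32-bit relocation types, the kind named in the quoted linker error (heuristic).
ABSOLUTE_32 = {"R_X86_64_32", "R_X86_64_32S"}
FILE_RE = re.compile(r"^File: (.+)$")
SECTION_RE = re.compile(r"^Relocation section '([^']+)'")
RELOC_RE = re.compile(r"^[0-9a-f]+\s+[0-9a-f]+\s+(R_X86_64_\w+)\s+[0-9a-f]+\s+(.+)$")

# Constructed sample of `readelf -r -W libfoo.a` output (column header lines trimmed).
SAMPLE = """\
File: libfoo.a(foo.o)
Relocation section '.rela.text' at offset 0x1f8 contains 2 entries:
0000000000000005  000500000000000a R_X86_64_32            0000000000000000 .rodata + 0
000000000000000a  0000000b00000004 R_X86_64_PLT32         0000000000000000 puts - 4
Relocation section '.rela.debug_info' at offset 0x228 contains 1 entry:
0000000000000006  000700000000000a R_X86_64_32            0000000000000000 .debug_abbrev + 0
File: libfoo.a(bar.o)
Relocation section '.rela.text' at offset 0x1c0 contains 1 entry:
0000000000000007  0000000300000002 R_X86_64_PC32          0000000000000000 .rodata - 4
"""

def find_absolute_relocs(readelf_text):
    """Return (member, section, type, symbol) for every absolute 32-bit
    relocation found outside debug sections."""
    hits = []
    member = section = ""
    for line in readelf_text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            member = m.group(1)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := RELOC_RE.match(line):
            rtype, target = m.groups()
            # Debug sections are not loaded at run time, so absolute relocations there are harmless.
            if rtype in ABSOLUTE_32 and not section.startswith(".rela.debug"):
                symbol = re.split(r"\s[+-]\s", target)[0]  # drop the addend
                hits.append((member, section, rtype, symbol))
    return hits

if __name__ == "__main__":
    text = SAMPLE  # with no argument, run on the constructed sample
    if len(sys.argv) > 1:
        text = subprocess.run(["readelf", "-r", "-W", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    for member, section, rtype, symbol in find_absolute_relocs(text):
        print(f"{member}: {rtype} in {section} against {symbol}")
```

Pass the path of a `.a` file as the only argument to scan a real archive; an empty result after the rebuild means no member still carries these relocations in loadable sections.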