Hi, First of all thanks to Lucas Nussbaum who ran the first test build!
2016-08-31 19:21 GMT+02:00 Steve Langasek <vor...@debian.org>: > On Wed, Aug 31, 2016 at 11:26:55AM +0100, Dimitri John Ledkov wrote: >> Hello, >> > Results are available at >> > https://people.debian.org/~lucas/logs/2016/08/30/pie-bindnow-20160830/ > >> > I did a full rebuild with bindnow and PIE enabled, then rebuilt all >> > failed packages with a pristine unstable chroot. > >> > You can take a look at >> > https://people.debian.org/~lucas/logs/2016/08/30/pie-bindnow-20160830/diff.txt >> > and grep for "OK Failed" (failed with PIE+bindnow, built fine in >> > unstable). (There are 1188 packages failing to build) > >> > Logs for both builds are available in the respective subdirectories. > >> Are you sure these are correct? The numbers for PIE+bindnow are a lot >> higher than what we see in Ubuntu, for same unmodified packages. > >> E.g. looking at http://qa.ubuntuwire.org/ftbfs/ > >> amd64/ppc64el/s390x have PIE+bindnow enabled, and >> i386/armhf/arm64/powerpc do not. here is nothing in the thousands >> range. There might be a dozen packages with PIE+bindnow fixes in >> ubuntu, that's not in debian, but that amount cannot be more than a >> dozen or two. Is there a list available or an easy way of collecting them? > > Note that enabling PIE by default is going to cause build failures for a > number of packages which link against static libraries, if those static > libraries have not been rebuilt yet with PIE/PIC. Ubuntu has worked through > this transition, so a direct comparison would require a rebootstrap test in > Debian instead of just a rebuild test (i.e.: test rebuild packages in > dependency order, and build later packages against the output of the earlier > rebuilds). True. Full rebootstrapping of the archive is not available automatically and this was really useful as a first test. I have added more dpkg patches [1] to make -pie hardening flag a noop since GCC upstream is not interested in making -no-pie easily usable [2]. I tested the packages failing to build with the previous patches and many of them could be built. The logs of the remaining failures can be found here: https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/ If we ignore the packages having "haskell" in their name the failures are down to 295 packages. I'm starting ot file bugs for the FTBFS-s. Patched dpkg and gcc is still available for those who would like to reproduce the issues. Cheers, Balint [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835149 [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77464 [3] https://people.debian.org/~rbalint/ppa/pie-bindnow/
