/srv/irclogs.ubuntu.com/2016/04/30/#ubuntu-devel.txt

[00:56] <doko> slangasek, the problem was that -fPIE couldn't be turned off in some situations. See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70192. Strange that this didn't turn up during testing ...
[00:56] <ubottu> gcc.gnu.org bug 70192 in driver "-fno-pic doesn't work with --enable-default-pie" [Normal,Resolved: fixed]
[00:57] <slangasek> doko: hmm, what problem is that?
[00:57] <slangasek> missing context
[00:57] <doko> the kernel can't build with pie, so you have to turn it off
[00:57] <slangasek> ah, that one
[00:57] <doko> and every kernel module
[00:58] <slangasek> not automatable somehow?
[00:58] <slangasek> like, in the dkms package instead of fixing each module?
[00:58] <doko> well, let's fix the kernel first
[00:59] <doko> I could turn it off if I see some other options, like -ffreestanding, or -nostdlib. but I'm unsure how much I'll break with such automated guessing
=== juliank is now known as Guest40488
=== juliank_ is now known as juliank
=== Wulf4 is now known as Wulf
[02:19] <slangasek> LocutusOfBorg: fyi, LP: #1576914.  Since I'm pretty sure this is a regression in a core package, I'm not inclined to remove the upstart binaries to work around it.
[02:19] <ubottu> Launchpad bug 1576914 in upstart (Ubuntu) "upstart,libnih ftbfs on s390x with linux 4.4.0-21.37" [Undecided,New] https://launchpad.net/bugs/1576914
[02:29] <doko> slangasek, this could be automated: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1576915
[02:29] <ubottu> Launchpad bug 1576915 in dpkg (Ubuntu) "dpkg-buildflags should explicitly pass -fno-PIE and -no-pie if DEB_BUILD_HARDENING_PIE=0 is set" [Undecided,New]
[02:43] <slangasek> doko: are those options defined somewhere, or are you proposing new options that don't currently exist in Debian?
[02:44] <doko> slangasek, well, DEB_BUILD_HARDENING_PIE seems to be documented. we should just adjust these to work when pie is the default
[02:44] <slangasek> the standard option I know about is DEB_BUILD_{MAINT_,}OPTIONS=hardening=-pie,-bindnow
[02:45] <slangasek> doko: documented where?
[02:45] <doko> hmm, I saw this in virtualbox ...
[02:45] <doko> LocutusOfBorg, ^^^
[02:45] <slangasek> https://wiki.debian.org/Hardening documents DEB_BUILD_HARDENING_PIE, but that's hardening-wrapper, which is obsolete
[02:46] <doko> ahh
[02:46] <doko> slangasek, but in any case, =hardening=-pie should result in no pie flags
[02:47] * slangasek nods
[02:47] <doko> and I realize there is no way to turn off the -z now default :-/
[02:47] <slangasek> doko: wouldn't that be -z lazy?
[02:49] <doko> ohh, was looking for nonow
[02:49] <slangasek> -z someothertime ;)
[02:50] <doko> one more thing for the gcc specs :-/
[02:56] <doko> LocutusOfBorg, please teach virtualbox to pass the appropriate no pie flags
=== athairus is now known as afkthairus
[08:46] <LocutusOfBorg> doko, ack
[08:46] <LocutusOfBorg> thanks
[09:12] <bigon> is anybody taking care of the selinux userspace in ubuntu (even if you are an apparmor shop?)
[09:20] <LocutusOfBorg> doko, it doesn't work
[09:20] <LocutusOfBorg> I don't have any fPIC fpic fpie fPIE references in the build log
[09:20] <LocutusOfBorg> but it fails anyway
[09:21] <LocutusOfBorg> trying -pic,-pie,-bindnow
[09:32] <cjwatson> cyphermox: ndisc6> go for it
[12:01] <abhinav--> seeing this error in dmesg when trying to boot from 16.04 live USB traps: compiz[3446] trap invalid opcode ip:7fb11003e0e9 sp:7ffc1d32ec20 error:0
[12:02] <abhinav--> is this a known bug with?
=== Cimi_ is now known as cimi
[14:00] <doko> gdal, json-c, cpl, cfitsio, ffmpeg, gsoap, libgetdata are now all entangled transitions
=== afkthairus is now known as athairus
[17:04] <showaz> http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
[17:50] <cjwatson> doko: at least the ffmpeg transition seems to be going relatively smoothly so far.  I filed a Debian bug about the failing ffmpeg autopkgtest
[17:51] <cjwatson> will look at freshplayerplugin in the coming week
[20:34] <doko> yeah, I set up the tracker, and then noticed that you had already started :)
[21:37] <infinity> doko: Why do PIE executables think they're libraries?
[21:37] <doko> split personality
[21:38] <infinity> (base)adconrad@nosferatu:~$ readelf -a /usr/bin/wget | grep '^  Type:'
[21:38] <infinity>   Type:                              DYN (Shared object file)
[21:38] <infinity> (base)adconrad@nosferatu:~$ readelf -a /bin/mv | grep '^  Type:'
[21:38] <infinity>   Type:                              EXEC (Executable file)
[21:38] <infinity> It's rather irksome.
[21:39] <infinity> (I get that they're linked as shared objects, so technically are just like a PIC library, but I don't get why the ELF header has to be wrong too)
[21:40] <kees> infinity: they're both ET_DYN. it's been a bug that .so files were detected using the Type.
[21:41] <kees> i.e. this is, imo, a bug in readelf
=== NCommander is now known as Guest14045
[21:46] <infinity> kees: So, how would readelf go about telling the difference, then?
[22:19] <kees> infinity: I think the presence of DT_DEBUG
[22:19] <kees> $ readelf -d /usr/lib/x86_64-linux-gnu/libmirclient.so | fgrep '(DEBUG)'
[22:19] <kees> $ readelf -d /usr/bin/ssh | fgrep '(DEBUG)'
[22:19] <kees>  0x0000000000000015 (DEBUG)              0x0
[22:22] <infinity> kees: binutils patch forthcoming? :)
[22:22] <infinity> kees: It's weird to see my system slowly shifting to being nothing but libraries (weirder still to see tools like lintian agree)
[22:23] <kees> I'm used to it at this point. :) chrome os has been default PIE since the beginning, and Android switched a few years ago too.
[22:23] <kees> it really confuses "file" :)
[22:23] <infinity> Quite.
[22:24] <infinity> file is where I first noticed it.
[22:24] <infinity> Which I assume is just using the same heuristic as readelf.
[22:24] <kees> yup. it just examines the elf type. fundamentally, there's no difference.
[22:24] <kees> it just happens that gcc drops in DT_DEBUG for executables for some reason
[22:25] <infinity> Still seems wrong to me that the ELF type is "shared object" (even if it technically is), but meh.
[22:25] <infinity> I wonder if the real definition of an ELF executable would be "any valid ELF type" + "has a PI entry".
[22:26] <infinity> Except that I've seen a ton of libraries with /lib/ld-linux PI entries, so there's a toolchain bug there too. :P
[22:27] <infinity> s/bug/misfeature/ ... It's not like it hurts for a library to have a PI, but it's also pointless.
[22:28] <kees> i'm misparsing. what do you mean by PI? I was reading it as "position independent" but "a PI" doesn't make sense to me now :)
[22:28] <infinity> kees: Program Interpreter.
[22:28] <kees> ah!
[22:28] <infinity> kees: ie: a binary shebang.
[22:28] <kees> right
[22:29] <infinity> Of course, static binaries also shouldn't have one, so that goes out the window. :P
[22:29] <kees> where does the PI show up?
[22:29] <infinity> But if the existence of (DEBUG) is a gcc oddity, that's also a broken heuristic.
[22:29] <kees> yeah, I'd rather have a better one
[22:30] <infinity> kees: I don't recall precisely where it shows up in the byte stream, file knows.
[22:30] <infinity> /bin/mv: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2
[22:30] <infinity> Since it extracts it.
[22:30] <kees> yeah... trying to find it in readelf...
[22:30] <infinity> But.  Like I said, we seem to have a toolchain that bakes it into libraries too, so that's no help. :P
[22:31] <kees> oh, it does? ew
[22:31] <infinity> Oh.  Maybe not.
[22:31] <infinity> It might just be needlessly linking libraries to it.
[22:31] <infinity> Which is fine.
[22:31] <LocutusOfBorg> can anybody with an s390x machine tell me why this package isn't installable? https://launchpad.net/ubuntu/+source/dolfin/1.6.0-1ubuntu5/+build/9621086
[22:31] <LocutusOfBorg>  Missing build dependencies: libslepc3.6.1-dev
[22:33] <infinity> http://paste.ubuntu.com/16160211/
[22:33] <infinity> kees: ^-- So, quick random sample of a whole two files.  Yes, libs are linked to ld-linux, but not listed as an interpreter.  And file seems smart enough to point out interpreters even in "libraries" (PIE wget).
[22:34] <infinity> kees: So that may indeed be the right heuristic, since a PI implies executable, even if it's just because you misbuilt your library.  ie: that may be a misbuild you'd want to know about anyway.
[22:34] <kees> infinity: yeah, I think that's correct. I still haven't found where that's listed in the various readelf options...
[22:35] <infinity> Or you may be a unique snowflake like libc, which is intentionally an executable library and, indeed, I think it should be detected as EXEC.
[22:35] <kees> Program headers, I think
[22:36] <kees> yeah, no INTERP program header.
[22:36] <kees> so, maybe even just INTERP or not... no need to check for ld-linux.
[22:36] <kees> which is, I think, what you just said. ;)
[22:38] <infinity> Right.
[22:38] <infinity> kees: Oh hey, since you're the resident expert on PIE...
[22:38] * kees cringes
[22:38] <infinity> kees: I understand why it's a massive performance hit on i386 (register pressure because, well, we have two), why is there not an i686 implementation that just absconds with an MMX register instead?
[22:39] <infinity> kees: Given our baseline is i686, that would seem like it should work...
[22:39] <kees> infinity: I don't know :) this is a question for the compiler gods.
[22:40] <infinity> kees: Also, your mention of ChromeOS and Android implies you're PIEing on armv7.  Does that eat one of the vfp registers, or one of the gp registers (and did you benchmark it at all)?
[22:41] <kees> infinity: iirc, it eats a gp register. we don't care about the hit because PIE is more important. :)
[22:41] <kees> (though our ASLR entropy on armv7 is terrible)
[22:41] <infinity> kees: I feel like this is a thing we should turn on for all our arches (well, minus i386, unless we can get something magic like above), but I need a lot more info.
[22:42] <kees> it should be on for all archs including i386. ;)
[22:42] <infinity> Turning it on for i386, we may as well just drop i386, the hit's that bad. :/
[22:42] <kees> nah
[22:43] <kees> but given most people are in a "who cares about i386?" mood, taking a perf hit doesn't bother them :)
[22:44] <infinity> I might make an executive decision as the powerpc community port maintainer to turn it on there.
[22:44] <infinity> But armv7, arm64, and i386 will take internal discussions.
[22:44] <kees> arm64 should be a no-brainer
[22:45] <infinity> I'm inclined to agree.  It's just that doko and the security team only tested amd64 and ppc64el on the last pass, so those are the ones he enabled.
[22:45] <infinity> (And we did s390x out of the gate)
[22:46] <kees> no one has any arm64, so no one will notice a change. :)
[22:47] <infinity> We actually have a fair few installations out there.
[22:47] <infinity> Some reasonably large, even.
[22:47] <infinity> I was as puzzled as you to discover this.
[22:48] <infinity> That said, right after an LTS seems the best time to be switching.
[22:48] <infinity> People have two years to deal with the new world order.
[22:56] <kees> I love s390x
[22:57] <infinity> kees: I feel like there's a followup coming to turn that into a sarcastic statement.
[22:57] <kees> unrelated: I don't seem to be able to debootstrap yakkety right now. complains about deps
[22:57] <kees> infinity: no! the s390x hardware support in the kernel is great! they've had strong kernel memory permissions since forever, they have separate userspace and kernel space memory, etc etc
[22:57] <kees> much more hardened than x86
[22:57] <infinity> Well, you have to look at the heritage.
[22:58] <infinity> The invented virtualization before we started copying BASIC programs from magazines.
[22:58] <infinity> The real disappointment is that it's taken everyone else so long to catch up.
[22:59] <infinity> They caught up to "mainframe performance", but skipped all the features.
[22:59] <infinity> s/The invented/They invented/
[23:01] <infinity> kees: --variant=buildd, or a big, fat debootstrap?
[23:01] <infinity> kees: A buildd one just worked here.
[23:01] * infinity tries a chubby one.
[23:05] <infinity> kees: chubby debootstrap also succeeded, I blame your mirror.
[23:17] <kees> infinity: hmmm. I will double-check my mirror. I've been having .. Issues(tm)
[23:26] <kees> oh good, my mirror refresh just finished. debootstrap much happier now
