Same for Crypt-Argon2:
I: libcrypt-argon2-perl: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/perl5/5.38/auto/Crypt/Argon2/Argon2.so]
N:
N: This package provides an ELF binary that lacks the "bindnow" linker flag.
N:
N: This is needed (together with "relro") to make the "Global Offset Table"
N: (GOT) fully read-only. The bindnow feature trades startup time for
N: improved security. Please consider enabling this feature or consider
N: overriding the tag (possibly with a comment about why).
N:
N: If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N: hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:
N: The relevant compiler flags are set in LDFLAGS.
LDFLAGS missing (-Wl,-z,relro): x86_64-linux-gnu-gcc -shared -o blib/arch/auto/Crypt/Argon2/Argon2.so lib/Crypt/Argon2.o src/argon2.o src/core.o src/encoding.o src/thread.o src/blake2/blake2b.o src/switch.o src/ref.o src/sse3.o src/avx2.o src/avx512.o -fstack-protector-strong -L/usr/local/lib -pthread
Cheers, gregor
Technically this is an ExtUtils::Builder::Compiler issue. Can you give me the full output of perl -V?
Older toolchainy things (ExtUtils::MakeMaker and ExtUtils::CBuilder) don't do what you might expect with $LDFLAGS either, but they should pick it up from perl itself.
Sure:
% perl -V
Summary of my perl5 (revision 5 version 38 subversion 2) configuration:
Platform:
osname=linux
osvers=6.1.0
archname=x86_64-linux-gnu-thread-multi
uname='linux localhost 6.1.0 #1 smp debian 6.1.0 x86_64 gnulinux '
config_args='-Dmksymlinks -Dusethreads -Duselargefiles -Dcc=x86_64-linux-gnu-gcc -Dcpp=x86_64-linux-gnu-cpp -Dld=x86_64-linux-gnu-gcc -Dccflags=-DDEBIAN -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/dummy/build/dir=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.38 -Darchlib=/usr/lib/x86_64-linux-gnu/perl/5.38 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.38 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.38.2 -Dsitearch=/usr/local/lib/x86_64-linux-gnu/perl/5.38.2 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -Ui_xlocale -Uversiononly -Ud_strlcpy -Ud_strlcat -DDEBUGGING=-g -Doptimize=-O2 -dEs -Duseshrplib -Dlibperl=libperl.so.5.38.2'
hint=recommended
useposix=true
d_sigaction=define
useithreads=define
usemultiplicity=define
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
Compiler:
cc='x86_64-linux-gnu-gcc'
ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
optimize='-O2 -g'
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include'
ccversion=''
gccversion='13.2.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='x86_64-linux-gnu-gcc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib
libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
perllibs=-ldl -lm -lpthread -lc -lcrypt
libc=/lib/x86_64-linux-gnu/libc.so.6
so=so
useshrplib=true
libperl=libperl.so.5.38
gnulibc_version='2.38'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -L/usr/local/lib -fstack-protector-strong'
Characteristics of this binary (from libperl):
Compile-time options:
HAS_LONG_DOUBLE
HAS_STRTOLD
HAS_TIMES
MULTIPLICITY
PERLIO_LAYERS
PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_SIPHASH13
PERL_HASH_USE_SBOX32
PERL_MALLOC_WRAP
PERL_OP_PARENT
PERL_PRESERVE_IVUV
PERL_USE_SAFE_PUTENV
USE_64_BIT_ALL
USE_64_BIT_INT
USE_ITHREADS
USE_LARGE_FILES
USE_LOCALE
USE_LOCALE_COLLATE
USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC
USE_LOCALE_TIME
USE_PERLIO
USE_PERL_ATOF
USE_REENTRANT_API
USE_THREAD_SAFE_LOCALE
Locally applied patches:
DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
DEBPKG:debian/db_file_ver - https://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
DEBPKG:debian/enc2xs_inc - https://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
DEBPKG:debian/errno_ver - https://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
DEBPKG:debian/libperl_embed_doc - https://bugs.debian.org/186778 Note that libperl-dev package is required for embedded linking
DEBPKG:fixes/respect_umask - Respect umask during installation
DEBPKG:debian/writable_site_dirs - Set umask approproately for site install directories
DEBPKG:debian/extutils_set_libperl_path - EU:MM: set location of libperl.a under /usr/lib
DEBPKG:debian/no_packlist_perllocal - Don't install .packlist or perllocal.pod for perl or vendor
DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
DEBPKG:debian/perlivp - https://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
DEBPKG:debian/squelch-locale-warnings - https://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
DEBPKG:debian/patchlevel - https://bugs.debian.org/567489 List packaged patches for 5.38.2-5 in patchlevel.h
DEBPKG:fixes/document_makemaker_ccflags - https://bugs.debian.org/628522 [rt.cpan.org #68613] Document that CCFLAGS should include $Config{ccflags}
DEBPKG:debian/find_html2text - https://bugs.debian.org/640479 Configure CPAN::Distribution with correct name of html2text
DEBPKG:debian/perl5db-x-terminal-emulator.patch - https://bugs.debian.org/668490 Invoke x-terminal-emulator rather than xterm in perl5db.pl
DEBPKG:debian/cpan-missing-site-dirs - https://bugs.debian.org/688842 Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is writable
DEBPKG:debian/makemaker-pasthru - https://bugs.debian.org/758471 Pass LD settings through to subdirectories
DEBPKG:debian/makemaker-manext - https://bugs.debian.org/247370 Make EU::MakeMaker honour MANnEXT settings in generated manpage headers
DEBPKG:debian/kfreebsd-softupdates - https://bugs.debian.org/796798 Work around Debian Bug#796798
DEBPKG:debian/hurd-softupdates - https://bugs.debian.org/822735 Fix t/op/stat.t failures on hurd
DEBPKG:fixes/math_complex_doc_great_circle - https://bugs.debian.org/697567 [rt.cpan.org #114104] Math::Trig: clarify definition of great_circle_midpoint
DEBPKG:fixes/math_complex_doc_angle_units - https://bugs.debian.org/731505 [rt.cpan.org #114106] Math::Trig: document angle units
DEBPKG:fixes/cpan_web_link - https://bugs.debian.org/367291 CPAN: Add link to main CPAN web site
DEBPKG:debian/installman-utf8 - https://bugs.debian.org/840211 Generate man pages with UTF-8 characters
DEBPKG:debian/perldoc-pager - https://bugs.debian.org/870340 [rt.cpan.org #120229] Fix perldoc terminal escapes when sensible-pager is less
DEBPKG:debian/prune_libs - https://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
DEBPKG:debian/deprecate-with-apt - https://bugs.debian.org/747628 Point users to Debian packages of deprecated core modules
DEBPKG:debian/disable-stack-check - https://bugs.debian.org/902779 [GH #16607] Disable debugperl stack extension checks for binary compatibility with perl
DEBPKG:debian/perlbug-editor - https://bugs.debian.org/922609 Use "editor" as the default perlbug editor, as per Debian policy
DEBPKG:debian/eu-mm-perl-base - https://bugs.debian.org/962138 Suppress an ExtUtils::MakeMaker warning about our non-default @INC
DEBPKG:fixes/io_socket_ip_ipv6 - Disable getaddrinfo(3) AI_ADDRCONFIG for localhost and IPv4 numeric addresses
DEBPKG:debian/usrmerge-lib64 - https://bugs.debian.org/914128 Configure / libpth.U: Do not adjust glibpth when /usr/lib64 is present.
DEBPKG:debian/usrmerge-realpath - https://bugs.debian.org/914128 Configure / libpth.U: use realpath --no-symlinks on Debian
DEBPKG:fixes/x32-io-msg-skip - https://bugs.debian.org/922609 Skip io/msg.t on x32 due to broken System V message queues
DEBPKG:debian/configure-regen - https://bugs.debian.org/762638 Regenerate Configure et al. after probe unit changes
DEBPKG:fixes/bignum-recursion - https://bugs.debian.org/1012704 [rt.cpan.org #146411] Fix CPAN RT #146411
DEBPKG:fixes/math-bigfloat-subclass - https://bugs.debian.org/1043234 Fix Math::BigFloat subclass numeric comparison
DEBPKG:fixes/unbreak-locale-initialization - [GH #21366] https://bugs.debian.org/1060679 Revert "locale.c: Do uselocale() earlier in init process"
Built under linux
Compiled at May 30 2024 19:24:33
%ENV:
PERL5LIB="/home/gregoa/src/git-pkg-perl/meta/packages/pkg-perl-tools/lib"
PERLDOC="-oMan"
@INC:
/home/gregoa/src/git-pkg-perl/meta/packages/pkg-perl-tools/lib
/etc/perl
/usr/local/lib/x86_64-linux-gnu/perl/5.38.2
/usr/local/share/perl/5.38.2
/usr/lib/x86_64-linux-gnu/perl5/5.38
/usr/share/perl5
/usr/lib/x86_64-linux-gnu/perl-base
/usr/lib/x86_64-linux-gnu/perl/5.38
/usr/share/perl/5.38
/usr/local/lib/site_perl
I don't think I understand that output. You're setting it appropriately in the config_args, but I'm not seeing those values back in the listed ldflags or lddlflags. As far as I can tell it shouldn't be working with other tools either.
Clearly I'm missing something important here.
I'm afraid I'm not the most qualified person to explain the details of how this all works together in Debian builds … Maybe @ntyni can help.
What I can say from experience is that various compiler and linker flags are set in the environment by Debian build tools, e.g.
CFLAGS=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/home/gregoa/src/git-pkg-perl/meta/packages/libextutils-builder-compiler-perl=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -ffile-prefix-map=/home/gregoa/src/git-pkg-perl/meta/packages/libextutils-builder-compiler-perl=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
LDFLAGS=-Wl,-z,relro
and typically¹ they are picked up by EUMM and Module::Build{,Tiny} without further ado.
¹ sometimes we have to add patches like
+push @extra_compiler_flags, Module::Build->split_like_shell($ENV{CPPFLAGS});
or
+ CCFLAGS => "$Config{ccflags} $ENV{CFLAGS} $ENV{CPPFLAGS}",
+ LDFLAGS => "$Config{lddlflags} $ENV{LDFLAGS}",
I just compiled a perl with -Dldflags=-Wl,-z,relro -Dlddlflags="-shared -Wl,-z,relro", and -Wl,-z,relro showed up in both ldflags and lddlflags. I don't understand why it doesn't for your perl.
Would you be able to post the build output of one of these modules? (it should print the commands it's executing). That may be enlightening.
Sure, that's crypt-argon2:
…
dpkg-buildpackage: info: source package libcrypt-argon2-perl
dpkg-buildpackage: info: source version 0.026-1
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by gregor herrmann <gregoa@debian.org>
dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
debian/rules clean
dh clean
dh_clean
dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building libcrypt-argon2-perl using existing ./libcrypt-argon2-perl_0.026.orig.tar.gz
dpkg-source: info: building libcrypt-argon2-perl in libcrypt-argon2-perl_0.026-1.debian.tar.xz
dpkg-source: info: building libcrypt-argon2-perl in libcrypt-argon2-perl_0.026-1.dsc
debian/rules binary
dh binary
dh_update_autotools_config
dh_autoreconf
dh_auto_configure
/usr/bin/perl Build.PL --installdirs vendor --config "optimize=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2" --config "ld=x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now"
x86_64-linux-gnu-gcc -msse3 -o try_compilerLKbo.o -c /tmp/Z2m9zN6je4/try_compilerLKbo.c
x86_64-linux-gnu-gcc -o try_compilerLKbo try_compilerLKbo.o
x86_64-linux-gnu-gcc -march=haswell -o try_compilersXht.o -c /tmp/UP5UAou_lR/try_compilersXht.c
x86_64-linux-gnu-gcc -o try_compilersXht try_compilersXht.o
x86_64-linux-gnu-gcc -march=skylake-avx512 -o try_compilerwlIX.o -c /tmp/6LzePID5ks/try_compilerwlIX.c
x86_64-linux-gnu-gcc -o try_compilerwlIX try_compilerwlIX.o
x86_64-linux-gnu-gcc -o try_compilerf4E6.o -c /tmp/4vt4pPWllO/try_compilerf4E6.c
x86_64-linux-gnu-gcc -o try_compilerf4E6 try_compilerf4E6.o
./try_compilerf4E6
Creating new 'Build' script for 'Crypt-Argon2' version '0.026'
dh_auto_build
/usr/bin/perl Build
mkdir blib/lib
mkdir blib/arch
mkdir blib/bindoc
mkdir blib/libdoc
mkdir blib/script
mkdir blib/bin
cp lib/Crypt/Argon2.pm blib/lib/Crypt/Argon2.pm
cp script/argon2-calibrate blib/script/argon2-calibrate
make_executable blib/script/argon2-calibrate
manify lib/Crypt/Argon2.pm blib/libdoc/Crypt::Argon2.3pm 3pm
manify script/argon2-calibrate blib/bindoc/argon2-calibrate.1p 1p
parse-xs lib/Crypt/Argon2.xs
x86_64-linux-gnu-gcc -Ilib/Crypt -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DVERSION="0.026" -DHAVE_SSE3 -DXS_VERSION="0.026" -DHAVE_AVX2 -DHAVE_AVX512 -DHAVE_IFUNC -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o lib/Crypt/Argon2.o -c lib/Crypt/Argon2.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_IFUNC -DHAVE_AVX512 -DHAVE_AVX2 -DHAVE_SSE3 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/argon2.o -c src/argon2.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -DHAVE_AVX2 -DHAVE_AVX512 -DHAVE_IFUNC -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/core.o -c src/core.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -DHAVE_AVX2 -DHAVE_AVX512 -DHAVE_IFUNC -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/encoding.o -c src/encoding.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_AVX512 -DHAVE_IFUNC -DHAVE_SSE3 -DHAVE_AVX2 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/thread.o -c src/thread.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_IFUNC -DHAVE_AVX512 -DHAVE_SSE3 -DHAVE_AVX2 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/blake2/blake2b.o -c src/blake2/blake2b.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -DHAVE_AVX2 -DHAVE_IFUNC -DHAVE_AVX512 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/switch.o -c src/switch.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_AVX512 -DHAVE_IFUNC -Dfill_segment=fill_segment_ref -DHAVE_AVX2 -DHAVE_SSE3 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/ref.o -c src/ref.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -Dfill_segment=fill_segment_sse3 -DHAVE_AVX2 -DHAVE_IFUNC -DHAVE_AVX512 -fPIC -pthread -msse3 -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/sse3.o -c src/opt.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -Dfill_segment=fill_segment_avx2 -DHAVE_AVX2 -DHAVE_SSE3 -DHAVE_IFUNC -DHAVE_AVX512 -fPIC -pthread -march=haswell -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/avx2.o -c src/opt.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_AVX512 -DHAVE_IFUNC -Dfill_segment=fill_segment_avx512 -DHAVE_AVX2 -DHAVE_SSE3 -fPIC -pthread -march=skylake-avx512 -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/avx512.o -c src/opt.c
mkdir blib/arch/auto/Crypt/Argon2
x86_64-linux-gnu-gcc -shared -o blib/arch/auto/Crypt/Argon2/Argon2.so lib/Crypt/Argon2.o src/argon2.o src/core.o src/encoding.o src/thread.o src/blake2/blake2b.o src/switch.o src/ref.o src/sse3.o src/avx2.o src/avx512.o -fstack-protector-strong -L/usr/local/lib -pthread
dh_auto_test
/usr/bin/perl Build test --verbose 1
prove
t/test.t ..
# Subtest: argon2i(2, 64M, 1, password, somesalt)
ok 1 - 2:64M:1(password, somesalt) encodes as expected
ok 2 - 2:64M:1(password, somesalt) matches as expected
ok 3 - 2:64M:1(password, somesalt) verifies as expected
1..3
ok 1 - argon2i(2, 64M, 1, password, somesalt)
# Subtest: argon2i(2, 256k, 1, password, somesalt)
ok 1 - 2:256k:1(password, somesalt) encodes as expected
ok 2 - 2:256k:1(password, somesalt) matches as expected
ok 3 - 2:256k:1(password, somesalt) verifies as expected
1..3
ok 2 - argon2i(2, 256k, 1, password, somesalt)
# Subtest: argon2i(2, 256k, 2, password, somesalt)
ok 1 - 2:256k:2(password, somesalt) encodes as expected
ok 2 - 2:256k:2(password, somesalt) matches as expected
ok 3 - 2:256k:2(password, somesalt) verifies as expected
1..3
ok 3 - argon2i(2, 256k, 2, password, somesalt)
# Subtest: argon2i(1, 64M, 1, password, somesalt)
ok 1 - 1:64M:1(password, somesalt) encodes as expected
ok 2 - 1:64M:1(password, somesalt) matches as expected
ok 3 - 1:64M:1(password, somesalt) verifies as expected
1..3
ok 4 - argon2i(1, 64M, 1, password, somesalt)
# Subtest: argon2i(4, 64M, 1, password, somesalt)
ok 1 - 4:64M:1(password, somesalt) encodes as expected
ok 2 - 4:64M:1(password, somesalt) matches as expected
ok 3 - 4:64M:1(password, somesalt) verifies as expected
1..3
ok 5 - argon2i(4, 64M, 1, password, somesalt)
# Subtest: argon2i(2, 64M, 1, differentpassword, somesalt)
ok 1 - 2:64M:1(differentpassword, somesalt) encodes as expected
ok 2 - 2:64M:1(differentpassword, somesalt) matches as expected
ok 3 - 2:64M:1(differentpassword, somesalt) verifies as expected
1..3
ok 6 - argon2i(2, 64M, 1, differentpassword, somesalt)
# Subtest: argon2i(2, 64M, 1, password, diffsalt)
ok 1 - 2:64M:1(password, diffsalt) encodes as expected
ok 2 - 2:64M:1(password, diffsalt) matches as expected
ok 3 - 2:64M:1(password, diffsalt) verifies as expected
1..3
ok 7 - argon2i(2, 64M, 1, password, diffsalt)
# Subtest: needs_rehash
ok 1 - No rehash with same parameters
ok 2 - Rehash with different argon2 variant
ok 3 - Rehash with different time cost
ok 4 - Rehash with different memory cost
ok 5 - Rehash with different parallelism
ok 6 - Rehash with different output length
ok 7 - Rehash with different salt length
1..7
ok 8 - needs_rehash
1..8
ok
All tests successful.
Files=1, Tests=8, 1 wallclock secs ( 0.01 usr 0.01 sys + 1.22 cusr 0.38 csys = 1.62 CPU)
Result: PASS
create-stamp debian/debhelper-build-stamp
dh_prep
dh_auto_install --destdir=debian/libcrypt-argon2-perl/
/usr/bin/perl Build install --destdir /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl --create_packlist 0
install install_map HASH(0x564364ae21b0)
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/auto/Crypt/Argon2/Argon2.so
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/share/man/man1/argon2-calibrate.1p
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/Crypt/Argon2.pm
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/share/man/man3/Crypt::Argon2.3pm
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/bin/argon2-calibrate
…
On Sat, Aug 10, 2024 at 07:01:48AM -0700, Leon Timmermans wrote:
I just compiled a perl with -Dldflags=-Wl,-z,relro -Dlddlflags="-shared -Wl,-z,relro", and -Wl,-z,relro showed up in both ldflags and lddlflags. I don't understand why it doesn't for your perl.
Hi, this is indeed a bit messy. Please accept my apologies for the confusion.
The reason they aren't in $Config{ldflags} and $Config{lddlflags} on Debian despite our Perl being built with them is that we're patching them away from %Config.
https://sources.debian.org/src/perl/5.38.2-5/debian/rules/#L189
The background for this is in https://bugs.debian.org/657853 , particularly https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92 and onwards.
In a nutshell, when we started building Perl itself with hardening flags, we wanted to keep them opt-in for XS modules because there's a risk of breakage.
Both EU::MM and the M::B family indeed pass everything in $Config{ccflags} and $Config{ldflags} / $Config{lddlflags} down to XS module builds. So we'd be forcing them to all XS modules, both those packaged in Debian and those installed manually from CPAN etc.
We decided that this was too intrusive, so we patch the risky flags away from %Config after the Perl build. We still retain them in $Config{config_args} because doing otherwise would feel like lying.
For packaged modules, there's a Debian specific mechanism (dpkg-buildflags) for opting into the hardening flags, and each package is supposed to opt in (or stay out by default) independently. This is implemented by our toolchain (debhelper) calling EU::MM and M::B with appropriate arguments [1, 2] to use the build specific flags in addition to ccflags / ldflags from %Config.
[2] https://sources.debian.org/src/debhelper/13.16/lib/Debian/Debhelper/Buildsystem/perl_build.pm/#L58
In this specific issue of Dist::Build apparently not passing linker flags
through, our toolchain uses the Module::Build mechanism where we call
Build.PL with --config optimize=
Thanks for the clarification @ntyni.
In this specific issue of Dist::Build apparently not passing linker flags through
I was using cc instead of ld because that's apparently needed on some unices (e.g. AIX), but I should probably limit that to only those unices. Therefore the ld override didn't work as expected.
This should be fixed with ExtUtils::Builder::Compiler 0.020.
On Sat, 10 Aug 2024 09:17:00 -0700, Leon Timmermans wrote:
Thanks for the clarification @ntyni.
Indeed!
In this specific issue of Dist::Build apparently not passing linker flags through
It's using cc instead of ld because that's apparently needed on some unices (e.g. AIX), but I should probably limit that to only those unices. This should be fixed with ExtUtils::Builder::Compiler 0.020.
Thanks a lot!
I'll try and have a look later tonight and report back.
Cheers, gregor
I've updated ExtUtils::Builder::Compiler to 0.020 and rebuilt crypt-argon2 and syntax-infix-smartmatch locally against it, and I can confirm that the issue is fixed. Just FYI, extracts of the log for the latter:
debian/rules binary
dh binary
dh_update_autotools_config
dh_autoreconf
dh_auto_configure
/usr/bin/perl Build.PL --installdirs vendor --config "optimize=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2" --config "ld=x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now"
Creating new 'Build' script for 'Syntax-Infix-Smartmatch' version '0.007'
dh_auto_build
/usr/bin/perl Build
mkdir blib/lib
mkdir blib/arch
mkdir blib/bindoc
mkdir blib/libdoc
mkdir blib/script
mkdir blib/bin
cp lib/Syntax/Infix/Smartmatch.pm blib/lib/Syntax/Infix/Smartmatch.pm
manify lib/Syntax/Infix/Smartmatch.pm blib/libdoc/Syntax::Infix::Smartmatch.3pm 3pm
parse-xs lib/Syntax/Infix/Smartmatch.xs
x86_64-linux-gnu-gcc -Ilib/Syntax/Infix -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DVERSION="0.007" -DXS_VERSION="0.007" -fPIC -I/usr/lib/x86_64-linux-gnu/perl5/5.38/auto/share/dist/XS-Parse-Keyword/include -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o lib/Syntax/Infix/Smartmatch.o -c lib/Syntax/Infix/Smartmatch.c
mkdir blib/arch/auto/Syntax/Infix/Smartmatch
x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now -shared -o blib/arch/auto/Syntax/Infix/Smartmatch/Smartmatch.so lib/Syntax/Infix/Smartmatch.o -fstack-protector-strong -L/usr/local/lib
dh_auto_test
/usr/bin/perl Build test --verbose 1
prove
t/basic.t ..
ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
ok 7
ok 8
1..8
ok
All tests successful.
Files=1, Tests=8, 1 wallclock secs ( 0.02 usr 0.00 sys + 0.04 cusr 0.00 csys = 0.06 CPU)
Result: PASS
create-stamp debian/debhelper-build-stamp
dh_prep
dh_auto_install --destdir=debian/libsyntax-infix-smartmatch-perl/
/usr/bin/perl Build install --destdir /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl --create_packlist 0
install install_map HASH(0x55c4f7d53bc0)
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/auto/Syntax/Infix/Smartmatch/Smartmatch.so
Installing /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/Syntax/Infix/Smartmatch.pm
Installing /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl/usr/share/man/man3/Syntax::Infix::Smartmatch.3pm
Thanks again! gregor
When updating syntax-infix-smartmatch in Debian (cf. https://github.com/Leont/syntax-infix-smartmatch/issues/2) I got some warnings from 2 Debian tools (lintian and blhc) about the build, and I think they are related to Dist::Build:
So it looks to me that LDFLAGS from the environment are not passed through to the linker call.
Cheers, gregor
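A build-log check in the spirit of the "LDFLAGS missing" report quoted in this thread, as an added example (not code from blhc, lintian, Dist::Build or any participant). It looks for -z relro and -z now on each link command; the sample log reuses the two link commands posted above (before and after ExtUtils::Builder::Compiler 0.020), the remaining lines are constructed or abridged, and all function names are hypothetical.

```python
import os
import re
import shlex

# Linker keywords to require: -z relro and -z now (the "bindnow" hardening).
REQUIRED_Z = ("relro", "now")
# Compiler drivers, with an optional cross prefix and version suffix.
DRIVER_RE = re.compile(r"(?:^|-)(?:gcc|g\+\+|cc|c\+\+|clang|clang\+\+)(?:-[\d.]+)?$")

# Lines 2 and 3 are the link commands from the logs in this thread;
# lines 1 and 5 are abridged from those logs, line 4 is constructed.
SAMPLE_LOG = "\n".join([
    'x86_64-linux-gnu-gcc -fPIC -g -O2 -fstack-protector-strong -o src/argon2.o -c src/argon2.c',
    'x86_64-linux-gnu-gcc -shared -o blib/arch/auto/Crypt/Argon2/Argon2.so lib/Crypt/Argon2.o '
    'src/argon2.o src/core.o src/encoding.o src/thread.o src/blake2/blake2b.o src/switch.o '
    'src/ref.o src/sse3.o src/avx2.o src/avx512.o -fstack-protector-strong -L/usr/local/lib -pthread',
    'x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration '
    '-ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong '
    '-fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro '
    '-Wl,-z,now -shared -o blib/arch/auto/Syntax/Infix/Smartmatch/Smartmatch.so '
    'lib/Syntax/Infix/Smartmatch.o -fstack-protector-strong -L/usr/local/lib',
    'x86_64-linux-gnu-gcc -Wl,-z -Wl,relro -shared -o blib/arch/auto/Example/Example.so lib/Example.o',
    '/usr/bin/perl Build.PL --installdirs vendor --config "ld=x86_64-linux-gnu-gcc -Wl,-z,relro -Wl,-z,now"',
])


def linker_words(argv):
    """Flatten the words the compiler driver forwards to the linker."""
    words, it = [], iter(argv)
    for arg in it:
        if arg.startswith("-Wl,"):
            # -Wl,a,b,c forwards a, b and c as separate linker words.
            words.extend(w for w in arg[4:].split(",") if w)
        elif arg in ("-Xlinker", "-z"):
            nxt = next(it, None)
            if nxt is not None:
                words.extend(["-z", nxt] if arg == "-z" else [nxt])
    return words


def z_keywords(argv):
    """Return the set of -z keywords that reach the linker."""
    words = linker_words(argv)
    return {words[i + 1] for i, w in enumerate(words[:-1]) if w == "-z"}


def is_link_command(argv):
    """True for a compiler-driver call that links (no -c/-S/-E, has objects or -shared)."""
    if not argv or not DRIVER_RE.search(os.path.basename(argv[0])):
        return False
    if any(a in ("-c", "-S", "-E") for a in argv[1:]):
        return False
    return "-shared" in argv or any(a.endswith((".o", ".a")) for a in argv[1:])


def output_name(argv):
    """Return the argument following -o, or the linker default name."""
    for i, a in enumerate(argv[:-1]):
        if a == "-o":
            return argv[i + 1]
    return "a.out"


def audit_links(log_text):
    """Return (line number, output file, missing -z keywords) per link command."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes in a log line
            argv = line.split()
        if not is_link_command(argv):
            continue
        seen = z_keywords(argv)
        missing = [k for k in REQUIRED_Z if k not in seen]
        findings.append((lineno, output_name(argv), missing))
    return findings


if __name__ == "__main__":
    for lineno, output, missing in audit_links(SAMPLE_LOG):
        status = "missing -z " + ", -z ".join(missing) if missing else "ok"
        print(f"line {lineno}: {output}: {status}")
```

The Build.PL line is skipped because its first word is perl, not a compiler driver: flags that appear only in a --config argument prove nothing about what the linker received.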