Leont / dist-build

A modern module builder, author tools not included!

LDFLAGS not passed through #8

Closed gregoa closed 3 months ago

gregoa commented 3 months ago

When updating syntax-infix-smartmatch in Debian (cf. https://github.com/Leont/syntax-infix-smartmatch/issues/2) I got some warnings from 2 Debian tools (lintian and blhc) about the build, and I think they are related to Dist::Build:

I: libsyntax-infix-smartmatch-perl: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/perl5/5.38/auto/Syntax/Infix/Smartmatch/Smartmatch.so]
N: 
N:   This package provides an ELF binary that lacks the "bindnow" linker flag.
N:   
N:   This is needed (together with "relro") to make the "Global Offset Table"
N:   (GOT) fully read-only. The bindnow feature trades startup time for
N:   improved security. Please consider enabling this feature or consider
N:   overriding the tag (possibly with a comment about why).
N:   
N:   If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N:   hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:   
N:   The relevant compiler flags are set in LDFLAGS.
% blhc ../build-area/libsyntax-infix-smartmatch-perl_0.006-1_amd64.build
LDFLAGS missing (-Wl,-z,relro): x86_64-linux-gnu-gcc -shared -o blib/arch/auto/Syntax/Infix/Smartmatch/Smartmatch.so Smartmatch.o -fstack-protector-strong -L/usr/local/lib

So it looks to me that LDFLAGS from the environment are not passed through to the linker call.

Cheers, gregor

gregoa commented 3 months ago

Same for Crypt-Argon2:

I: libcrypt-argon2-perl: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/perl5/5.38/auto/Crypt/Argon2/Argon2.so]
N: 
N:   This package provides an ELF binary that lacks the "bindnow" linker flag.
N:   
N:   This is needed (together with "relro") to make the "Global Offset Table"
N:   (GOT) fully read-only. The bindnow feature trades startup time for
N:   improved security. Please consider enabling this feature or consider
N:   overriding the tag (possibly with a comment about why).
N:   
N:   If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N:   hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:   
N:   The relevant compiler flags are set in LDFLAGS.
LDFLAGS missing (-Wl,-z,relro): x86_64-linux-gnu-gcc -shared -o blib/arch/auto/Crypt/Argon2/Argon2.so lib/Crypt/Argon2.o src/argon2.o src/core.o src/encoding.o src/thread.o src/blake2/blake2b.o src/switch.o src/ref.o src/sse3.o src/avx2.o src/avx512.o -fstack-protector-strong -L/usr/local/lib -pthread

Cheers, gregor

Leont commented 3 months ago

Technically this is an ExtUtils::Builder::Compiler issue. Can you give me the full output of perl -V?

Older toolchainy things (ExtUtils::MakeMaker and ExtUtils::CBuilder) don't do what you might expect with $LDFLAGS either, but they should pick it up from perl itself.

gregoa commented 3 months ago

Sure:

% perl -V
Summary of my perl5 (revision 5 version 38 subversion 2) configuration:

  Platform:
    osname=linux
    osvers=6.1.0
    archname=x86_64-linux-gnu-thread-multi
    uname='linux localhost 6.1.0 #1 smp debian 6.1.0 x86_64 gnulinux '
    config_args='-Dmksymlinks -Dusethreads -Duselargefiles -Dcc=x86_64-linux-gnu-gcc -Dcpp=x86_64-linux-gnu-cpp -Dld=x86_64-linux-gnu-gcc -Dccflags=-DDEBIAN -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/dummy/build/dir=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.38 -Darchlib=/usr/lib/x86_64-linux-gnu/perl/5.38 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.38 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.38.2 -Dsitearch=/usr/local/lib/x86_64-linux-gnu/perl/5.38.2 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -Ui_xlocale -Uversiononly -Ud_strlcpy -Ud_strlcat -DDEBUGGING=-g -Doptimize=-O2 -dEs -Duseshrplib -Dlibperl=libperl.so.5.38.2'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
  Compiler:
    cc='x86_64-linux-gnu-gcc'
    ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    optimize='-O2 -g'
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion=''
    gccversion='13.2.0'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='x86_64-linux-gnu-gcc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/x86_64-linux-gnu/libc.so.6
    so=so
    useshrplib=true
    libperl=libperl.so.5.38
    gnulibc_version='2.38'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl): 
  Compile-time options:
    HAS_LONG_DOUBLE
    HAS_STRTOLD
    HAS_TIMES
    MULTIPLICITY
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_HASH_FUNC_SIPHASH13
    PERL_HASH_USE_SBOX32
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_SAFE_PUTENV
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_ITHREADS
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
    USE_REENTRANT_API
    USE_THREAD_SAFE_LOCALE
  Locally applied patches:
    DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
    DEBPKG:debian/db_file_ver - https://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
    DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
    DEBPKG:debian/enc2xs_inc - https://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
    DEBPKG:debian/errno_ver - https://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
    DEBPKG:debian/libperl_embed_doc - https://bugs.debian.org/186778 Note that libperl-dev package is required for embedded linking
    DEBPKG:fixes/respect_umask - Respect umask during installation
    DEBPKG:debian/writable_site_dirs - Set umask approproately for site install directories
    DEBPKG:debian/extutils_set_libperl_path - EU:MM: set location of libperl.a under /usr/lib
    DEBPKG:debian/no_packlist_perllocal - Don't install .packlist or perllocal.pod for perl or vendor
    DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
    DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
    DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
    DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
    DEBPKG:debian/perlivp - https://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
    DEBPKG:debian/squelch-locale-warnings - https://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
    DEBPKG:debian/patchlevel - https://bugs.debian.org/567489 List packaged patches for 5.38.2-5 in patchlevel.h
    DEBPKG:fixes/document_makemaker_ccflags - https://bugs.debian.org/628522 [rt.cpan.org #68613] Document that CCFLAGS should include $Config{ccflags}
    DEBPKG:debian/find_html2text - https://bugs.debian.org/640479 Configure CPAN::Distribution with correct name of html2text
    DEBPKG:debian/perl5db-x-terminal-emulator.patch - https://bugs.debian.org/668490 Invoke x-terminal-emulator rather than xterm in perl5db.pl
    DEBPKG:debian/cpan-missing-site-dirs - https://bugs.debian.org/688842 Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is writable
    DEBPKG:debian/makemaker-pasthru - https://bugs.debian.org/758471 Pass LD settings through to subdirectories
    DEBPKG:debian/makemaker-manext - https://bugs.debian.org/247370 Make EU::MakeMaker honour MANnEXT settings in generated manpage headers
    DEBPKG:debian/kfreebsd-softupdates - https://bugs.debian.org/796798 Work around Debian Bug#796798
    DEBPKG:debian/hurd-softupdates - https://bugs.debian.org/822735 Fix t/op/stat.t failures on hurd
    DEBPKG:fixes/math_complex_doc_great_circle - https://bugs.debian.org/697567 [rt.cpan.org #114104] Math::Trig: clarify definition of great_circle_midpoint
    DEBPKG:fixes/math_complex_doc_angle_units - https://bugs.debian.org/731505 [rt.cpan.org #114106] Math::Trig: document angle units
    DEBPKG:fixes/cpan_web_link - https://bugs.debian.org/367291 CPAN: Add link to main CPAN web site
    DEBPKG:debian/installman-utf8 - https://bugs.debian.org/840211 Generate man pages with UTF-8 characters
    DEBPKG:debian/perldoc-pager - https://bugs.debian.org/870340 [rt.cpan.org #120229] Fix perldoc terminal escapes when sensible-pager is less
    DEBPKG:debian/prune_libs - https://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
    DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
    DEBPKG:debian/deprecate-with-apt - https://bugs.debian.org/747628 Point users to Debian packages of deprecated core modules
    DEBPKG:debian/disable-stack-check - https://bugs.debian.org/902779 [GH #16607] Disable debugperl stack extension checks for binary compatibility with perl
    DEBPKG:debian/perlbug-editor - https://bugs.debian.org/922609 Use "editor" as the default perlbug editor, as per Debian policy
    DEBPKG:debian/eu-mm-perl-base - https://bugs.debian.org/962138 Suppress an ExtUtils::MakeMaker warning about our non-default @INC
    DEBPKG:fixes/io_socket_ip_ipv6 - Disable getaddrinfo(3) AI_ADDRCONFIG for localhost and IPv4 numeric addresses
    DEBPKG:debian/usrmerge-lib64 - https://bugs.debian.org/914128 Configure / libpth.U: Do not adjust glibpth when /usr/lib64 is present.
    DEBPKG:debian/usrmerge-realpath - https://bugs.debian.org/914128 Configure / libpth.U: use realpath --no-symlinks on Debian
    DEBPKG:fixes/x32-io-msg-skip - https://bugs.debian.org/922609 Skip io/msg.t on x32 due to broken System V message queues
    DEBPKG:debian/configure-regen - https://bugs.debian.org/762638 Regenerate Configure et al. after probe unit changes
    DEBPKG:fixes/bignum-recursion - https://bugs.debian.org/1012704 [rt.cpan.org #146411] Fix CPAN RT #146411
    DEBPKG:fixes/math-bigfloat-subclass - https://bugs.debian.org/1043234 Fix Math::BigFloat subclass numeric comparison
    DEBPKG:fixes/unbreak-locale-initialization - [GH #21366] https://bugs.debian.org/1060679 Revert "locale.c: Do uselocale() earlier in init process"
  Built under linux
  Compiled at May 30 2024 19:24:33
  %ENV:
    PERL5LIB="/home/gregoa/src/git-pkg-perl/meta/packages/pkg-perl-tools/lib"
    PERLDOC="-oMan"
  @INC:
    /home/gregoa/src/git-pkg-perl/meta/packages/pkg-perl-tools/lib
    /etc/perl
    /usr/local/lib/x86_64-linux-gnu/perl/5.38.2
    /usr/local/share/perl/5.38.2
    /usr/lib/x86_64-linux-gnu/perl5/5.38
    /usr/share/perl5
    /usr/lib/x86_64-linux-gnu/perl-base
    /usr/lib/x86_64-linux-gnu/perl/5.38
    /usr/share/perl/5.38
    /usr/local/lib/site_perl

Leont commented 3 months ago

I don't think I understand that output. You're setting it appropriately in the config_args, but I'm not seeing those values back in the listed ldflags or lddlflags. As far as I can tell it shouldn't be working with other tools either.

Clearly I'm missing something important here.

gregoa commented 3 months ago

I'm afraid I'm not the most qualified person to explain the details of how this all works together in Debian builds … Maybe @ntyni can help.

What I can say from experience is that various compiler and linker flags are set in the environment by Debian build tools, e.g.

CFLAGS=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/home/gregoa/src/git-pkg-perl/meta/packages/libextutils-builder-compiler-perl=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -ffile-prefix-map=/home/gregoa/src/git-pkg-perl/meta/packages/libextutils-builder-compiler-perl=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
LDFLAGS=-Wl,-z,relro

and typically¹ they are picked up by EUMM and Module::Build{,Tiny} without further ado.

¹ sometimes we have to add patches like

+push @extra_compiler_flags, Module::Build->split_like_shell($ENV{CPPFLAGS});

or

+    CCFLAGS => "$Config{ccflags} $ENV{CFLAGS} $ENV{CPPFLAGS}",
+    LDFLAGS => "$Config{lddlflags} $ENV{LDFLAGS}",
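
Review bot: In the second snippet, `$ENV{CFLAGS}`, `$ENV{CPPFLAGS}` and `$ENV{LDFLAGS}` are interpolated straight into the `CCFLAGS` and `LDFLAGS` strings, so a build run where those variables are unset emits "uninitialized value" warnings under `use warnings` and leaves stray spaces in the flags. Defaulting each with `// ''` keeps the patch quiet both inside and outside a dpkg-buildflags environment.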

Leont commented 3 months ago

I just compiled a perl with -Dldflags=-Wl,-z,relro -Dlddlflags="-shared -Wl,-z,relro", and -Wl,-z,relro showed up in both ldflags and lddlflags. I don't understand why it doesn't for your perl.

Would you be able to post the build output of one of these modules? (it should print the commands it's executing). That may be enlightening.

gregoa commented 3 months ago

Sure, that's crypt-argon2:

…
dpkg-buildpackage: info: source package libcrypt-argon2-perl
dpkg-buildpackage: info: source version 0.026-1
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by gregor herrmann <gregoa@debian.org>
 dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
 debian/rules clean
dh clean
   dh_clean
 dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building libcrypt-argon2-perl using existing ./libcrypt-argon2-perl_0.026.orig.tar.gz
dpkg-source: info: building libcrypt-argon2-perl in libcrypt-argon2-perl_0.026-1.debian.tar.xz
dpkg-source: info: building libcrypt-argon2-perl in libcrypt-argon2-perl_0.026-1.dsc
 debian/rules binary
dh binary
   dh_update_autotools_config
   dh_autoreconf
   dh_auto_configure
    /usr/bin/perl Build.PL --installdirs vendor --config "optimize=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2" --config "ld=x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now"
x86_64-linux-gnu-gcc -msse3 -o try_compilerLKbo.o -c /tmp/Z2m9zN6je4/try_compilerLKbo.c
x86_64-linux-gnu-gcc -o try_compilerLKbo try_compilerLKbo.o
x86_64-linux-gnu-gcc -march=haswell -o try_compilersXht.o -c /tmp/UP5UAou_lR/try_compilersXht.c
x86_64-linux-gnu-gcc -o try_compilersXht try_compilersXht.o
x86_64-linux-gnu-gcc -march=skylake-avx512 -o try_compilerwlIX.o -c /tmp/6LzePID5ks/try_compilerwlIX.c
x86_64-linux-gnu-gcc -o try_compilerwlIX try_compilerwlIX.o
x86_64-linux-gnu-gcc -o try_compilerf4E6.o -c /tmp/4vt4pPWllO/try_compilerf4E6.c
x86_64-linux-gnu-gcc -o try_compilerf4E6 try_compilerf4E6.o
./try_compilerf4E6
Creating new 'Build' script for 'Crypt-Argon2' version '0.026'
   dh_auto_build
    /usr/bin/perl Build
mkdir blib/lib
mkdir blib/arch
mkdir blib/bindoc
mkdir blib/libdoc
mkdir blib/script
mkdir blib/bin
cp lib/Crypt/Argon2.pm blib/lib/Crypt/Argon2.pm
cp script/argon2-calibrate blib/script/argon2-calibrate
make_executable blib/script/argon2-calibrate
manify lib/Crypt/Argon2.pm blib/libdoc/Crypt::Argon2.3pm 3pm
manify script/argon2-calibrate blib/bindoc/argon2-calibrate.1p 1p
parse-xs lib/Crypt/Argon2.xs
x86_64-linux-gnu-gcc -Ilib/Crypt -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DVERSION="0.026" -DHAVE_SSE3 -DXS_VERSION="0.026" -DHAVE_AVX2 -DHAVE_AVX512 -DHAVE_IFUNC -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o lib/Crypt/Argon2.o -c lib/Crypt/Argon2.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_IFUNC -DHAVE_AVX512 -DHAVE_AVX2 -DHAVE_SSE3 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/argon2.o -c src/argon2.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -DHAVE_AVX2 -DHAVE_AVX512 -DHAVE_IFUNC -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/core.o -c src/core.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -DHAVE_AVX2 -DHAVE_AVX512 -DHAVE_IFUNC -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/encoding.o -c src/encoding.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_AVX512 -DHAVE_IFUNC -DHAVE_SSE3 -DHAVE_AVX2 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/thread.o -c src/thread.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_IFUNC -DHAVE_AVX512 -DHAVE_SSE3 -DHAVE_AVX2 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/blake2/blake2b.o -c src/blake2/blake2b.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -DHAVE_AVX2 -DHAVE_IFUNC -DHAVE_AVX512 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/switch.o -c src/switch.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_AVX512 -DHAVE_IFUNC -Dfill_segment=fill_segment_ref -DHAVE_AVX2 -DHAVE_SSE3 -fPIC -pthread -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/ref.o -c src/ref.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_SSE3 -Dfill_segment=fill_segment_sse3 -DHAVE_AVX2 -DHAVE_IFUNC -DHAVE_AVX512 -fPIC -pthread -msse3 -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/sse3.o -c src/opt.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -Dfill_segment=fill_segment_avx2 -DHAVE_AVX2 -DHAVE_SSE3 -DHAVE_IFUNC -DHAVE_AVX512 -fPIC -pthread -march=haswell -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/avx2.o -c src/opt.c
x86_64-linux-gnu-gcc -Iinclude -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DHAVE_AVX512 -DHAVE_IFUNC -Dfill_segment=fill_segment_avx512 -DHAVE_AVX2 -DHAVE_SSE3 -fPIC -pthread -march=skylake-avx512 -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o src/avx512.o -c src/opt.c
mkdir blib/arch/auto/Crypt/Argon2
x86_64-linux-gnu-gcc -shared -o blib/arch/auto/Crypt/Argon2/Argon2.so lib/Crypt/Argon2.o src/argon2.o src/core.o src/encoding.o src/thread.o src/blake2/blake2b.o src/switch.o src/ref.o src/sse3.o src/avx2.o src/avx512.o -fstack-protector-strong -L/usr/local/lib -pthread
   dh_auto_test
    /usr/bin/perl Build test --verbose 1
prove
t/test.t .. 
# Subtest: argon2i(2, 64M, 1, password, somesalt)
    ok 1 - 2:64M:1(password, somesalt) encodes as expected
    ok 2 - 2:64M:1(password, somesalt) matches as expected
    ok 3 - 2:64M:1(password, somesalt) verifies as expected
    1..3
ok 1 - argon2i(2, 64M, 1, password, somesalt)
# Subtest: argon2i(2, 256k, 1, password, somesalt)
    ok 1 - 2:256k:1(password, somesalt) encodes as expected
    ok 2 - 2:256k:1(password, somesalt) matches as expected
    ok 3 - 2:256k:1(password, somesalt) verifies as expected
    1..3
ok 2 - argon2i(2, 256k, 1, password, somesalt)
# Subtest: argon2i(2, 256k, 2, password, somesalt)
    ok 1 - 2:256k:2(password, somesalt) encodes as expected
    ok 2 - 2:256k:2(password, somesalt) matches as expected
    ok 3 - 2:256k:2(password, somesalt) verifies as expected
    1..3
ok 3 - argon2i(2, 256k, 2, password, somesalt)
# Subtest: argon2i(1, 64M, 1, password, somesalt)
    ok 1 - 1:64M:1(password, somesalt) encodes as expected
    ok 2 - 1:64M:1(password, somesalt) matches as expected
    ok 3 - 1:64M:1(password, somesalt) verifies as expected
    1..3
ok 4 - argon2i(1, 64M, 1, password, somesalt)
# Subtest: argon2i(4, 64M, 1, password, somesalt)
    ok 1 - 4:64M:1(password, somesalt) encodes as expected
    ok 2 - 4:64M:1(password, somesalt) matches as expected
    ok 3 - 4:64M:1(password, somesalt) verifies as expected
    1..3
ok 5 - argon2i(4, 64M, 1, password, somesalt)
# Subtest: argon2i(2, 64M, 1, differentpassword, somesalt)
    ok 1 - 2:64M:1(differentpassword, somesalt) encodes as expected
    ok 2 - 2:64M:1(differentpassword, somesalt) matches as expected
    ok 3 - 2:64M:1(differentpassword, somesalt) verifies as expected
    1..3
ok 6 - argon2i(2, 64M, 1, differentpassword, somesalt)
# Subtest: argon2i(2, 64M, 1, password, diffsalt)
    ok 1 - 2:64M:1(password, diffsalt) encodes as expected
    ok 2 - 2:64M:1(password, diffsalt) matches as expected
    ok 3 - 2:64M:1(password, diffsalt) verifies as expected
    1..3
ok 7 - argon2i(2, 64M, 1, password, diffsalt)
# Subtest: needs_rehash
    ok 1 - No rehash with same parameters
    ok 2 - Rehash with different argon2 variant
    ok 3 - Rehash with different time cost
    ok 4 - Rehash with different memory cost
    ok 5 - Rehash with different parallelism
    ok 6 - Rehash with different output length
    ok 7 - Rehash with different salt length
    1..7
ok 8 - needs_rehash
1..8
ok
All tests successful.
Files=1, Tests=8,  1 wallclock secs ( 0.01 usr  0.01 sys +  1.22 cusr  0.38 csys =  1.62 CPU)
Result: PASS
   create-stamp debian/debhelper-build-stamp
   dh_prep
   dh_auto_install --destdir=debian/libcrypt-argon2-perl/
    /usr/bin/perl Build install --destdir /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl --create_packlist 0
install install_map HASH(0x564364ae21b0)
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/auto/Crypt/Argon2/Argon2.so
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/share/man/man1/argon2-calibrate.1p
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/Crypt/Argon2.pm
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/share/man/man3/Crypt::Argon2.3pm
Installing /build/libcrypt-argon2-perl-0.026/debian/libcrypt-argon2-perl/usr/bin/argon2-calibrate
…

ntyni commented 3 months ago

On Sat, Aug 10, 2024 at 07:01:48AM -0700, Leon Timmermans wrote:

> I just compiled a perl with -Dldflags=-Wl,-z,relro -Dlddlflags="-shared -Wl,-z,relro", and -Wl,-z,relro showed up in both ldflags and lddlflags. I don't understand why it doesn't for your perl.

Hi, this is indeed a bit messy. Please accept my apologies for the confusion.

The reason they aren't in $Config{ldflags} and $Config{lddlflags} on Debian despite our Perl being built with them is that we're patching them away from %Config.

https://sources.debian.org/src/perl/5.38.2-5/debian/rules/#L189

The background for this is in https://bugs.debian.org/657853 , particularly https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92 and onwards.

In a nutshell, when we started building Perl itself with hardening flags, we wanted to keep them opt-in for XS modules because there's a risk of breakage.

Both EU::MM and the M::B family indeed pass everything in $Config{ccflags} and $Config{ldflags} / $Config{lddlflags} down to XS module builds. So we'd be forcing them to all XS modules, both those packaged in Debian and those installed manually from CPAN etc.

We decided that this was too intrusive, so we patch the risky flags away from %Config after the Perl build. We still retain them in $Config{config_args} because doing otherwise would feel like lying.

For packaged modules, there's a Debian specific mechanism (dpkg-buildflags) for opting into the hardening flags, and each package is supposed to opt in (or stay out by default) independently. This is implemented by our toolchain (debhelper) calling EU::MM and M::B with appropriate arguments [1, 2] to use the build specific flags in addition to ccflags / ldflags from %Config.

[1] https://sources.debian.org/src/debhelper/13.16/lib/Debian/Debhelper/Buildsystem/perl_makemaker.pm/#L51

[2] https://sources.debian.org/src/debhelper/13.16/lib/Debian/Debhelper/Buildsystem/perl_build.pm/#L58

In this specific issue of Dist::Build apparently not passing linker flags through, our toolchain uses the Module::Build mechanism where we call Build.PL with --config optimize= and --config ld="$Config{ld} ". This is seen in the build log Gregor submitted:

/usr/bin/perl Build.PL --installdirs vendor --config "optimize=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2" --config "ld=x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libcrypt-argon2-perl-0.026=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now"

So, contrary to Gregor's initial assessment we don't expect Dist::Build to look at $ENV{LDFLAGS}, but we would hope that it honours Build.PL --config optimize=xxx and --config ld=zzz like Module::Build does.

(I didn't investigate further yet myself, so can't say if that is already the case and the problem is further down in the stack or whatever.)

Hope this makes sense and I got the details right. Let me know if something doesn't fit. I'm sure these things could be done differently, but this is what we currently have and it's worked pretty well for us for more than ten years.

Thanks for all the work you do on Perl,
-- Niko

Leont commented 3 months ago

Thanks for the clarification @ntyni.

> In this specific issue of Dist::Build apparently not passing linker flags through

I was using cc instead of ld because that's apparently needed on some unices (e.g. AIX), but I should probably limit that to only those unices. Therefore the ld override didn't work as expected.

This should be fixed with ExtUtils::Builder::Compiler 0.020.

gregoa commented 3 months ago

On Sat, 10 Aug 2024 09:17:00 -0700, Leon Timmermans wrote:

> Thanks for the clarification @ntyni.

Indeed!

> In this specific issue of Dist::Build apparently not passing linker flags through
>
> It's using cc instead of ld because that's apparently needed on some unices (e.g. AIX), but I should probably limit that to only those unices.
>
> This should be fixed with ExtUtils::Builder::Compiler 0.020.

Thanks a lot!

I'll try and have a look later tonight and report back.

Cheers, gregor

gregoa commented 3 months ago

I've updated ExtUtils::Builder::Compiler to 0.020 and rebuilt crypt-argon2 and syntax-infix-smartmatch locally against it, and I can confirm that the issue is fixed. Just FYI, extracts of the log for the latter:

 debian/rules binary
dh binary
   dh_update_autotools_config
   dh_autoreconf
   dh_auto_configure
    /usr/bin/perl Build.PL --installdirs vendor --config "optimize=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2" --config "ld=x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now"
Creating new 'Build' script for 'Syntax-Infix-Smartmatch' version '0.007'
   dh_auto_build
    /usr/bin/perl Build
mkdir blib/lib
mkdir blib/arch
mkdir blib/bindoc
mkdir blib/libdoc
mkdir blib/script
mkdir blib/bin
cp lib/Syntax/Infix/Smartmatch.pm blib/lib/Syntax/Infix/Smartmatch.pm
manify lib/Syntax/Infix/Smartmatch.pm blib/libdoc/Syntax::Infix::Smartmatch.3pm 3pm
parse-xs lib/Syntax/Infix/Smartmatch.xs
x86_64-linux-gnu-gcc -Ilib/Syntax/Infix -I/usr/lib/x86_64-linux-gnu/perl/5.38/CORE -DVERSION="0.007" -DXS_VERSION="0.007" -fPIC -I/usr/lib/x86_64-linux-gnu/perl5/5.38/auto/share/dist/XS-Parse-Keyword/include -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -o lib/Syntax/Infix/Smartmatch.o -c lib/Syntax/Infix/Smartmatch.c
mkdir blib/arch/auto/Syntax/Infix/Smartmatch
x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now -shared -o blib/arch/auto/Syntax/Infix/Smartmatch/Smartmatch.so lib/Syntax/Infix/Smartmatch.o -fstack-protector-strong -L/usr/local/lib
   dh_auto_test
    /usr/bin/perl Build test --verbose 1
prove
t/basic.t .. 
ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
ok 7
ok 8
1..8
ok
All tests successful.
Files=1, Tests=8,  1 wallclock secs ( 0.02 usr  0.00 sys +  0.04 cusr  0.00 csys =  0.06 CPU)
Result: PASS
   create-stamp debian/debhelper-build-stamp
   dh_prep
   dh_auto_install --destdir=debian/libsyntax-infix-smartmatch-perl/
    /usr/bin/perl Build install --destdir /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl --create_packlist 0
install install_map HASH(0x55c4f7d53bc0)
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/auto/Syntax/Infix/Smartmatch/Smartmatch.so
Installing /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl/usr/lib/x86_64-linux-gnu/perl5/5.38/Syntax/Infix/Smartmatch.pm
Installing /build/libsyntax-infix-smartmatch-perl-0.007/debian/libsyntax-infix-smartmatch-perl/usr/share/man/man3/Syntax::Infix::Smartmatch.3pm

Thanks again! gregor
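
A minimal build-log check in the spirit of the blhc report quoted at the top of this thread, run over the two link commands posted above (before and after ExtUtils::Builder::Compiler 0.020). This is an added example, not part of the original discussion and not blhc's or lintian's own code; the function names are hypothetical, only `-shared` link steps are inspected, and the compile line in the sample is shortened.

```python
import os
import re
import shlex

# -z keywords this thread is about: "relro" (reported by blhc) and "now"
# (lintian's hardening-no-bindnow tag).
REQUIRED_Z = ("relro", "now")

# Compiler drivers, with an optional cross prefix and version suffix.
COMPILER_RE = re.compile(
    r"(?:.*-)?(?:gcc|g\+\+|cc|c\+\+|clang|clang\+\+)(?:-[\d.]+)?"
)

# Constructed sample: the two link commands are copied from the build logs in
# this thread (before and after the fix); the compile line is shortened.
SAMPLE_LOG = """\
x86_64-linux-gnu-gcc -Iinclude -fPIC -g -O2 -fstack-protector-strong -o src/core.o -c src/core.c
x86_64-linux-gnu-gcc -shared -o blib/arch/auto/Crypt/Argon2/Argon2.so lib/Crypt/Argon2.o src/argon2.o src/core.o src/encoding.o src/thread.o src/blake2/blake2b.o src/switch.o src/ref.o src/sse3.o src/avx2.o src/avx512.o -fstack-protector-strong -L/usr/local/lib -pthread
Creating new 'Build' script for 'Syntax-Infix-Smartmatch' version '0.007'
x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/libsyntax-infix-smartmatch-perl-0.007=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro -Wl,-z,now -shared -o blib/arch/auto/Syntax/Infix/Smartmatch/Smartmatch.so lib/Syntax/Infix/Smartmatch.o -fstack-protector-strong -L/usr/local/lib
"""


def linker_z_keywords(argv):
    """Return the set of -z keywords a compiler-driver command hands to ld."""
    tokens = []
    args = iter(argv)
    for arg in args:
        if arg.startswith("-Wl,"):
            # -Wl,a,b passes "a b" to the linker; "-z" and its keyword may
            # also arrive in two separate -Wl, options.
            tokens.extend(p for p in arg[4:].split(",") if p)
        elif arg == "-z":
            # gcc forwards a bare "-z keyword" pair to the linker as well.
            tokens.extend(["-z", next(args, "")])
    keywords = set()
    for i, tok in enumerate(tokens):
        if tok == "-z" and i + 1 < len(tokens):
            keywords.add(tokens[i + 1])
    return keywords


def audit_link_lines(log_text):
    """Return [(output_file, [missing -z keywords])] for each -shared link."""
    findings = []
    for line in log_text.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:
            # Unbalanced quote in a non-command log line: not a command.
            continue
        if not argv or not COMPILER_RE.fullmatch(os.path.basename(argv[0])):
            continue
        # Only the step that links the shared object; skip compile-only steps.
        if "-shared" not in argv or "-c" in argv:
            continue
        output = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else "a.out"
        present = linker_z_keywords(argv)
        findings.append((output, [k for k in REQUIRED_Z if k not in present]))
    return findings


if __name__ == "__main__":
    for output, missing in audit_link_lines(SAMPLE_LOG):
        status = "missing -z " + ",".join(missing) if missing else "ok"
        print(f"{output}: {status}")
```

A clean result only shows that the flags reached the link command; lintian's tag is based on the installed ELF file, so the binary check remains the authoritative one.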