canonical / dotnet-source-build

Home of the .NET source build effort for Ubuntu platforms.
GNU General Public License v3.0

Is DEB_CFLAGS_MAINT_SET & DEB_CXXFLAGS_MAINT_SET intentional? #7

Open dviererbe opened 6 days ago

dviererbe commented 6 days ago

I just had an unrelated discussion with Simon about the DEB_flag_MAINT_SET variables of dpkg-buildflags(1). They should not be used, because they overwrite all flags, and if they are used, a comment should explain why they had to be used.

Our rules file contains the DEB_CFLAGS_MAINT_SET & DEB_CXXFLAGS_MAINT_SET flags for arm64 on mantic (Ubuntu 23.10) or later: https://github.com/canonical/dotnet-source-build/blob/29a2a8c248451a9c5edc7eaa5999103f0e264e52/src/rules#L34-L35

In the archive it is further just limited to dotnet6 & dotnet7. dotnet8 does not set these flags.

The commit that adds it to this repo is 450bf967b5b2711a55c62816936edc8eac9e24a3, but that is just a sync from the pre-existing package state. One change it does is apply it consistently to all .NET versions.

The reason for this flag was to fix "Cannot find mkstemps nor mkstemp on this platform." build errors and was added in git-ubuntu with commit 031db21dcde4c97ee01d1e6ba66e59e29e78c660.

See also this (Canonical internal) mattermost thread: https://chat.canonical.com/canonical/pl/xrrbchjfgbnaxkajo4jxgf7iyy

Question 1: Why is this just in the dotnet6 and dotnet7 packages?

Question 2: Is the DEB_*_MAINT_SET style strictly needed? Can it be replaced with something different like DEB_*_MAINT_APPEND or DEB_*_MAINT_PREPEND?

If it turns out that the DEB_*_MAINT_SET style is strictly needed, then we should add a comment that explains why, as Simon suggested.

dviererbe commented 6 days ago

CC: @mateusrodrigues as you worked with Miriam on this. See this (Canonical internal) mattermost thread: https://chat.canonical.com/canonical/pl/aokmic4z77dmfmjdhguc63ue5r

dviererbe commented 6 days ago

From what I read it looks like

  1. you originally proposed:
    export DEB_CFLAGS_MAINT_STRIP = -fstack-clash-protection -mbranch-protection=standard
    export DEB_CXXFLAGS_MAINT_STRIP = -fstack-clash-protection -mbranch-protection=standard
  2. then Miriam suggested setting branch-protection to bti, because stripping would remove all branch protections and standard is equivalent to bti+pac-ret (see the ARM developer documentation), therefore setting branch-protection to bti effectively would just strip the pac-ret protection.
  3. you incorporated this change with
    export DEB_CFLAGS_MAINT_STRIP = -fstack-clash-protection
    export DEB_CXXFLAGS_MAINT_STRIP = -fstack-clash-protection
    export DEB_CFLAGS_MAINT_SET = -mbranch-protection=bti
    export DEB_CXXFLAGS_MAINT_SET = -mbranch-protection=bti

Note: Apparently other libraries using libunwind also failed to build from source on arm64 with branch-protection=standard set at the time. Setting branch-protection to bti was a common solution. I will ask Miriam if she had to use DEB_CFLAGS_MAINT_SET and DEB_CXXFLAGS_MAINT_SET.

dviererbe commented 6 days ago

Miriam agreed that DEB_flag_MAINT_SET should be avoided and using DEB_flag_MAINT_APPEND would be better. She shared how it was implemented in dovecot: https://code.launchpad.net/~mirespace/ubuntu/+source/dovecot/+git/dovecot/+merge/452825

Applied to this situation we would like to change it to:

export DEB_CFLAGS_MAINT_STRIP += -fstack-clash-protection -mbranch-protection=standard
export DEB_CXXFLAGS_MAINT_STRIP += -fstack-clash-protection -mbranch-protection=standard
export DEB_CFLAGS_MAINT_APPEND += -mbranch-protection=bti
export DEB_CXXFLAGS_MAINT_APPEND += -mbranch-protection=bti

I also want to try applying this to all Ubuntu/.NET versions. I think that previous build errors are caused by the DEB_flag_MAINT_SET overwrite.
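The difference between the two variants quoted in this thread, as an added example that is not part of the original discussion or the project's code: a small Python model of how the maintainer variables compose. It assumes the order SET, STRIP, APPEND, PREPEND and uses a constructed baseline flag list; the function names are hypothetical.

```python
import re

# Constructed baseline for illustration only; take the real one for your
# release and architecture from `dpkg-buildflags --get CFLAGS`.
BASELINE = ("-g -O2 -fstack-protector-strong -fstack-clash-protection "
            "-Wformat -Werror=format-security -mbranch-protection=standard")

ASSIGN = re.compile(
    r"^\s*(?:export\s+)?DEB_([A-Z]+)_MAINT_(SET|STRIP|APPEND|PREPEND)\s*(\+?=)\s*(.*)$")

def maint_ops(rules_text, flag):
    """Collect the DEB_<flag>_MAINT_* values from rules-file text."""
    ops = {}
    for line in rules_text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) == flag:
            kind, op, value = m.group(2), m.group(3), m.group(4).split()
            # "+=" accumulates, "=" replaces any earlier assignment.
            ops[kind] = ops.get(kind, []) + value if op == "+=" else value
    return ops

def effective_flags(rules_text, flag="CFLAGS", baseline=BASELINE):
    """Model (assumed order): SET replaces, then STRIP, APPEND, PREPEND."""
    ops = maint_ops(rules_text, flag)
    flags = ops["SET"] if "SET" in ops else baseline.split()
    flags = [f for f in flags if f not in ops.get("STRIP", [])]
    return ops.get("PREPEND", []) + flags + ops.get("APPEND", [])

def unintended_drops(rules_text, flag="CFLAGS", baseline=BASELINE):
    """Baseline flags that vanished without being named in a STRIP line."""
    ops = maint_ops(rules_text, flag)
    kept = effective_flags(rules_text, flag, baseline)
    return [f for f in baseline.split()
            if f not in kept and f not in ops.get("STRIP", [])]

# The two variants quoted in the thread (CFLAGS lines only).
WITH_SET = """\
export DEB_CFLAGS_MAINT_STRIP = -fstack-clash-protection
export DEB_CFLAGS_MAINT_SET = -mbranch-protection=bti
"""
WITH_APPEND = """\
export DEB_CFLAGS_MAINT_STRIP += -fstack-clash-protection -mbranch-protection=standard
export DEB_CFLAGS_MAINT_APPEND += -mbranch-protection=bti
"""

if __name__ == "__main__":
    for name, text in (("SET", WITH_SET), ("APPEND", WITH_APPEND)):
        print(name, effective_flags(text), unintended_drops(text))
```

With the SET variant every baseline flag that was not explicitly stripped disappears as well, including the stack protector and format-security options; with STRIP plus APPEND only the two named flags change.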

dviererbe commented 3 days ago

Nope, this will fail on jammy with "Cannot find mkstemps nor mkstemp on this platform.", but the good message is that it works for mantic, noble and oracular.

Example error section from build log

```
Invoking "/<>/src/runtime/artifacts/source-build/self/src/eng/native/gen-buildsys.sh" "/<>/src/runtime/artifacts/source-build/self/src/src/coreclr" "/<>/src/runtime/artifacts/source-build/self/src/artifacts/obj/coreclr/Linux.arm64.Release" arm64 clang "" "" Release "" -DCLR_CMAKE_PGO_INSTRUMENT=0 -DCLR_CMAKE_OPTDATA_PATH= -DCLR_CMAKE_PGO_OPTIMIZE=0 -DFEATURE_DISTRO_AGNOSTIC_SSL=1 -DCLR_CMAKE_KEEP_NATIVE_SYMBOLS=true /<>/src/runtime/artifacts/source-build/self/src/artifacts/obj/coreclr/Linux.arm64.Release /<>/src/runtime/artifacts/source-build/self/src/src/coreclr
Not searching for unused variables given on the command line.
Re-run cmake no build system arguments
-- The C compiler identification is Clang 14.0.0
-- The CXX compiler identification is Clang 14.0.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/clang-14 - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/clang++-14 - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
Detected Linux ARM64
-- Performing Test COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG
-- Performing Test COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG - Success
-- Performing Test COMPILER_SUPPORTS_W_IMPLICIT_FALLTHROUGH
-- Performing Test COMPILER_SUPPORTS_W_IMPLICIT_FALLTHROUGH - Success
-- The ASM compiler identification is Clang 14.0.0 with GNU-like command-line
-- Found assembler: /usr/bin/clang-14
-- Performing Test HAVE_LTO
-- Performing Test HAVE_LTO - Success
-- Performing Test COMPILER_SUPPORTS_F_ALIGNED_NEW
-- Performing Test COMPILER_SUPPORTS_F_ALIGNED_NEW - Success
-- Performing Test HAVE_DIRENT_D_TYPE
-- Performing Test HAVE_DIRENT_D_TYPE - Success
-- Looking for getauxval
-- Looking for getauxval - found
-- Looking for include file GSS/GSS.h
-- Looking for include file GSS/GSS.h - not found
-- Found ZLIB: /usr/lib/aarch64-linux-gnu/libz.so (found version "1.2.11")
-- Found OpenSSL: /usr/lib/aarch64-linux-gnu/libcrypto.so (found version "3.0.2")
-- Performing Test C_SUPPORTS_WUNGUARDED_AVAILABILITY
-- Performing Test C_SUPPORTS_WUNGUARDED_AVAILABILITY - Failed
-- Performing Test COMPILER_SUPPORTS_W_NO_STRICT_PROTOTYPES
-- Performing Test COMPILER_SUPPORTS_W_NO_STRICT_PROTOTYPES - Failed
-- Looking for include files sys/socket.h, linux/in.h
-- Looking for include files sys/socket.h, linux/in.h - not found
-- Performing Test HAVE_IN_PKTINFO
-- Performing Test HAVE_IN_PKTINFO - Failed
-- Performing Test HAVE_IP_MREQN
-- Performing Test HAVE_IP_MREQN - Failed
-- Performing Test HAVE_STATFS_VFS
-- Performing Test HAVE_STATFS_VFS - Failed
-- Performing Test HAVE_STATFS_MOUNT
-- Performing Test HAVE_STATFS_MOUNT - Failed
-- Performing Test HAVE_FLOCK64
-- Performing Test HAVE_FLOCK64 - Failed
-- Looking for O_CLOEXEC
-- Looking for O_CLOEXEC - not found
-- Looking for F_DUPFD_CLOEXEC
-- Looking for F_DUPFD_CLOEXEC - not found
-- Looking for F_FULLFSYNC
-- Looking for F_FULLFSYNC - not found
-- Looking for getifaddrs
-- Looking for getifaddrs - not found
-- Looking for fork
-- Looking for fork - not found
-- Looking for lseek64
-- Looking for lseek64 - not found
-- Looking for mmap64
-- Looking for mmap64 - not found
-- Looking for ftruncate64
-- Looking for ftruncate64 - not found
-- Looking for posix_fadvise64
-- Looking for posix_fadvise64 - not found
-- Looking for stat64
-- Looking for stat64 - not found
-- Looking for vfork
-- Looking for vfork - not found
-- Looking for pipe2
-- Looking for pipe2 - not found
-- Looking for getmntinfo
-- Looking for getmntinfo - not found
-- Looking for strcpy_s
-- Looking for strcpy_s - not found
-- Looking for strlcpy
-- Looking for strlcpy - not found
-- Looking for strcat_s
-- Looking for strcat_s - not found
-- Looking for strlcat
-- Looking for strlcat - not found
-- Looking for posix_fadvise
-- Looking for posix_fadvise - not found
-- Looking for fallocate
-- Looking for fallocate - not found
-- Looking for preadv
-- Looking for preadv - not found
-- Looking for pwritev
-- Looking for pwritev - not found
-- Looking for ioctl
-- Looking for ioctl - not found
-- Looking for sched_getaffinity
-- Looking for sched_getaffinity - not found
-- Looking for sched_setaffinity
-- Looking for sched_setaffinity - not found
-- Looking for pthread_setcancelstate
-- Looking for pthread_setcancelstate - not found
-- Looking for arc4random_buf
-- Looking for arc4random_buf - not found
-- Looking for TIOCGWINSZ
-- Looking for TIOCGWINSZ - not found
-- Looking for tcgetattr
-- Looking for tcgetattr - not found
-- Looking for tcsetattr
-- Looking for tcsetattr - not found
-- Looking for ECHO
-- Looking for ECHO - not found
-- Looking for ICANON
-- Looking for ICANON - not found
-- Looking for TCSANOW
-- Looking for TCSANOW - not found
-- Looking for cfsetspeed
-- Looking for cfsetspeed - not found
-- Looking for cfmakeraw
-- Looking for cfmakeraw - not found
-- Performing Test HAVE_UTSNAME_DOMAINNAME
-- Performing Test HAVE_UTSNAME_DOMAINNAME - Failed
-- Performing Test HAVE_STAT_BIRTHTIME
-- Performing Test HAVE_STAT_BIRTHTIME - Failed
-- Performing Test HAVE_STAT_FLAGS
-- Performing Test HAVE_STAT_FLAGS - Failed
-- Looking for lchflags
-- Looking for lchflags - not found
-- Performing Test HAVE_STAT_TIMESPEC
-- Performing Test HAVE_STAT_TIMESPEC - Failed
-- Performing Test HAVE_STAT_TIM
-- Performing Test HAVE_STAT_TIM - Failed
-- Performing Test HAVE_STAT_NSEC
-- Performing Test HAVE_STAT_NSEC - Failed
-- Performing Test HAVE_DIRENT_NAME_LEN
-- Performing Test HAVE_DIRENT_NAME_LEN - Failed
-- Performing Test HAVE_STATFS_FSTYPENAME
-- Performing Test HAVE_STATFS_FSTYPENAME - Failed
-- Performing Test HAVE_STATVFS_FSTYPENAME
-- Performing Test HAVE_STATVFS_FSTYPENAME - Failed
-- Looking for statfs
-- Looking for statfs - not found
-- Check size of struct statfs
-- Check size of struct statfs - failed
-- Performing Test HAVE_GNU_STRERROR_R
-- Performing Test HAVE_GNU_STRERROR_R - Failed
-- Performing Test HAVE_READDIR_R
-- Performing Test HAVE_READDIR_R - Failed
-- Performing Test KEVENT_HAS_VOID_UDATA
-- Performing Test KEVENT_HAS_VOID_UDATA - Failed
-- Performing Test HAVE_FDS_BITS
-- Performing Test HAVE_FDS_BITS - Failed
-- Performing Test HAVE_PRIVATE_FDS_BITS
-- Performing Test HAVE_PRIVATE_FDS_BITS - Failed
-- Performing Test HAVE_SENDFILE_4
-- Performing Test HAVE_SENDFILE_4 - Failed
-- Performing Test HAVE_SENDFILE_6
-- Performing Test HAVE_SENDFILE_6 - Failed
-- Performing Test HAVE_SENDFILE_7
-- Performing Test HAVE_SENDFILE_7 - Failed
-- Looking for fcopyfile
-- Looking for fcopyfile - not found
-- Looking for include file sys/sockio.h
-- Looking for include file sys/sockio.h - not found
-- Looking for include file linux/ethtool.h
-- Looking for include file linux/ethtool.h - not found
-- Looking for include file sys/poll.h
-- Looking for include file sys/poll.h - not found
-- Looking for include file sys/proc_info.h
-- Looking for include file sys/proc_info.h - not found
-- Looking for epoll_create1
-- Looking for epoll_create1 - not found
-- Looking for accept4
-- Looking for accept4 - not found
-- Looking for kqueue
-- Looking for kqueue - not found
-- Looking for disconnectx
-- Looking for disconnectx - not found
-- Performing Test HAVE_GETNAMEINFO_SIGNED_FLAGS
-- Performing Test HAVE_GETNAMEINFO_SIGNED_FLAGS - Failed
-- Looking for malloc_size
-- Looking for malloc_size - not found
-- Looking for malloc_usable_size
-- Looking for malloc_usable_size - not found
-- Looking for malloc_usable_size
-- Looking for malloc_usable_size - not found
-- Looking for posix_memalign
-- Looking for posix_memalign - not found
-- Looking for aligned_alloc
-- Looking for aligned_alloc - not found
-- Performing Test HAVE_SHM_OPEN_THAT_WORKS_WELL_ENOUGH_WITH_MMAP
-- Performing Test HAVE_SHM_OPEN_THAT_WORKS_WELL_ENOUGH_WITH_MMAP - Failed
-- Performing Test HAVE_CLOCK_MONOTONIC
-- Performing Test HAVE_CLOCK_MONOTONIC - Failed
-- Performing Test HAVE_CLOCK_REALTIME
-- Performing Test HAVE_CLOCK_REALTIME - Failed
-- Looking for clock_gettime_nsec_np
-- Looking for clock_gettime_nsec_np - not found
-- Looking for pthread_condattr_setclock in pthread
-- Looking for pthread_condattr_setclock in pthread - not found
-- Looking for futimes
-- Looking for futimes - not found
-- Looking for futimens
-- Looking for futimens - not found
-- Looking for utimensat
-- Looking for utimensat - not found
-- Performing Test BIND_ADDRLEN_UNSIGNED
-- Performing Test BIND_ADDRLEN_UNSIGNED - Failed
-- Performing Test IPV6MR_INTERFACE_UNSIGNED
-- Performing Test IPV6MR_INTERFACE_UNSIGNED - Failed
-- Looking for include file sys/inotify.h
-- Looking for include file sys/inotify.h - not found
-- Performing Test INOTIFY_RM_WATCH_WD_UNSIGNED
-- Performing Test INOTIFY_RM_WATCH_WD_UNSIGNED - Failed
-- Checking prototype getpriority for PRIORITY_REQUIRES_INT_WHO
-- Checking prototype getpriority for PRIORITY_REQUIRES_INT_WHO - False
-- Checking prototype kevent for KEVENT_REQUIRES_INT_PARAMS
-- Checking prototype kevent for KEVENT_REQUIRES_INT_PARAMS - False
-- Checking prototype statfs for HAVE_NON_LEGACY_STATFS
-- Checking prototype statfs for HAVE_NON_LEGACY_STATFS - False
-- Performing Test HAVE_MKSTEMPS
-- Performing Test HAVE_MKSTEMPS - Failed
-- Performing Test HAVE_MKSTEMP
-- Performing Test HAVE_MKSTEMP - Failed
CMake Error at /<>/src/runtime/artifacts/source-build/self/src/src/libraries/Native/Unix/configure.cmake:794 (message):
  Cannot find mkstemps nor mkstemp on this platform.
Call Stack (most recent call first):
  /<>/src/runtime/artifacts/source-build/self/src/src/libraries/Native/Unix/CMakeLists.txt:278 (include)
```

See the full build logs for:

So we have to continue doing this for mantic+

mateusrodrigues commented 3 days ago

I don't recall exactly why I went with DEB_flag_MAINT_SET, but DEB_flag_MAINT_APPEND should suffice.

What I do recall is that "Cannot find mkstemps nor mkstemp on this platform." is not representative of the actual error. Since it failed in Jammy, you should look at the configure logs to see what the actual problem was.

I wish I could remember the actual name of the file, but if you build locally with sbuild, let it fail, then run `find . -type f -name 'CMakeConfigureLog*'` within the sbuild build directory, you should get to it (based on the name I got from the docs).
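One way to check a configure log for the pattern described above, where the final "Cannot find mkstemps nor mkstemp" message is a symptom rather than the cause. This is an added example, not part of the thread or the project's code; the sample lines are a subset of the build log quoted earlier on this page, and the `ALWAYS_PRESENT` list and the `triage` function are assumptions made for illustration.

```python
import re

# Matches the result line of a CMake feature probe, e.g.
# "-- Looking for fork - not found" or "-- Performing Test X - Failed".
CHECK = re.compile(
    r"^-- (?:Looking for|Performing Test) (?:include files? )?(\S.*?) - "
    r"(found|not found|Success|Failed)$")

# Names every glibc-based Linux provides (assumption of this example). A
# failed probe for one of these means the probe's compile step itself
# failed, not that the symbol is missing.
ALWAYS_PRESENT = {"fork", "ioctl", "O_CLOEXEC", "posix_memalign"}

def triage(log_text):
    """Summarise CMake feature probes and flag an implausible failure run."""
    results = []
    for line in log_text.splitlines():
        m = CHECK.match(line.strip())
        if m:
            results.append((m.group(1), m.group(2) in ("found", "Success")))
    failed = [name for name, ok in results if not ok]
    impossible = [name for name in failed if name in ALWAYS_PRESENT]
    # Length of the trailing run of failures: a broken compile command
    # fails every probe from the point where the bad flags take effect.
    run = 0
    for _, ok in reversed(results):
        if ok:
            break
        run += 1
    return {"probes": len(results), "failed": len(failed),
            "trailing_failures": run, "impossible": impossible,
            "suspect_toolchain": bool(impossible)}

# Subset of result lines from the build log quoted earlier on this page.
SAMPLE = """\
-- Performing Test HAVE_DIRENT_D_TYPE - Success
-- Looking for getauxval - found
-- Looking for include file GSS/GSS.h - not found
-- Looking for O_CLOEXEC - not found
-- Looking for fork - not found
-- Looking for ioctl - not found
-- Performing Test HAVE_MKSTEMPS - Failed
-- Performing Test HAVE_MKSTEMP - Failed
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

When `suspect_toolchain` is true, the compiler output recorded for the first failing probe in the CMake configure logs is the place to look for the flag or option the compiler rejected.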