The new options are, for FORTIFY:
"no" Do not pass any flags for FORTIFY
"weak" Pass -D_FORTIFY_SOURCE=1
"strong" Pass -D_FORTIFY_SOURCE=2
This allows users to reduce the level of FORTIFY specified if necessary
or desired. The previous setting as "yes" is now equivalent to "strong"
(the default when enabling).
The new options are, for RELRO:
"no" Do not pass any flags for RELRO
"partial" Pass -Wl,-z,relro
"full" Pass -Wl,-z,relro -Wl,-z,now
This allows users to reduce the level of RELRO specified if necessary or
desired. The previous setting as "yes" is now equivalent to "full" (the
default when enabling).
This is intended to match the changes committed by jperkin@ (for SSP)
after our discussion a (long) while back.
No functional change intended (with the settings supported so far).
to "auto", which will enable cwrappers if the _OPSYS_SUPPORTS_CWRAPPERS
platform variable is set to "yes".
Switch over to cwrappers by default for Darwin, Linux, and SunOS (except when
using the sunpro compiler).
"no" Do not pass any stack protection flags (the default)
"yes" Pass -fstack-protector
"strong" Pass -fstack-protector-strong
"all" Pass -fstack-protector-all
This allows users to configure the level of stack smashing protection they
require, and ensures consistent behaviour across platforms. Users running
on NetBSD who previously used the option will need to change "yes" to "all"
to match the previous default configuration for that platform.
While here use _WRAP_EXTRA_ARGS to ensure the flag gets passed regardless
of whether the package honours CFLAGS, and support additional wrappers.
Discussed a while back with khorben, and used in production for the SmartOS
2016Q1 package sets with the "strong" option.
been broken due to NATIVE_MACHINE_ARCH no longer being set to x86_64. Fix
this by introducing HOST_MACHINE_ARCH which refers to the underlying host
architecture rather than bmake's native architecture, thus differentiating
between cross-compiling and multilib.
This is currently only set on Linux as the only OPSYS which currently
requires such a test, but can be expanded to other OPSYS as necessary.
- No _GCC_* anything in mk/bsd.prefs.mk;
- No compiler flags in platform files.
Tested again on NetBSD/amd64, with and without cwrappers, with the same
outcome.
With feedback from jperkin@
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead
of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY
is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR)
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits
from functioning.
Tested on NetBSD/amd64 by myself, in every combination, with and without
pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers.
Also, MKPIE is known to still break a number of packages when enabled (and
actually supported).
Tested on SunOS by jperkin@, thank you!
As discussed on tech-pkg@, the default behavior is not changed, except
where noted above.
ok bsiegert@
Previously there were at least 5 different ways MACHINE_ARCH could be set,
some statically and some at run time, and in many cases these settings
differed, leading to issues at pkg_add time where there was conflict
between the setting encoded into the package and that used by pkg_install.
Instead, move to a single source of truth where the correct value based on
the host and the chosen (or default) ABI is determined in the bootstrap
script. The value can still be overridden in mk.conf if necessary, e.g.
for cross-compiling.
ABI is now set by default and if unset a default is calculated based on
MACHINE_ARCH. This fixes some OS, e.g. Linux, where the wrong default was
previously chosen.
As a result of the refactoring there is no need for LOWER_ARCH, with
references to it replaced by MACHINE_ARCH. SPARC_TARGET_ARCH is also
removed.
Operating Systems.
For SmartOS, store the result from running uname -v & trimming the joyent_
prefix.
For OmniOS, store the result from processing /etc/release with awk(1)
Reviewed by joerg@ bsiegert@
Initial patchset to add support by rodent@
Further adjustments made based on feedback by joerg@
Tested by myself with numerous bulkbuilds thanks to Patrick Wildt @ Bitrig
Reviewed by bsiegert@ joerg@ wiz@
they won't create the subdirectory either. Since the SUBST targets try
to change to WRKSRC first, they fail. This is seen with meta packages
depending on Freetype2 when using X11_TYPE=native.
This is necessary to match what NetBSD `build.sh tools' generates for
cross-compiler toolchains on earm.
Also, split APPEND_ELF into APPEND_ELF and NATIVE_APPEND_ELF, so we
don't get a spurious netbsdelf in NATIVE_MACHINE_GNU_PLATFORM when
cross-compiling on amd64 for earm.
discussion on tech-pkg.
BROKEN_ON_PLATFORM and NOT_FOR_PLATFORM are the same, except that
(now) BROKEN_ON_PLATFORM sets PKG_FAIL_REASON and NOT_FOR_PLATFORM
sets PKG_SKIP_REASON. BROKEN_EXCEPT_FOR_PLATFORM and ONLY_FOR_PLATFORM
correspond in the same way.
The idea is that going forward we will distinguish unbuildable
packages that theoretically ought to be fixed (these are BROKEN) from
packages where it doesn't make sense to build (these are NOT_FOR)...
examples of the former include most non-64-bit-clean packges; examples
of the latter include OS-specific language bindings.
A general review of the uses of NOT_FOR_PLATFORM and ONLY_FOR_PLATFORM
(converting many of them to BROKEN...) is coming up.
Similarly, a general review of the uses of PKG_FAIL_REASON and
PKG_SKIP_REASON is coming up.
For this to become useful, pbulk needs to be taught to report failing
and skipped packages differently - the idea is that failing packages
should be reported up front and skipped packages don't need to be. This
has not been done yet, but one set of things at a time...
This definition controls whether the binary package which is built
during package installation will be copied to pkgsrc/packages/All.
To retain binary packages in pkgsrc/packages/All, set
PKGSRC_KEEP_BIN_PKGS=yes
in environment or MAKECONF. If this is not set, binary packages
will not be preserved after their WRKDIR is removed. This may not
be what you want.
To preserve the status quo since 2013/05/22, and just delete the
binary package after it's built, the default for PKGSRC_KEEP_BIN_PKGS
is "no", or it can be explicitly set.
As reviewed on tech-pkg.
