Using variables such as PKGSRC_USE_SSP in package Makefiles to disable SSP does
not work due to the parsing order in bsd.prefs.mk. Even if it did, it's not a
good idea to mix user and package settable variables, and would cause issues in
complex packages where bsd.prefs.mk is included early (e.g. Makefile.common).
Packages can now set {MKPIE,MKREPRO,FORTIFY,RELRO,SSP,STACK_CHECK}_SUPPORTED=no
to correctly disable security features if necessary.
Ninka can be installed from wip/ninka and analyzes each file individually,
thereby providing a much more detailed analysis than the ad-hoc method that
only looks at some COPYING files.
If Ninka is not installed, the naive fallback continues to be used.
Before, the first file that looked like a license file was considered.
The others were completely ignored. This led to a wrong license for
cross/arm-none-eabi-gcc. To prevent these cases in the future, the license
is only guessed if there is exactly one file with a typical license name.
This approach is still naive, but at least a little more precise. Replacing
the guess-license with a determine-licenses is much more complicated
though, since each source code file may have its own license declared, and
handling all these special cases leads to very complex license expressions
(like "gnu-gpl-v3 for all files, except for special.c, which is apache-2.0
or mit). This is very hard to do correctly.
It compares the license file from the package with the available licenses
in licenses/ and shows the diff to the best match.
This will hopefully make it easier for package authors to include the
LICENSE variable in the package Makefile. This variable being missing is
one of the most frequent error messages from pkglint (4187 out of 20044).
Third-party (i.e. non-pkgsrc) C toolchains (I am using chromebrew)
install to /usr/local, as that is where you can have write access.
With this, a bootstrap on ChromeOS finishes successfully.
When not using cwrappers, so far PKGSRC_MKPIE was only automatically
applied when linking using gcc(1) (when enabled). This is now also the
case for packages using ld(1) to link executables.
This is only relevant for PKGSRC_MKPIE. It partly reflects a fix that
was committed to the cwrappers for MKPIE, where the "-pie" flag was
automatically added in spite of the linker not actually creating an
executable.
This solves an issue with the command sink component of the MKPIE
wrapper for GCC, where the contents of the _MKPIE_CFLAGS.gcc and
_MKPIE_LDFLAGS.gcc variables was guessed. It is now communicated to
cmd-sink-mkpie-gcc through the environment instead.
The cmd-sink-mkpie-gcc component for PKGSRC_MKPIE support on GCC was
lagging behind the generic one. This makes sure it cannot happen again,
by invoking the generic sink right away.
It currently tackles two problems:
- gcc(1) hard-coding full paths in debugging information (with one
caveat at the moment)
- ar(1) hard-coding user IDs in archive headers
This allows packages built from the same tree and options to produce
identical results bit by bit. This option should be combined with ASLR
and PKGSRC_MKPIE to avoid predictable address offsets for attackers
attempting to exploit security vulnerabilities.
This is still disabled by default, and only supports NetBSD so far.
As discussed on tech-pkg@
Match cwrappers' expectations and place an argument per line in the
configuration. Tokenize the arguments when writing the configuration
instead of inside cwrappers.
This should fix PKGSRC_MKPIE.
This makes sure a simple "cc -o hello hello.c" will still build a valid
executable. It does not let us detect when CFLAGS or LDFLAGS are
ignored anymore, but it is legitimate for packages to expect it to work
without any additional parameter.
ld(1) does not expect "-fPIC" but it seems to be ignored by our wrappers
in this case, so no disruption is expected there.
This adds a detection for Chrome OS and Chromium OS based on /etc/lsb-release,
which sets LOWER_VENDOR, like for other Linux distros. It also sets OS_VARIANT
to the value of LOWER_VENDOR, so we can have conditionals for ChromeOS. It is
missing some things that are silently assumed to be part of Linux base
systems, such as POSIX attr support, NIS and more.
ok jperkin@
