This is only actually in use where known supported.
Prepared for a while, also the default in the base system (for NetBSD and
numerous others), introduced on mailing-lists and in my talk "Hardening
pkgsrc", and finally accepted unanimously during pkgsrcCon 2017.
Used by Joyent already (according to jperkin@) and tested in EdgeBSD for a
couple years now (amd64 and i386).
This is only performed if PKG_DEVELOPER and RELRO are in use.
After a suggestion during my talk at BSDCan 2017; thanks!
Also, submitted on tech-pkg@ for review mid-June.
As a next step, it seems this can be extended to libraries, just like the
check for SHLIBS does (from which this is inspired).
Reference the notion of making compilers visible to the build
environment. Mention setting --std flags. Note that the text is
currently aspirtational relative to gcc and C++.
(Comment change only.)
ccache needs to call real compiler and it detects it with looking in $PATH.
In case of usage of /usr/local/bin/clang as the desired pkgsrc $CC option,
it will be shadowed by /usr/pkg/bin/clang if someone will build it in as a
package. Workaround the problem with setting CCACHE_PATH through
PKGSRC_MAKE_ENV. Little bit overzelaously set it to
${CCPATH:H}:${CXXPATH:H}:${CPPATH:H}, just in case that they might be in
different paths. To ensure that they are not shadowed in narrow cases,
there is an option to rename clang to xclang or similar and use it this
way in $PKG_CC.
While there, introduce new user settable option: CCACHE_LOGFILE.
If set, ccache logs to file specified in ${CCACHE_LOGFILE:Q}.
+# CCACHE_LOGFILE
+# If set to a file path, ccache will write information on what it is
+# doing to the specified file. This is useful for tracking down
+# problems.
This fixes another set of problems building large projects like Clang, LLVM
with ccache.
Sponsored by <The NetBSD Foundation>
Introduce Icon Theme cache handling framework
Icon Theme cache files are used by GTK+ and maintained with the
gtk-update-icon-cache tool. Each Icon Theme package duplicates
its own maintainance scripts: only the specified icon theme directory
differs. With this framework, if packages have ICON_THEMES=yes,
associated icon themes will be detected and their cache files will
be maintained automatically.
Change cache handling behaviour as follows:
* Icon theme caches will be updated if either gtk2+ or gtk3+
gtk-update-icon-cache tool is available.
* With installation of gtk2+ package, not only hicolor icon theme but
also any other icon theme cache files will be updated.
* Prevent removal of icon caches at deinstall, gtk3+ may be installed and
using them.
* Ditto with gtk3+, gtk2+ may not be installed now, so caches must be
maintained by gtk3+.
there are further issues with circular dependencies which need to be resolved
before the change to using find from coreutils can be made.
Revert previous change for now.
The ccache.mk file was checking for languages "c" and "c++".
New framework for C++ dialects (or revisions) was setting implicitly c++,
translating e.g. c++11 to c++.
compiler.mk set this c++ after including ccache.mk, so c++ was undefined
and ccache was ignored.
This helps to build large projects like LLVM+Clang+LLDB with ccache.
Sponsored by <The NetBSD Foundation>
@TYPE1INST@ should be replaced with ${TOOLS_PATH.type1inst}.
Before this change, the sed(1) script being generated was not
replaced @TYPE1INST@ at all, and instead generating a no-op
substitution pattern for TTMKFDIR.
LDCONFIG_ADD_CMD and LDCONFIG_REMOVE_CMD are set by emulator/*.mk
in order to update the library search paths in the emulated system
directories. Substitute for those values, but default them to the
empty string so that the default action taken by the "shlibs" task
can be used.
${CROSSBASE} and ${VARBASE} both point to important directories
for installed packages, so always substitute those values into
deinstall/install scripts.
The header template loads pkgtasks' load.subr unconditionally, so
if any script templates are used, then they imply a dependency on
pkgtasks. Trigger the dependency in the "pkgtasks" framework by
setting USE_PKGTASKS to "yes".
Add missing feature from "pkginstall" framework where the config
directory ${PKG_SYSCONFDIR} was automatically created if one of
the following conditions were true:
* PKG_SYSCONFSUBDIR was defined and non-empty.
* Any configuration files were copied into ${PKG_SYSCONFDIR}.
The platform/${OPSYS}.mk files now use platform-specific code to
set ${_OPSYS_SHLIB_TYPE} which is the default value for
${SHLIB_TYPE}. All previous uses of this script to detect the
native shared library type or native executable format have been
removed from pkgsrc.
If ${_USE_NEW_PKGINSTALL} is "yes", then use the new "pkgtasks",
"init", and "pkgformat/pkg"-scripts frameworks instead of the
existing "pkginstall" framework.
Move the files needed to generate +DEINSTALL and +INSTALL scripts
for the "pkg" format into pkgsrc/mk/pkgformat/pkg.
Create new script templates that make use of "pkgtasks" to perform
the actual tasks.
${INIT_SYSTEM} is used to select the type of init system in use on
the system, and currently can be either "rc.d" for the NetBSD rc.d
system, or "smf" for the Solaris Service Management Facility
system.
pkgsrc/mk/init/smf.mk is pkgsrc/mk/smf.mk with some very minor
modifications to fit into the "init" framework.
A full dependency on the "pkgtasks" package will be added if a
non-empty data file is generated by the framework.
This framework is not yet hooked into bsd.pkg.mk, pending some
other changes.
Assert MAKE_DIRS_PERMS and OWN_DIRS_PERMS have the right number of
words before using a multivariable .for loop over those variables.
This prevents errors in parsing the makefiles.
Only four platforms, all BSDs, need to resolve "ELF/a.out" into
either ELF or a.out. Calculate it directly in the platform file
and return the value in ${_OPSYS_SHLIB_TYPE} and export that value
in bsd.prefs.mk as ${SHLIB_TYPE}.
Instead of requiring the file(1) tool, we can expect the base
system of those BSDs to have /usr/bin/file, so make use of it
directly.
while ago, but since then any packages that included both curses and
terminfo ended up with conflicting BUILDLINK_TRANSFORM entries, leaving it
to include ordering to determine whether the builtin or pkgsrc curses was
used. This keeps them in sync, at least by default, though ideally we'd
ensure that at an infrastructure level.
the exec option up until version 9 (Leopard). sysutils/findutils should be used on
prior releases.
This resolves packaging Python modules which utilise lang/python/egg.mk. find(1)
is called here with '{}' +; passed to exec option.
This allows packages to specify the version of the standard that they
require, and the infrastructure then distils that down in a similar way
to GCC_REQD to the newest standard, avoiding clashes with different -std
requirements based on CXXFLAGS.
Broad concensus on tech-pkg and tested in bulk builds.
than on all of the rpaths. We can't always exclude the rpath being added,
for example when the compiler adds its own behind our back, so this avoids
false positives.
The new options are, for FORTIFY:
"no" Do not pass any flags for FORTIFY
"weak" Pass -D_FORTIFY_SOURCE=1
"strong" Pass -D_FORTIFY_SOURCE=2
This allows users to reduce the level of FORTIFY specified if necessary
or desired. The previous setting as "yes" is now equivalent to "strong"
(the default when enabling).
The new options are, for RELRO:
"no" Do not pass any flags for RELRO
"partial" Pass -Wl,-z,relro
"full" Pass -Wl,-z,relro -Wl,-z,now
This allows users to reduce the level of RELRO specified if necessary or
desired. The previous setting as "yes" is now equivalent to "full" (the
default when enabling).
This is intended to match the changes committed by jperkin@ (for SSP)
after our discussion a (long) while back.
No functional change intended (with the settings supported so far).
Changes since 2.4.2 are too numerous to mention, with over 4,700 lines
in the ChangeLog file. However, this release does at least fix a large
number of build failures on SmartOS, and doesn't appear to cause any
obvious regressions in bulk builds performed by Joerg and myself.
Some pkgsrc cleanups while here, including merging the MirBSD patches
correctly. It couldn't be made much clearer how to properly integrate
patches here to ensure they are not lost. Next time you might not be so
fortunate!
When necessary, the flex version is obtained from the version string reported
by running flex. Generally, the first word of the version string is flex and
and the second is a version number. At least for MacOS, there is a third
vendor-specific word. The sed command previously used to capture the flex
version captured the last word, not the second one, because the first capture
group was too greedy and could capture more than a single word. Instead,
force the capture groups to capture only words, i.e., no blanks, and use the
second word for the version.
of this feature has exploded over recent years, this avoids quadratic
complexity for many packages during scan and build phase of a bulk
build. Pbulk logic for exploiting this feature will be committed
separately. Over all, this saves ~66% for wm/xfce4-wm
with initially empty cache and ~90% when the cache is populated. Total
scan time can be cut in half.
- remove three defunct mirrors
- remove xemacs.org - its hoster tux.org went down,
and the master site as well as all the *.xemacs.org
DNS entries are gone
- add two mirrors that run under their own domain name
This large commit accomplishes the following:
1) Switch USE_LANGUAGES=ada to require lang/gcc5-aux (gcc 5.4) instead
of lang/gcc-aux (gcc 4.9.2) on gcc.mk
2) Bump affected ports and fix paths as necessary
3) Upgrade devel/gprbuild to the latest release
- No longer requires lang/gnat_util
- gprslave requires gcc6-aux, so it was disabled for now
4) Fix lang/gnat_util but set PKG_SKIP_REASON
- It has no further purpose in the pkgsrc tree
- It has no practical purpose outside of the pkgsrc tree
- Indicate intent to remove from tree in Jan. 2017
5) Set devel/GPS as failed with PKG_FAIL_REASON
- This version of GPS is several years old and at the time they were
strongly tied to compiler.
- Latest release of GPS require gcc6-aux (not available) and several
new and complex dependencies
- maintainer (me) has no interest to continue supporting it
- Leaving GPS in place until Jan 2017 to give another person chance to
upgrade and take over support
- Latest version in FreeBSD Ports Collection as a reference point
to "auto", which will enable cwrappers if the _OPSYS_SUPPORTS_CWRAPPERS
platform variable is set to "yes".
Switch over to cwrappers by default for Darwin, Linux, and SunOS (except when
using the sunpro compiler).
It's going on 10 years since gcc 3.4 and gcc 4.1 were part of DragonFly.
DF Release 4.4 is the earliest with any kind of support and the earliest
possible GCC version is 4.7 there.
By default CMAKE_INSTALL_PREFIX points to PREFIX, but some software requres
custom subprefix. At least blender and brlcad are in this category.
To set new prefix it's sufficient to set CMAKE_INSTALL_PREFIX in a package,
for example (in brlcad):
CMAKE_INSTALL_PREFIX=${PREFIX}/brlcad
Reviewed by <joerg> and <jperkin>.
In destdir mode (the default), make replace creates the replacement
binary package without modifying the installed system, and then
installs it via pkg_add -u. Thus, the new package is known to have
built and packaged ok before the system is changed, and the risk of
trouble is low; thus the benefit of tarring up the installed package
is very low, especially since the newly-tarred-up package is removed
by "make clean". Using pkg_tarup costs cycles to run and more
importantly causes users to have to install it since it is not an
automatic dependency.
In addition, binary packages are now kept by default when building, so
the old version should be accessible in case of trouble.
This commit does not change the non-destdir case. Almost no one uses
that method, and the relative benefit of tarup is much higher.
simplifies _OPSYS_SYSTEM_RPATH and _OPSYS_LIB_DIRS
permitting lots of stuff using LIBABISUFFIX to work now.
TODO: probably similar for the armv7 platforms as
the pattern '${MACHINE_ARCH}-${LOWER_OPSYS}-gnu${APPEND_ABI}'
seems like it should work for both.
modified patch from Rin Okuyama
PR pkg/50722: do not hardcode lang/gcc48 in gfortran.mk
"looks ok, needs docs" - wiz
"it'll do for now, ideally I'd like something more robust and possibly
integrate into gcc.mk's path selection" - jperkin
in the default environment and provide a config.site overriding the
default libdir settings. This breaks havoc with our PLISTs and expected
library paths, so kill it.
In particular:
OS_VERSION
MACHINE_GNU_PLATFORM
MACHINE_ARCH
MACHINE_GNU_ARCH
LOWER_OS_VERSION
Reason: Only very few packages really need these, many other have false
positives.
Ok jperkin@
- set a sensible default for OCAML_FINDLIB_DIRS (and factorise out
OCAML_SITELIBDIR)
- make it possible not to register any directory by setting
OCAML_FINDLIB_REGISTER to no
"no" Do not pass any stack protection flags (the default)
"yes" Pass -fstack-protector
"strong" Pass -fstack-protector-strong
"all" Pass -fstack-protector-all
This allows users to configure the level of stack smashing protection they
require, and ensures consistent behaviour across platforms. Users running
on NetBSD who previously used the option will need to change "yes" to "all"
to match the previous default configuration for that platform.
While here use _WRAP_EXTRA_ARGS to ensure the flag gets passed regardless
of whether the package honours CFLAGS, and support additional wrappers.
Discussed a while back with khorben, and used in production for the SmartOS
2016Q1 package sets with the "strong" option.
PKG_VERBOSE.
PKG_VERBOSE currently is mostly used consistently in order to pass the `-v'
option to various commands (FETCH_CMD, PATCH, plist/doc-compress,
pkg_delete(1)).
It is also used internally (and a bit less consistently) in other cases to
provide more information mostly useful only for debugging.
ok <bsiegert>
This allows setting flags for PaX on select binaries. Two new variables
are introduced for packages: NOT_PAX_ASLR_SAFE and NOT_PAX_MPROTECT_SAFE.
They both expect a list of binaries are known to not support PaX ASLR
and/or PaX MPROTECT, respectively.
"Please commit" wiz@
with what packages such as multimedia/ffmpeg2 expect, and as so few
packages have texi2html in USE_TOOLS it may be causing more problems
that it is worth to save a few dependencies. PR#51113.
script included in the ocaml-findlib package) and removes the need to call
said script explicitly from PLIST.
Packages that use findlib will now automatically add directories that are
in OCAML_FINDLIB_DIRS (set by default to $(OCAML_SITELIBDIR)/${PKGBASE})
to the file ${PREFIX}/lib/ocaml/ld.conf. This behaviour can be disabled by
undefining OCAML_FINDLIB_REGISTER.
been broken due to NATIVE_MACHINE_ARCH no longer being set to x86_64. Fix
this by introducing HOST_MACHINE_ARCH which refers to the underlying host
architecture rather than bmake's native architecture, thus differentiating
between cross-compiling and multilib.
This is currently only set on Linux as the only OPSYS which currently
requires such a test, but can be expanded to other OPSYS as necessary.
This allows fixing an issue with PKGSRC_MKPIE, where "gcc source.c" would
not work. Some packages rely on this test to determine if a working
compiler is available.
- change Linux x86 from sun-jdk6 to oracle-jdk8
- change SunOS x86 from openjdk7 to openjdk8
- change DragonFly from openjdk7 to openjdk8
leave Darwin at sun-jdk6 for now, not sure how the builtin stuff works ...
- No _GCC_* anything in mk/bsd.prefs.mk;
- No compiler flags in platform files.
Tested again on NetBSD/amd64, with and without cwrappers, with the same
outcome.
With feedback from jperkin@
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead
of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY
is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR)
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits
from functioning.
Tested on NetBSD/amd64 by myself, in every combination, with and without
pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers.
Also, MKPIE is known to still break a number of packages when enabled (and
actually supported).
Tested on SunOS by jperkin@, thank you!
As discussed on tech-pkg@, the default behavior is not changed, except
where noted above.
ok bsiegert@
