ID: 688PHID: PHID-TASK-gp57qichrfcnab66l3q4Author: JasonJAyalaPStatus at Migration Time: resolvedPriority at Migration Time: Normal
bindp currently compiles for its debian package.
Compiling during postinstall has its disadvantages (root, not standard in debian), but offers the advantage of making it crossplatform (qubes, 64, 86).
2017-06-15 20:26:42 UTC
For reference, the (relevant, i think) flags that bindp make currently uses:
-ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
2017-06-16 15:43:05 UTC
Due to T599#13695…
gcc -nostartfiles -fpic -shared --entry main bindp.c -o libindp.so -ldl -D_GNU_SOURCE -pie -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/bindp-0.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
To check everything is fine:
checksec --file /usr/lib/bindp/libindp.so
( GitHub - slimm609/checksec.sh: Checksec.sh )
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/lib/bindp/libindp.so
2017-06-16 15:48:37 UTC
Btw this ticket will probably result in users of Non-Qubes-Whonix 13 (i686) being able to upgrade to Non-Qubes-Whonix 14. @HulaHoop
It’s because compilation will be done at package installation (upgrade) time for the platform the user is currently using.
Such Non-Qubes-Whonix 13 → Non-Qubes-Whonix 14 upgraded systems will stay i686 forever. Probably no free resources to think about how to upgrade from i686 to amd64. (Probably same as Debian if that possible at all.)
Downloadable Non-Qubes-Whonix 14 builds will be amd64 only. (Yes, these also run on Intel.)
2017-06-16 19:15:09 UTC
2017-07-08 01:57:45 UTC
https://github.com/Whonix/bindppost
git clone git@github.com:Whonix/bindppost.git
cd bindppost
make deb-icup
It places bindp.c in /usr/lib and compiles it to a .so file. It doesn’t remove the .c file.
Running the compile command manually will show a compiler warning, but it doesn’t show during package install.
I tried to make the most minimal package possible so we can convert it to a template later.
There was a dh-helper warning. Something about #dh-helper # token not being in bindp.postinst. I’m not what to do there.
2017-07-08 10:31:17 UTC
JasonJAyalaP (Jason J. Ayala P.):
JasonJAyalaP added a comment.
https://github.com/Whonix/bindppost
Please don’t create a new package for that. The existing bindp package
If you are unsure about to commit to master, a separate git branch would
2017-07-08 17:34:25 UTC
2017-07-08 17:35:13 UTC
2017-07-08 22:02:56 UTC
git clone git@github.com:Whonix/bindp.git
cd bindp
git checkout bindppost
make deb-icup
If the goal is simply put the libindp.so file into /usr/lib, I think I was successful. @Patrick If it tests fine for you, please merge to master and close this ticket.
2017-07-09 12:31:40 UTC
2017-11-21 17:17:58 UTC