Wednesday, 16 August 2017

Potential indirect fallout due to toolchain updates

Hi,
all of this is just FYI in case you run into something similar.

Recently nut became an FTBFS package, triggered by a combo of:
1. nut's build system having an error
2. nut has default hardening=+all
3. net-snmp configure options disabled -pie
4. changes to our toolchain around PIE

TL;DR:
- due to PIE now being the default, changing hardening= now behaves differently (former "-fPIE" became "", and former "" became "-specs=/usr/share/dpkg/no-pie-compile.specs")
- if set on CFLAGS, in general LDFLAGS need the matching no-pie-link.specs to work
- if you had cases where CFLAGS and LDFLAGS didn't match properly, there are chances they break now, while before the issue was tolerated


--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
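
One way to check a package for the CFLAGS/LDFLAGS mismatch described in the TL;DR, as an added example that is not part of the original message. It assumes a PIE-by-default toolchain and that no-pie-link.specs sits in /usr/share/dpkg/ next to the compile specs; the function names and the sample flag strings are constructed for illustration.

```shell
#!/bin/sh
# Classify a flag string as "pie" or "nopie".
# Assumption: the toolchain defaults to PIE, so a string with no relevant
# flag counts as "pie". Simplification: the last relevant flag wins; real
# specs files are evaluated by gcc with more conditions than this.
pie_mode() {
    mode=pie
    for flag in $1; do
        case "$flag" in
            -specs=*/no-pie-compile.specs|-specs=*/no-pie-link.specs) mode=nopie ;;
            -fno-PIE|-fno-pie|-no-pie) mode=nopie ;;
            -fPIE|-fpie|-pie) mode=pie ;;
        esac
    done
    echo "$mode"
}

# Compare compile-side and link-side flags.
# Returns 0 when both sides agree, 1 when they do not.
check_pie_flags() {
    c=$(pie_mode "$1")
    l=$(pie_mode "$2")
    if [ "$c" = "$l" ]; then
        echo "ok: compile=$c link=$l"
        return 0
    fi
    echo "mismatch: compile=$c link=$l"
    return 1
}

# Constructed sample inputs (not taken from nut or net-snmp).
SPECS_DIR=/usr/share/dpkg
CF_NOPIE="-g -O2 -specs=$SPECS_DIR/no-pie-compile.specs"
LD_PLAIN="-Wl,-z,relro"
LD_NOPIE="-Wl,-z,relro -specs=$SPECS_DIR/no-pie-link.specs"

# The case from the TL;DR: no-pie on the compile side only.
check_pie_flags "$CF_NOPIE" "$LD_PLAIN" || true
# Matching pair: both sides carry their no-pie specs.
check_pie_flags "$CF_NOPIE" "$LD_NOPIE" || true
```

On a real package, the two arguments can be the values printed by `dpkg-buildflags --get CFLAGS` and `dpkg-buildflags --get LDFLAGS` in the build environment.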