Sergio Durigan Junior <sergiodj@ubuntu.com> schrieb am Fr., 29. Apr. 2022, 20:14:
On Friday, April 29 2022, Andreas Hasenack wrote:
> Hi,
>
> I disabled lto in a build according to the instructions from [1]:
>
> export DEB_BUILD_MAINT_OPTIONS=optimize=-lto
>
> But I saw that it was still present in some steps of the build.
> Notably when krb5/gssapi was used:
> ...
> -- Found GSSAPI: -L/usr/lib/x86_64-linux-gnu/mit-krb5
> -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto
> -Wl,-z,relro -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
> ...
> /usr/bin/cc -fPIC -g -O2
> -ffile-prefix-map=/home/ubuntu/git/packages/mariadb/mariadb-10.6=.
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -Wdate-time -D_FORTIFY_SOURCE=2 -pie -fPIC
> -fstack-protector --param=ssp-buffer-size=4 -Wunused -Wlogical-op
> -Wno-uninitialized -Wall -Wextra -Wformat-security -Wno-init-self
> -Wwrite-strings -Wshift-count-overflow -Wdeclaration-after-statement
> -Wno-undef -Wno-unknown-pragmas -O2 -g -static-libgcc
> -fno-omit-frame-pointer -fno-strict-aliasing -Wno-uninitialized
> -fno-omit-frame-pointer -D_FORTIFY_SOURCE=2 -DDBUG_OFF -Wall
> -Wdeclaration-after-statement -Wextra -Wformat-security
> -Wno-format-truncation -Wno-init-self -Wno-nonnull-compare
> -Wno-unused-parameter -Wvla -Wwrite-strings -DDBUG_OFF
> -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,relro,-z,now -shared -o
> auth_gssapi_client.so
> CMakeFiles/auth_gssapi_client.dir/plugins/auth/auth_gssapi_client.c.o
> CMakeFiles/auth_gssapi_client.dir/plugins/auth/gssapi_client.c.o
> CMakeFiles/auth_gssapi_client.dir/plugins/auth/gssapi_errmsg.c.o
> -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions
> -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -lgssapi_krb5
> -lkrb5 -lk5crypto -lcom_err
>
> Indeed in this case it comes from kerberos/gssapi:
>
> $ krb5-config --libs gssapi
> -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions
> -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -lgssapi_krb5
> -lkrb5 -lk5crypto -lcom_err
>
> That sounds bad. It means only portions of the build will have lto
> disabled, while others will flip it back on. How to sort this out?
> Looks like the krb5 package needs some fixing, but I'm unsure how.
Just reiterating what I told you during standup, this leakage is wrong
and should be fixed in krb5's pkg-config definitions.
Wondering if it would make sense to have pkg-config (and pkgconf) strip stuff when reading the files, or do some fixup in debhelper that works everywhere rather than fixing this per package.
But I also don't know how it got there.
(sorry if phone messed up formatting)
