bindp currently compiles for its debian package.
Compiling during postinstall has its disadvantages (root, not standard in debian), but offers the advantage of making it crossplatform (qubes, 64, 86).
Description
Description
Details
Details
- Impact
- Normal
Related Objects
Related Objects
- Mentioned In
- T714: Whonix live mode / grub-live
- Mentioned Here
- T599: bindp libindp.so C code fixes
Event Timeline
Comment Actions
For reference, the (relevant, i think) flags that bindp make currently uses:
-ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
Comment Actions
Due to T599#13695...
gcc -nostartfiles -fpic -shared --entry main bindp.c -o libindp.so -ldl -D_GNU_SOURCE -pie -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/bindp-0.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
To check everything is fine:
checksec --file /usr/lib/bindp/libindp.so
( https://github.com/slimm609/checksec.sh )
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/lib/bindp/libindp.so
Comment Actions
Btw this ticket will probably result in users of Non-Qubes-Whonix 13 (i686) being able to upgrade to Non-Qubes-Whonix 14. @HulaHoop
It's because compilation will be done at package installation (upgrade) time for the platform the user is currently using.
Such Non-Qubes-Whonix 13 -> Non-Qubes-Whonix 14 upgraded systems will stay i686 forever. Probably no free resources to think about how to upgrade from i686 to amd64. (Probably same as Debian if that possible at all.)
Downloadable Non-Qubes-Whonix 14 builds will be amd64 only. (Yes, these also run on Intel.)
Comment Actions
Agreed. If they really want to stick to i686 then they can if they know what they are doing. Otherwise I don't think its a good use of time to support this officially. especially with the recent changes for the KVM version where its just easier to delete and start over.
Comment Actions
https://github.com/Whonix/bindppost
git clone git@github.com:Whonix/bindppost.git cd bindppost make deb-icup
It places bindp.c in /usr/lib and compiles it to a .so file. It doesn't remove the .c file.
Running the compile command manually will show a compiler warning, but it doesn't show during package install.
I tried to make the most minimal package possible so we can convert it to a template later.
There was a dh-helper warning. Something about #dh-helper# token not being in bindp.postinst. I'm not what to do there.
Comment Actions
JasonJAyalaP (Jason J. Ayala P.):
JasonJAyalaP added a comment.
https://github.com/Whonix/bindppost
Please don't create a new package for that. The existing bindp package
should be ported.
If you are unsure about to commit to master, a separate git branch would
be better.
Comment Actions
There was a dh-helper warning. Something about #dh-helper# token not being in bindp.postinst. I'm not what to do there.
Example:
https://github.com/Whonix/sdwdate/blob/master/debian/sdwdate.postinst#L64
It will be replaced by code from debhelper during package build. Such as
for packages using systemd it will add the necessary code.
Comment Actions
JasonJAyalaP (Jason J. Ayala P.):
It doesn't remove the .c file.
That's good. It shouldn't remove the source file.
Comment Actions
git clone git@github.com:Whonix/bindp.git cd bindp git checkout bindppost make deb-icup
If the goal is simply put the libindp.so file into /usr/lib, I think I was successful. @Patrick If it tests fine for you, please merge to master and close this ticket.
Comment Actions
The diff looked very weird. Somehow you reverted to an earlier version of bindp.c. Fixed in master.