Checking the archive
Once you've created the package, you can check it follows the guidelines with the command lintian:
lintian "${PACKAGE_NAME}.deb" --info
Here is the list of potential problems: https://lintian.debian.org/tags.html
With Lazarus, you will get by default the hardening-no-pie (and hardening-no-bindnow warnings in mentors). To avoid such warnings, add the following compiler options in the project options:
-Cg
-k-pie
-k-znow
W: myprog: hardening-no-pie usr/bin/myprog
(9015) Linking myprog
/usr/bin/ld: /home/fred/fpc3.2.2/units/x86_64-linux/rtl/si_c.o: warning: relocation in read-only section `.text.n_si_c_$$__fpc_libc_start'
/usr/bin/ld: /home/fred/fpc3.2.2/units/x86_64-linux/rtl/si_c.o: relocation R_X86_64_PC32 against symbol `__libc_start_main@@GLIBC_2.2.5'
can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld: final link failed: bad value
Error: (9013) Error while linking
Fatal: (10026) There were 1 errors compiling module, stopping
Fatal: (1018) Compilation aborted
Dear Fre;D
Debian is a good and stable system for servers.
But it is horrible for the desktop.
There are so many linux distros.
Leave Debian
Winni
fred@fredvs ~> lintian --info lazpaint7.1.6_linux64.deb
W: lazpaint: hardening-no-pie usr/bin/lazpaint
N:
W: hardening-no-pie
N:
N: This package provides an ELF executable that was not compiled as a
N: position independent executable (PIE).
N:
N: In Debian, since version 6.2.0-7 of the gcc-6 package GCC will compile
N: ELF binaries with PIE by default. In most cases a simple rebuild will
N: be sufficient to remove this tag.
N:
N: PIE is required for fully enabling Address Space Layout Randomization
N: (ASLR), which makes "Return-oriented" attacks more difficult.
N:
N: Historically, PIE has been associated with noticeable performance
N: overhead on i386. However, GCC >= 5 has implemented an optimization
N: that can reduce the overhead significantly.
N:
N: If you use dpkg-buildflags with hardening=+all,-pie in
N: DEB_BUILD_MAINT_OPTIONS, remove the -pie.
N:
N: Refer to https://wiki.debian.org/Hardening,
N: https://gcc.gnu.org/gcc-5/changes.html, and
N: https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
N: for details.
N:
N: Severity: warning
N:
N: Check: binaries
N:
Fred, I use
" -Cg -k-pie -k-znow "
with my app and it compiles fine with FPC320, I manage to get the lintian test down to one or two unimportant warnings, this is the lintian command that 'mentors' like you to use -
lintian -IiE --pedantic *.changes
Running that command on most non-repository deb packages can be quite scary ! My build script does not do anything else to make those compiler switches acceptable, so, I suspect maybe there is something in your code that does not want to be relocated ? I really cannot imagine what ....
Davo
If I look at that linking error, it sounds like the startup code was not compiled with -Cg (which is probably FPC's equivalent for -fPIE)
If this is a very new install, it might also have to do something with the glibc changes that Fedora users complain about.
Note that compiling with fpc 3.0.4 or 3.0.5 and -Cg -k-pie -k-znow is ok, no error.
But with fpc 3.2.0 it does not link.
W: tomboy-ng: hardening-no-pie usr/bin/tomboy-ng
N:
W: hardening-no-pie
N:
N: This package provides an ELF executable that was not compiled as a
N: position independent executable (PIE).
N:
N: In Debian, since version 6.2.0-7 of the gcc-6 package GCC will compile
N: ELF binaries with PIE by default. In most cases a simple rebuild will
N: be sufficient to remove this tag.
N:
N: PIE is required for fully enabling Address Space Layout Randomization
N: (ASLR), which makes "Return-oriented" attacks more difficult.
N:
N: Historically, PIE has been associated with noticeable performance
N: overhead on i386. However, GCC >= 5 has implemented an optimization
N: that can reduce the overhead significantly.
N:
N: If you use dpkg-buildflags with hardening=+all,-pie in
N: DEB_BUILD_MAINT_OPTIONS, remove the -pie.
N:
N: Refer to https://wiki.debian.org/Hardening,
N: https://gcc.gnu.org/gcc-5/changes.html, and
N: https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
N: for details.
N:
N: Severity: warning
N:
N: Check: binaries
N:
W: tomboy-ng: synopsis-too-long
N:
W: synopsis-too-long
N:
N: The first line of the "Description:" must be less than 80 characters
N: long.
N:
N: Refer to Debian Policy Manual section 3.4.1 (The single line synopsis)
N: for details.
N:
N: Severity: warning
N:
N: Check: fields/description
N:
N: Renamed from: description-too-long
N:
W: tomboy-ng: syntax-error-in-debian-changelog line 3 "badly formatted heading line"
N:
W: syntax-error-in-debian-changelog
N:
N: While parsing the Debian changelog, a syntax error was found. If you
N: have old changelog entries that don't follow the current syntax but
N: that you want to keep as-is for the historical record, add the line:
N:
N: Old Changelog:
N:
N: with no leading whitespace before the legacy entries. This line and
N: everything after it will be ignored.
N:
N: Refer to Debian Policy Manual section 4.4 (Debian changelog:
N: debian/changelog) for details.
N:
N: Severity: warning
N:
N: Check: debian/changelog
N:
W: tomboy-ng: syntax-error-in-debian-changelog line 3 "found eof where expected more change data or trailer"
The startup code is part of the compiler distribution. Again, when compiling FPC make sure the startup code is compiled with -Cg. It might not be that (it could be that there is an assembler section in that file that doesn't support PIE), but it is worth double checking. Anyway, surprising that x86_64 are not PIE in the first place, I thought that was a given
Sorry but I don't understand "The startup code is part of the compiler distribution."
What is the startup code?
si_c is the startup code for x86_64, iow the piece of code that starts executing when the binary is loaded. Under Linux it is a Pascal unit (rtl/linux/si_c.pp), but with some assembler parts.
Was there a change in that unit in fpc 3.2.0 vs fpc 3.0.4?
Hello Davo.
Hum, I downloaded your last release and this is the result I get with lintian:
...
W: hardening-no-pie
(9015) Linking strumpract
/usr/bin/ld: /usr/lib/fpc/3.3.1/units/x86_64-linux/rtl/si_c.o: warning: relocation against `SI_C_$$_INI_DUMMY' in read-only section `.text.n_si_c_$$__fpc_libc_start'
/usr/bin/ld: warning: creating DT_TEXTREL in a PIE
(1008) 568211 lines compiled, 13.9 sec, 4011360 bytes code, 2658232 bytes data
(1021) 175 warning(s) issued
(1022) 3111 hint(s) issued
(1023) 407 note(s) issued
/home/fred/strumpract/src/strumpract: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.4.0, stripped
Sorry Fred, I have to disagree. If you tried what I suggested, you would too !
Davo
savenote.pas(476,9) Error: Identifier not found "BulletOne"
savenote.pas(476,21) Error: Constant Expression expected
savenote.pas(477,9) Error: Identifier not found "BulletTwo"
savenote.pas(477,21) Error: Constant Expression expected
savenote.pas(477,21) Error: duplicate case label
savenote.pas(478,9) Error: Identifier not found "BulletThree"
savenote.pas(478,21) Error: Constant Expression expected
savenote.pas(478,21) Error: duplicate case label
savenote.pas(479,9) Error: Identifier not found "BulletFour"
savenote.pas(479,21) Error: Constant Expression expected
savenote.pas(479,21) Error: duplicate case label
savenote.pas(480,9) Error: Identifier not found "BulletFive"
savenote.pas(480,21) Error: Constant Expression expected
savenote.pas(480,21) Error: duplicate case label
savenote.pas(481,9) Error: Identifier not found "BulletSix"
savenote.pas(481,21) Error: Constant Expression expected
savenote.pas(481,21) Error: duplicate case label
savenote.pas(482,9) Error: Identifier not found "BulletSeven"
savenote.pas(482,21) Error: Constant Expression expected
savenote.pas(482,21) Error: duplicate case label
savenote.pas(483,9) Error: Identifier not found "BulletEight"
savenote.pas(483,21) Error: Constant Expression expected
savenote.pas(483,21) Error: duplicate case label
Free Pascal Compiler version 3.2.0+dfsg-12 [2021/01/25] for x86_64
Copyright (c) 1993-2020 by Florian Klaempfl and others
Hint: (11030) Start of reading config file /etc/fpc.cfg
Hint: (11031) End of reading config file /etc/fpc.cfg
Free Pascal Compiler version 3.2.0+dfsg-12 [2021/01/25] for x86_64
Copyright (c) 1993-2020 by Florian Klaempfl and others
(1002) Target OS: Linux for x86-64
(3104) Compiling strumpract.pas
...
/usr/bin/ld.bfd: units/filelistform.o: relocation R_X86_64_32S against symbol `TC_$MAIN_$$_HASINIT' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msegui.o: relocation R_X86_64_32S against `.bss.n_u_$msegui_$$_appinst' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/main.o: relocation R_X86_64_32S against symbol `U_$RANDOMNOTE_$$_RANDOMNOTEFO' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/drums.o: relocation R_X86_64_32S against symbol `TC_$DRUMS_$$_WASCREATED' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/songplayer.o: relocation R_X86_64_32S against symbol `_$SONGPLAYER$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/commander.o: relocation R_X86_64_32S against symbol `TC_$COMMANDER_$$_DOCALLBACK' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/config.o: relocation R_X86_64_32S against symbol `U_$UOS_FLAT_$$_UOSDEVICECOUNT' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/guitars.o: relocation R_X86_64_32S against symbol `U_$GUITARS_$$_AGUITAR' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/recorder.o: relocation R_X86_64_32S against symbol `U_$RECORDER_$$_XRECLIVE' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/imagedancer.o: relocation R_X86_64_32S against symbol `_$IMAGEDANCER$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/status.o: relocation R_X86_64_32S against symbol `TC_$STATUS_$$_TYPSTAT' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/spectrum1.o: relocation R_X86_64_32S against symbol `U_$MAIN_$$_MAINFO' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/waveform.o: relocation R_X86_64_32S against symbol `U_$SONGPLAYER_$$_SONGPLAYERFO' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/randomnote.o: relocation R_X86_64_32S against symbol `_$RANDOMNOTE$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/equalizer.o: relocation R_X86_64_32S against symbol `_$EQUALIZER$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/findmessage.o: relocation R_X86_64_32S against symbol `TC_$FINDMESSAGE_$$_IMESSAGES' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/dialogfiles.o: relocation R_X86_64_32S against symbol `TC_$SYSUTILS_$$_DEFAULTFORMATSETTINGS' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/dockpanel1.o: relocation R_X86_64_32S against symbol `TC_$MSEGRAPHUTILS_$$_NULLPOINT' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/mseguiintf.o: relocation R_X86_64_32S against `.bss.n_u_$mseguiintf_$$_stringatom' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msemenus.o: relocation R_X86_64_32S against symbol `RESSTR_$RTLCONSTS_$$_SLISTINDEXERROR' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msefileutils.o: relocation R_X86_64_32S against symbol `TC_$MSEFILEUTILS_$$_SORTFLAGS' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msegraphics.o: relocation R_X86_64_32S against symbol `U_$MSEGRAPHICS_$$_FLUSHGDI' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msegraphutils.o: relocation R_X86_64_32S against symbol `TC_$MSEGRAPHUTILS_$$_DEFAULTNAMEDRGB' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/mseclasses.o: relocation R_X86_64_32S against `.bss.n_u_$mseclasses_$$_fmodules' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/mseforms.o: relocation R_X86_64_32S against `.data.n_TC_$MSEFORMS_$$_CONTAINERCOMMONFLAGS' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msedock.o: relocation R_X86_64_32S against symbol `_$MSEDOCK$_Ld2' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgrapen.o: relocation R_X86_64_32S against symbol `_$BGRAPEN$_Ld3' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgrapath.o: relocation R_X86_64_32S against symbol `_$BGRAPATH$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgrapolygon.o: relocation R_X86_64_32S against symbol `_$BGRAPOLYGON$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgrapolygonaliased.o: relocation R_X86_64_32S against symbol `U_$BGRABITMAPTYPES_$$_GAMMAEXPANSIONTAB' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgrablend.o: relocation R_X86_64_32S against symbol `U_$BGRABITMAPTYPES_$$_GAMMAEXPANSIONTAB' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgraresample.o: relocation R_X86_64_32S against symbol `U_$BGRABITMAPTYPES_$$_BGRAPIXELTRANSPARENT' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgrafillinfo.o: relocation R_X86_64_32S against symbol `_$BGRAFILLINFO$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgragradientscanner.o: relocation R_X86_64_32S against symbol `U_$BGRABITMAPTYPES_$$_GAMMAEXPANSIONTAB' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgrasse.o: relocation R_X86_64_32S against symbol `_$BGRASSE$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/bgraarrow.o: relocation R_X86_64_32S against symbol `_$BGRAARROW$_Ld1' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msedatanodes.o: relocation R_X86_64_32S against symbol `TC_$MSEDATANODES_$$_STATSTATES' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/mseedit.o: relocation R_X86_64_32S against symbol
/usr/bin/ld.bfd: units/msefpreadpng.o: relocation R_X86_64_32S against symbol `TC_$MSEPNGCOMN_$$_CHUNKTYPES' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/mse_zstream.o: relocation R_X86_64_32S against symbol `RESSTR_$MSE_ZSTREAM_$$_SSEEK_FAILED' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: units/msefpimgcmn.o: relocation R_X86_64_32S against `.bss.n_u_$msefpimgcmn_$$_crctable' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /usr/lib/x86_64-linux-gnu/fpc/3.2.0/units/x86_64-linux/rtl/si_c.o: warning: relocation in read-only section `.text.n_si_c_$$__fpc_libc_start'
Error: (9013) Error while linking
Fatal: (10026) There were 1 errors compiling module, stopping
Fatal: (1018) Compilation aborted
Error: /usr/bin/ppcx64 returned an error exitcode
....
I don't have plans to give deb files for the Debian repository, it is for testing the fpc feature and the possibility to create PIE binaries for msegui.
....
Ah, I assumed, incorrectly, that you needed hardening to comply with Debian requirements. I should not guess.
Good luck with msegui, it's a long way out of my limited experience space.
Davo
I have tried the compiler options "-Cg -k-pie -k-znow" but it creates a shared library rather than an executable. Does anybody know how to avoid that?
I have installed the latest trunk using Fpcupdeluxe but it also happens with Lazarus 2.0.12
Han
/path_of_your_pie/yourpieexecutablet: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.4.0, stripped
If there is a " pie" in the result, then ... it is a PIE executable.
What is the reason to prevent execution by a file explorer? Security?
In Ubuntu I get this for file ./executable:
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.4.0, stripped
In Debian:
ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.4.0, stripped
The explorer of Debian LXQt is also calling it a shared library.
That is VERY strange, are you sure it is the same file?
The explorer of Debian LXQt is also calling it a shared library.
Yes, I know, I find it strange too.
If you take a look into /usr/sbin/ directory, all the executables are called "Shared Library".
In fact they are PIE executables, not libraries (or maybe a PIE executable is called shared library by the purists).
See picture of my /usr/sbin/
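The points raised in this thread (hardening-no-pie, hardening-no-bindnow, the linker's "creating DT_TEXTREL in a PIE" warning, and "shared object" versus "pie executable" labels) all come down to a few ELF header and dynamic-section fields. The following is an added example, not code from any post or from lintian: a Python reader for little-endian ELF64 files that reports those fields. The names `elf_hardening` and `sample_elf` are hypothetical, the sample images are constructed, and treating ET_DYN plus an interpreter or the DF_1_PIE flag as "PIE" is a heuristic assumed here.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                      # e_type values
PT_DYNAMIC, PT_INTERP = 2, 3                # program header types
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW = 0x4, 0x8          # bits in DT_FLAGS
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000        # bits in DT_FLAGS_1

def elf_hardening(data):
    """Report PIE, bind-now and text-relocation status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp, tags = False, {}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                tags[tag] = val
    flags, flags1 = tags.get(DT_FLAGS, 0), tags.get(DT_FLAGS_1, 0)
    return {
        "type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, hex(e_type)),
        # ET_DYN alone cannot tell a PIE from a library; use the PIE flag or an interpreter.
        "pie": e_type == ET_DYN and (has_interp or bool(flags1 & DF_1_PIE)),
        "bind_now": DT_BIND_NOW in tags or bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW),
        "textrel": DT_TEXTREL in tags or bool(flags & DF_TEXTREL),
    }

def sample_elf(e_type, dyn, interp=True):
    """Constructed input: ELF header, program headers and a dynamic section only."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    phdrs = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1)] if interp else []
    dyn_off = 64 + 56 * (len(phdrs) + 1)
    phdrs.append((PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn_bytes

if __name__ == "__main__":
    samples = {  # constructed images standing in for the builds discussed above
        "non-PIE build": sample_elf(ET_EXEC, []),
        "-Cg -k-pie -k-znow": sample_elf(
            ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)]),
        "PIE with DT_TEXTREL": sample_elf(
            ET_DYN, [(DT_TEXTREL, 0), (DT_FLAGS, DF_TEXTREL), (DT_FLAGS_1, DF_1_PIE)]),
        "shared library": sample_elf(ET_DYN, [], interp=False),
    }
    for name, image in samples.items():
        print(f"{name:22} {elf_hardening(image)}")
```

To check a real binary, pass its bytes: `elf_hardening(open(path, "rb").read())`. A result with `textrel` set means the text segment still needs load-time relocations, which is what the DT_TEXTREL linker warning in the thread reports.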