| 1 |
Peter, |
| 2 |
|
| 3 |
Ok the only remaining things now are uClibc itself and any package that |
| 4 |
conditionally has a PROVIDE=. For the ones that conditionally provide a |
| 5 |
PROVIDE= I assume we can just leave them out of the profile in the first |
| 6 |
place (not sure about the nocompress one till uclibc works). |
| 7 |
|
| 8 |
Next the uClibc. |
| 9 |
I had to look around a bit but found the missing do_rem patch on the |
| 10 |
uClibc mailing list, after getting that one in I went to merge the |
| 11 |
uClibc on a hardened system and we failed with misc ssp errors. |
| 12 |
|
| 13 |
Attempted to drop the uclibc-patches tarball and compile without any of |
| 14 |
those misc patches as they all seem pie-ssp related or unneeded cruft |
| 15 |
that really does not apply to uClibc at all like -z relro. |
| 16 |
|
| 17 |
USE="-*" ebuild uclibc-0.9.26-r1.ebuild clean unpack compile |
| 18 |
.... |
| 19 |
|
| 20 |
* |
| 21 |
* uClibc development/debugging options |
| 22 |
* |
| 23 |
Build uClibc with debugging symbols (DODEBUG) [N/y/?] n |
| 24 |
Build uClibc with run-time assertion testing (DOASSERTS) [N/y/?] n |
| 25 |
Build the shared library loader with debugging support |
| 26 |
(SUPPORT_LD_DEBUG) [N/y/?] n |
| 27 |
Build the shared library loader with early debugging support |
| 28 |
(SUPPORT_LD_DEBUG_EARLY) [N/y/?] n |
| 29 |
Manuel's hidden warnings (UCLIBC_MJN3_ONLY) [N/y/?] n |
| 30 |
+ ./extra/scripts/fix_includes.sh -k /usr -t i386 |
| 31 |
|
| 32 |
|
| 33 |
The file /usr/Makefile is missing! |
| 34 |
Perhaps your kernel source is broken? |
| 35 |
---------------------------------------------------- |
| 36 |
|
| 37 |
Next try with arch=arm (thanks spanky) |
| 38 |
|
| 39 |
Tested on an arm glibc system that's completely non hardened and |
| 40 |
encountered more or less the same ssp problem. |
| 41 |
|
| 42 |
USE="-*" CFLAGS="-fno-stack-protector" |
| 43 |
TARGET_CFLAGS="-fno-stack-protector" |
| 44 |
DISTDIR=/home/solar/overlay/distfiles/ |
| 45 |
PORTDIR_OVERLAY=/home/solar/overlay/ ebuild uclibc-0.9.26-r2.ebuild |
| 46 |
clean unpack compile |
| 47 |
And we fail with ldso errors. |
| 48 |
|
| 49 |
|
| 50 |
Anyway if you care to take another stab at the uclibc ebuild I'd be more |
| 51 |
than happy to test it on some arches and commit it when it's ready. |
| 52 |
|
| 53 |
|
| 54 |
On Tue, 2004-06-15 at 11:51, Ned Ludd wrote: |
| 55 |
> I've mirrored two more of the files you have sent me to the following |
| 56 |
> location so others can get to them. |
| 57 |
> http://dev.gentoo.org/~solar/uclibc/peter_mirror/uClibc-0.9.26-cvs-update-20040613.patch.bz2 |
| 58 |
> http://dev.gentoo.org/~solar/uclibc/peter_mirror/uClibc-0.9.26-patches-1.0.tar.bz2 |
| 59 |
> |
| 60 |
> I've merged a small portion of the app-arch -> sys-apps |
| 61 |
> .ebuilds+uclibc/nls diffs last night till I about passed out. |
| 62 |
> |
| 63 |
> Saving binutils/gcc/uclibc for last. |
| 64 |
> All the .ebuilds with use uclibc &&|| in the global context or requiring |
| 65 |
> changes to virtual/* or PROVIDE= will likely be the ones that will take |
| 66 |
> me/us longer to get in. I want ask SpanKY/vapier to QA those parts. |
| 67 |
> |
| 68 |
> On Tue, 2004-06-15 at 09:13, Peter S. Mazinger wrote: |
| 69 |
> > On 15 Jun 2004, Ned Ludd wrote: |
| 70 |
> > |
| 71 |
> > > Quite impressive Peter. |
| 72 |
> > > I have mirrored your files to |
| 73 |
> > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc-overlay-20040614.tar.bz2 |
| 74 |
> > > and exploded the tarball to |
| 75 |
> > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc/ |
| 76 |
> > > then diffed out the .org files and the .ebuilds the ebuild's patch is |
| 77 |
> > > here |
| 78 |
> > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc-ebuilds-20040614.patch |
| 79 |
> > |
| 80 |
> > this is what I really meant, so others can check what changed |
| 81 |
> > |
| 82 |
> > > and the profile/script data is here |
| 83 |
> > |
| 84 |
> > the script data is yet untested, I have only removed glibc reference from |
| 85 |
> > there |
| 86 |
> > |
| 87 |
> > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/org-uclibc-20040614.patch |
| 88 |
> > > This will be quite a bit of an undertaking I'm hoping mutex, dragonheat |
| 89 |
> > > can help with some of these commits. |
| 90 |
> > > |
| 91 |
> > > How may megs is your resulting stage/images after the initial bootstrap |
| 92 |
> > > process? |
| 93 |
> > |
| 94 |
> > I can't really tell, I do not have managed to build stages (any help |
| 95 |
> > appreciated how to do it from tbz2 files), and my env. has left over files |
| 96 |
> > from my earlier rpms (wouldn't be relevant if counted) |
| 97 |
> > |
| 98 |
> > I can tell that the packages/All directory is 58MB (for emerge system) + |
| 99 |
> > ccache, catalyst |
| 100 |
> > |
| 101 |
> > bigger than 1MB are kbd (the keyboard files are next candidates to strip |
| 102 |
> > down),miscfiles(although stripped, gzipped), ncurses (although not so |
| 103 |
> > many terminfo files, and no additional libs, like menu,panel,form), db4, |
| 104 |
> > automake |
| 105 |
> > bigger than 2MB are libperl, openssl |
| 106 |
> > bigger than 3MB are binutils |
| 107 |
> > bigger than 4MB are python |
| 108 |
> > bigger than 12MB gcc, perl (13MB) |
| 109 |
> > |
| 110 |
> > Is there some way to query portage to tell how much the installed stuff |
| 111 |
> > is? |
| 112 |
> > |
| 113 |
> > I haven't checked how much of this is man-pages and info-files, if the |
| 114 |
> > binaries are really stripped all of them where possible. |
| 115 |
> > |
| 116 |
> > I have attached 2 missing files from distfiles (for uClibc) |
| 117 |
> > |
| 118 |
> > Busybox is not used at all yet. |
| 119 |
> > |
| 120 |
> > There are some things that have to be decide: |
| 121 |
> > 1. will gcc get a c++ use flag? |
| 122 |
> > 2. should groff/man/man-pages/info/install-info be in a stage3 |
| 123 |
> > 3. should ncurses include the full stuff (all libs) |
| 124 |
> > 4. I would remove all the *.so handling by scripts, if they are installed |
| 125 |
> > in /lib, they really only should be installed directly into /usr/lib. |
| 126 |
> > 5. what to do w/ perl (mini/micro-perl are alternatives for the build |
| 127 |
> > system (autotools should work w/ it) but not for a full featured one, no |
| 128 |
> > support for addons) |
| 129 |
> > 6. gettext: as I already said, I would put the *.m4 files into autotools |
| 130 |
> > and remove gettext from the stages |
| 131 |
> > 7. locale/nls support: the current only usable variant is to have uClibc |
| 132 |
> > w/o locale support, and use libintl.{a,h,so} from gettext. |
| 133 |
> > |
| 134 |
> > Peter |
| 135 |
> > |
| 136 |
> > > I'm CC: the hardened mailing list as others there may have an interest |
| 137 |
> > > in your work as this uses the hardened profile and all :) |
| 138 |
> > > |
| 139 |
> > > On Mon, 2004-06-14 at 19:25, Peter S. Mazinger wrote: |
| 140 |
> > > > Hello! |
| 141 |
> > > > |
| 142 |
> > > > This is the overlay directory I used parallel to portage (it has to be |
| 143 |
> > > > there for now, else the included links won't work), that allowed me to |
| 144 |
> > > > build gentoo fully uclibc based (starting from a buildroot config, |
| 145 |
> > > > building manually python/portage, running emerge sync ...) |
| 146 |
> > > > |
| 147 |
> > > > 1. the files directories have only new files and links to the originally |
| 148 |
> > > > used (for x86), the digest/Manifest files were needed to rebuild fully |
| 149 |
> > > > with these configs as an overlay directory, the links because portage |
| 150 |
> > > > can't handle "properly (my opinion)" the overlay directory |
| 151 |
> > > > |
| 152 |
> > > > 2. the ebuilds can be diffed to the corresponding version (as of emerge |
| 153 |
> > > > sync 20040613) to see what I have done |
| 154 |
> > > > |
| 155 |
> > > > 3. some of the changes are not directly uclibc related, they correct |
| 156 |
> > > > typos etc. in the originals, add support to build w/o nls, or strip down |
| 157 |
> > > > the package somewhat |
| 158 |
> > > > |
| 159 |
> > > > 4. the directories profiles, scripts include the original version (*.org) |
| 160 |
> > > > of files too, the new ones have to be copied over the original tree, the |
| 161 |
> > > > overlay support does not allow to have these files at another location. |
| 162 |
> > > > |
| 163 |
> > > > 5. distfiles include new patches for binutils-2.14.90/15.91 and gcc-3.3.3 |
| 164 |
> > > > (these have to be copied to the main distfiles, because again the overlay |
| 165 |
> > > > structure does not support it in another location) |
| 166 |
> > > > |
| 167 |
> > > > 6. I haven't tried yet cascaded profiles, the only profile tested is what |
| 168 |
> > > > I delivered. |
| 169 |
> > > > |
| 170 |
> > > > 7. it builds as it is (haven't tried w/ nls, and that is not really |
| 171 |
> > > > correct in uclibc yet), don't enable nls for now |
| 172 |
> > > > |
| 173 |
> > > > 8. stage building and bootstraping was not tested, because I didn't find |
| 174 |
> > > > an "elegant" way to make a stage1/2/3 from .tbz2 files (any help |
| 175 |
> > > > appreciated, then I could also provide a stage1) |
| 176 |
> > > > |
| 177 |
> > > > 9. for now gettext, yacc (replaced by bison -y), ncompress |
| 178 |
> > > > (uncompress replaced by gzip), bc, bin86, groff, man[-pages] are not a |
| 179 |
> > > > part of an 'emerge system', cracklib got support for gzipped files (so |
| 180 |
> > > > miscfiles is much smaller), w/o groff and man-pages it is not a |
| 181 |
> > > > requirement to have c++ compiler either (this is not implemented, should |
| 182 |
> > > > probably be a flag in gcc, like f77, objc), gnuconfig_update is only |
| 183 |
> > > > needed where configure is run directly, not by econf (econf is hacked to |
| 184 |
> > > > provide the same functionality, as gnuconfig_update), ncurses does not |
| 185 |
> > > > deliver the addon libraries (menu,panel,form). Some told me that gettext |
| 186 |
> > > > can't be removed, else autotools won't run, well I think, the .m4 from |
| 187 |
> > > > gettext could be added to autotools, and than it should be no problem w/o |
| 188 |
> > > > it. |
| 189 |
> > > > |
| 190 |
> > > > 10. added also my make.conf and package.keywords, to show which versions |
| 191 |
> > > > where used, the most is stable stuff, but some have to be ~x86. |
| 192 |
> > > > |
| 193 |
> > > > 11. mainly the shared libs will have problems, to add support for new |
| 194 |
> > > > libs, look at the libtool patches (ltconfig-uclibc for older configures |
| 195 |
> > > > and libtool-1.4.3-uclibc for newer ones) |
| 196 |
> > > > |
| 197 |
> > > > 12. be aware that you have to build the buildroot w/ the same config (and |
| 198 |
> > > > patches), as deduced from the uclibc.ebuild (using in both places the |
| 199 |
> > > > same cvs too). Do not start from uclibc-0.9.26 stable, because it is not |
| 200 |
> > > > binary compatible w/ the current cvs. |
| 201 |
> > > > |
| 202 |
> > > > 13. hardened stuff: gcc uses pie and ssp, but relro/now are disabled, |
| 203 |
> > > > relro is also completely removed from binutils, uclibc does not have |
| 204 |
> > > > support for it (any volunteer to add this to the uclibc's ldso?) |
| 205 |
> > > > |
| 206 |
> > > > 14. CHOST has to be set to *linux-uclibc (not linux-gnu) |
| 207 |
> > > > |
| 208 |
> > > > Peter |
| 209 |
> > > |
| 210 |
-- |
| 211 |
Ned Ludd <solar@g.o> |
| 212 |
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |
Archives