| 1 |
On Tue, 2004-06-22 at 07:41, Peter S. Mazinger wrote: |
| 2 |
> On 21 Jun 2004, Ned Ludd wrote: |
| 3 |
> |
| 4 |
> > Peter, |
| 5 |
> > |
| 6 |
> > Ok the only remaining things now are uClibc itself and any package that |
| 7 |
> > conditionally has a PROVIDE=. For the ones that conditionally provide a |
| 8 |
> > PROVIDE= I assume we can just leave them out of the profile in the first |
| 9 |
> > place (not sure about the nocompress one till uclibc works). |
| 10 |
> |
| 11 |
> could be left out, the only that we really need (but can be replaced by a |
| 12 |
> versioning condition is gnuconfig-uclibc) |
| 13 |
> |
| 14 |
> > |
| 15 |
> > Next the uClibc. |
| 16 |
> > I had to look around a bit but found the missing do_rem patch on the |
| 17 |
> > uClibc mailing list, after getting that one in I went to merge the |
| 18 |
> > uClibc on a hardened system and we failed with misc ssp errors. |
| 19 |
> |
| 20 |
> sorry, if I have forgotten to send it to you |
| 21 |
No biggie. |
| 22 |
|
| 23 |
> |
| 24 |
> > |
| 25 |
> > Attempted to drop the uclibc-patches tarball and compile without any of |
| 26 |
> > those misc patches as they all seem pie-ssp related or unneeded cruft |
| 27 |
> > that really does not apply to uClibc at all like -z relro. |
| 28 |
> |
| 29 |
> I do not use the relro/now patches, the ebuild removes them for now (they |
| 30 |
> are only for completeness) |
| 31 |
|
| 32 |
After talking to mjn3 I don't think relro will even be considered for |
| 33 |
uClibc till some time after 1.0 |
| 34 |
|
| 35 |
> |
| 36 |
> > |
| 37 |
> > USE="-*" ebuild uclibc-0.9.26-r1.ebuild clean unpack compile |
| 38 |
> |
| 39 |
> have you done this in a buildroot, or on a glibc portage based system? |
| 40 |
|
| 41 |
glibc.. Has to be glibc at first as there exists no seed stage yet with |
| 42 |
supporting portage shared objects. |
| 43 |
Point being is that the uclibc.ebuild is a no go.. I can't merge |
| 44 |
something that fails to test properly. If it fails on a glibc system |
| 45 |
then it will never be accepted into portage. uClibc (old wrapper style) |
| 46 |
is already used by misc gentoo projects for PXE netbooting etc. |
| 47 |
|
| 48 |
> I do not support any glibc system, only uclibc based (cross-compiling and |
| 49 |
> so on should be left out), |
| 50 |
|
| 51 |
> also nls should be disabled (as I said nls the |
| 52 |
> only usable way would be to have uclibc w/o locale and get libintl.* files |
| 53 |
> from gettext. |
| 54 |
|
| 55 |
Yeah I encountered the nls thing on the arm at first and then opted to |
| 56 |
USE="-*" |
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
> |
| 61 |
> > .... |
| 62 |
> > |
| 63 |
> > * |
| 64 |
> > * uClibc development/debugging options |
| 65 |
> > * |
| 66 |
> > Build uClibc with debugging symbols (DODEBUG) [N/y/?] n |
| 67 |
> > Build uClibc with run-time assertion testing (DOASSERTS) [N/y/?] n |
| 68 |
> > Build the shared library loader with debugging support |
| 69 |
> > (SUPPORT_LD_DEBUG) [N/y/?] n |
| 70 |
> > Build the shared library loader with early debugging support |
| 71 |
> > (SUPPORT_LD_DEBUG_EARLY) [N/y/?] n |
| 72 |
> > Manuel's hidden warnings (UCLIBC_MJN3_ONLY) [N/y/?] n |
| 73 |
> > + ./extra/scripts/fix_includes.sh -k /usr -t i386 |
| 74 |
> > |
| 75 |
> > |
| 76 |
> > The file /usr/Makefile is missing! |
| 77 |
> |
| 78 |
> you need kernel-headers installed in /usr/include and my Makefile patch |
| 79 |
> |
| 80 |
> > Perhaps your kernel source is broken? |
| 81 |
> > ---------------------------------------------------- |
| 82 |
> > |
| 83 |
> > Next try with arch=arm (thanks spanky) |
| 84 |
> > |
| 85 |
> > Tested on an arm glibc system that's completely non hardened and |
| 86 |
> > encountered more or less the same ssp problem. |
| 87 |
> > |
| 88 |
> > USE="-*" CFLAGS="-fno-stack-protector" |
| 89 |
> > TARGET_CFLAGS="-fno-stack-protector" |
| 90 |
> > DISTDIR=/home/solar/overlay/distfiles/ |
| 91 |
> > PORTDIR_OVERLAY=/home/solar/overlay/ ebuild uclibc-0.9.26-r2.ebuild |
| 92 |
> > clean unpack compile |
| 93 |
> > And we fail with ldso errors. |
| 94 |
> |
| 95 |
> it's normal, because you haven't applied the ssp patches, that add |
| 96 |
> -fno-stack-protector[-all] to ldso and libc build makefiles |
| 97 |
> |
| 98 |
> > |
| 99 |
> > |
| 100 |
> > Anyway if you care to take another stab at the uclibc ebuild I'd be more |
| 101 |
> > than happy to test it on some arches and commit it when it's ready. |
| 102 |
> |
| 103 |
> maybe I can upload tomorrow my tbz2 files, so anybody could start from a |
| 104 |
> "clean" uclibc env. |
| 105 |
> |
| 106 |
> Peter |
| 107 |
> |
| 108 |
> > On Tue, 2004-06-15 at 11:51, Ned Ludd wrote: |
| 109 |
> > > I've mirrored two more of the files you have sent me to the following |
| 110 |
> > > location so others can get to them. |
| 111 |
> > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/uClibc-0.9.26-cvs-update-20040613.patch.bz2 |
| 112 |
> > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/uClibc-0.9.26-patches-1.0.tar.bz2 |
| 113 |
> > > |
| 114 |
> > > I've merged a small portion of the app-arch -> sys-apps |
| 115 |
> > > .ebuilds+uclibc/nls diffs last night till I about passed out. |
| 116 |
> > > |
| 117 |
> > > Saving binutils/gcc/uclibc for last. |
| 118 |
> > > All the .ebuilds with use uclibc &&|| in the global context or requiring |
| 119 |
> > > changes to virtual/* or PROVIDE= will likely be the ones that will take |
| 120 |
> > > me/us longer to get in. I want ask SpanKY/vapier to QA those parts. |
| 121 |
> > > |
| 122 |
> > > On Tue, 2004-06-15 at 09:13, Peter S. Mazinger wrote: |
| 123 |
> > > > On 15 Jun 2004, Ned Ludd wrote: |
| 124 |
> > > > |
| 125 |
> > > > > Quite impressive Peter. |
| 126 |
> > > > > I have mirrored your files to |
| 127 |
> > > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc-overlay-20040614.tar.bz2 |
| 128 |
> > > > > and exploded the tarball to |
| 129 |
> > > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc/ |
| 130 |
> > > > > then diffed out the .org files and the .ebuilds the ebuild's patch is |
| 131 |
> > > > > here |
| 132 |
> > > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc-ebuilds-20040614.patch |
| 133 |
> > > > |
| 134 |
> > > > this is what I really meant, so others can check what changed |
| 135 |
> > > > |
| 136 |
> > > > > and the profile/script data is here |
| 137 |
> > > > |
| 138 |
> > > > the script data is yet untested, I have only removed glibc reference from |
| 139 |
> > > > there |
| 140 |
> > > > |
| 141 |
> > > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/org-uclibc-20040614.patch |
| 142 |
> > > > > This will be quite a bit of an undertaking I'm hoping mutex, dragonheat |
| 143 |
> > > > > can help with some of these commits. |
| 144 |
> > > > > |
| 145 |
> > > > > How may megs is your resulting stage/images after the initial bootstrap |
| 146 |
> > > > > process? |
| 147 |
> > > > |
| 148 |
> > > > I can't really tell, I do not have managed to build stages (any help |
| 149 |
> > > > appreciated how to do it from tbz2 files), and my env. has left over files |
| 150 |
> > > > from my earlier rpms (wouldn't be relevant if counted) |
| 151 |
> > > > |
| 152 |
> > > > I can tell that the packages/All directory is 58MB (for emerge system) + |
| 153 |
> > > > ccache, catalyst |
| 154 |
> > > > |
| 155 |
> > > > bigger than 1MB are kbd (the keyboard files are next candidates to strip |
| 156 |
> > > > down),miscfiles(although stripped, gzipped), ncurses (although not so |
| 157 |
> > > > many terminfo files, and no additional libs, like menu,panel,form), db4, |
| 158 |
> > > > automake |
| 159 |
> > > > bigger than 2MB are libperl, openssl |
| 160 |
> > > > bigger than 3MB are binutils |
| 161 |
> > > > bigger than 4MB are python |
| 162 |
> > > > bigger than 12MB gcc, perl (13MB) |
| 163 |
> > > > |
| 164 |
> > > > Is there some way to query portage to tell how much the installed stuff |
| 165 |
> > > > is? |
| 166 |
> > > > |
| 167 |
> > > > I haven't checked how much of this is man-pages and info-files, if the |
| 168 |
> > > > binaries are really stripped all of them where possible. |
| 169 |
> > > > |
| 170 |
> > > > I have attached 2 missing files from distfiles (for uClibc) |
| 171 |
> > > > |
| 172 |
> > > > Busybox is not used at all yet. |
| 173 |
> > > > |
| 174 |
> > > > There are some things that have to be decide: |
| 175 |
> > > > 1. will gcc get a c++ use flag? |
| 176 |
> > > > 2. should groff/man/man-pages/info/install-info be in a stage3 |
| 177 |
> > > > 3. should ncurses include the full stuff (all libs) |
| 178 |
> > > > 4. I would remove all the *.so handling by scripts, if they are installed |
| 179 |
> > > > in /lib, they really only should be installed directly into /usr/lib. |
| 180 |
> > > > 5. what to do w/ perl (mini/micro-perl are alternatives for the build |
| 181 |
> > > > system (autotools should work w/ it) but not for a full featured one, no |
| 182 |
> > > > support for addons) |
| 183 |
> > > > 6. gettext: as I already said, I would put the *.m4 files into autotools |
| 184 |
> > > > and remove gettext from the stages |
| 185 |
> > > > 7. locale/nls support: the current only usable variant is to have uClibc |
| 186 |
> > > > w/o locale support, and use libintl.{a,h,so} from gettext. |
| 187 |
> > > > |
| 188 |
> > > > Peter |
| 189 |
> > > > |
| 190 |
> > > > > I'm CC: the hardened mailing list as others there may have an interest |
| 191 |
> > > > > in your work as this uses the hardened profile and all :) |
| 192 |
> > > > > |
| 193 |
> > > > > On Mon, 2004-06-14 at 19:25, Peter S. Mazinger wrote: |
| 194 |
> > > > > > Hello! |
| 195 |
> > > > > > |
| 196 |
> > > > > > This is the overlay directory I used parallel to portage (it has to be |
| 197 |
> > > > > > there for now, else the included links won't work), that allowed me to |
| 198 |
> > > > > > build gentoo fully uclibc based (starting from a buildroot config, |
| 199 |
> > > > > > building manually python/portage, running emerge sync ...) |
| 200 |
> > > > > > |
| 201 |
> > > > > > 1. the files directories have only new files and links to the originally |
| 202 |
> > > > > > used (for x86), the digest/Manifest files were needed to rebuild fully |
| 203 |
> > > > > > with these configs as an overlay directory, the links because portage |
| 204 |
> > > > > > can't handle "properly (my opinion)" the overlay directory |
| 205 |
> > > > > > |
| 206 |
> > > > > > 2. the ebuilds can be diffed to the corresponding version (as of emerge |
| 207 |
> > > > > > sync 20040613) to see what I have done |
| 208 |
> > > > > > |
| 209 |
> > > > > > 3. some of the changes are not directly uclibc related, they correct |
| 210 |
> > > > > > typos etc. in the originals, add support to build w/o nls, or strip down |
| 211 |
> > > > > > the package somewhat |
| 212 |
> > > > > > |
| 213 |
> > > > > > 4. the directories profiles, scripts include the original version (*.org) |
| 214 |
> > > > > > of files too, the new ones have to be copied over the original tree, the |
| 215 |
> > > > > > overlay support does not allow to have these files at another location. |
| 216 |
> > > > > > |
| 217 |
> > > > > > 5. distfiles include new patches for binutils-2.14.90/15.91 and gcc-3.3.3 |
| 218 |
> > > > > > (these have to be copied to the main distfiles, because again the overlay |
| 219 |
> > > > > > structure does not support it in another location) |
| 220 |
> > > > > > |
| 221 |
> > > > > > 6. I haven't tried yet cascaded profiles, the only profile tested is what |
| 222 |
> > > > > > I delivered. |
| 223 |
> > > > > > |
| 224 |
> > > > > > 7. it builds as it is (haven't tried w/ nls, and that is not really |
| 225 |
> > > > > > correct in uclibc yet), don't enable nls for now |
| 226 |
> > > > > > |
| 227 |
> > > > > > 8. stage building and bootstraping was not tested, because I didn't find |
| 228 |
> > > > > > an "elegant" way to make a stage1/2/3 from .tbz2 files (any help |
| 229 |
> > > > > > appreciated, then I could also provide a stage1) |
| 230 |
> > > > > > |
| 231 |
> > > > > > 9. for now gettext, yacc (replaced by bison -y), ncompress |
| 232 |
> > > > > > (uncompress replaced by gzip), bc, bin86, groff, man[-pages] are not a |
| 233 |
> > > > > > part of an 'emerge system', cracklib got support for gzipped files (so |
| 234 |
> > > > > > miscfiles is much smaller), w/o groff and man-pages it is not a |
| 235 |
> > > > > > requirement to have c++ compiler either (this is not implemented, should |
| 236 |
> > > > > > probably be a flag in gcc, like f77, objc), gnuconfig_update is only |
| 237 |
> > > > > > needed where configure is run directly, not by econf (econf is hacked to |
| 238 |
> > > > > > provide the same functionality, as gnuconfig_update), ncurses does not |
| 239 |
> > > > > > deliver the addon libraries (menu,panel,form). Some told me that gettext |
| 240 |
> > > > > > can't be removed, else autotools won't run, well I think, the .m4 from |
| 241 |
> > > > > > gettext could be added to autotools, and than it should be no problem w/o |
| 242 |
> > > > > > it. |
| 243 |
> > > > > > |
| 244 |
> > > > > > 10. added also my make.conf and package.keywords, to show which versions |
| 245 |
> > > > > > where used, the most is stable stuff, but some have to be ~x86. |
| 246 |
> > > > > > |
| 247 |
> > > > > > 11. mainly the shared libs will have problems, to add support for new |
| 248 |
> > > > > > libs, look at the libtool patches (ltconfig-uclibc for older configures |
| 249 |
> > > > > > and libtool-1.4.3-uclibc for newer ones) |
| 250 |
> > > > > > |
| 251 |
> > > > > > 12. be aware that you have to build the buildroot w/ the same config (and |
| 252 |
> > > > > > patches), as deduced from the uclibc.ebuild (using in both places the |
| 253 |
> > > > > > same cvs too). Do not start from uclibc-0.9.26 stable, because it is not |
| 254 |
> > > > > > binary compatible w/ the current cvs. |
| 255 |
> > > > > > |
| 256 |
> > > > > > 13. hardened stuff: gcc uses pie and ssp, but relro/now are disabled, |
| 257 |
> > > > > > relro is also completely removed from binutils, uclibc does not have |
| 258 |
> > > > > > support for it (any volunteer to add this to the uclibc's ldso?) |
| 259 |
> > > > > > |
| 260 |
> > > > > > 14. CHOST has to be set to *linux-uclibc (not linux-gnu) |
| 261 |
> > > > > > |
| 262 |
> > > > > > Peter |
| 263 |
> > > > > |
| 264 |
> > |
| 265 |
> |
| 266 |
> |
| 267 |
> |
| 268 |
> -- |
| 269 |
> gentoo-embedded@g.o mailing list |
| 270 |
-- |
| 271 |
Ned Ludd <solar@g.o> |
| 272 |
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |
Archives