commit: ba26a8dafe2ab11ca59c6cacbaf545b687e62f5c |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Thu May 19 05:12:25 2022 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Thu May 19 05:17:46 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba26a8da |
|
dev-libs/openssl: explain why -fno-strict-aliasing |
|
OpenSSL has a scary number of strict aliasing violations |
within its codebase and it is *extremely* unsafe to build |
OpenSSL without this option. |
|
Hence we continue to build with -fno-strict-aliasing, |
like we have done for the last 10 years, but explain |
why in the ebuild. |
|
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
dev-libs/openssl/openssl-1.1.1o.ebuild | 12 +++++++++++- |
dev-libs/openssl/openssl-3.0.3.ebuild | 9 +++++++++ |
2 files changed, 20 insertions(+), 1 deletion(-) |
|
24 |
diff --git a/dev-libs/openssl/openssl-1.1.1o.ebuild b/dev-libs/openssl/openssl-1.1.1o.ebuild |
25 |
index ff2f6ac9a728..48e5e8265b39 100644 |
26 |
--- a/dev-libs/openssl/openssl-1.1.1o.ebuild |
27 |
+++ b/dev-libs/openssl/openssl-1.1.1o.ebuild |
28 |
@@ -106,10 +106,20 @@ src_prepare() { |
29 |
# and 'make depend' uses -Werror for added fun (#417795 again) |
30 |
[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments |
31 |
|
32 |
+ # We really, really need to build OpenSSL w/ strict aliasing disabled. |
33 |
+ # It's filled with violations and it *will* result in miscompiled |
34 |
+ # code. This has been in the ebuild for > 10 years but even in 2022, |
35 |
+ # it's still relevant: |
36 |
+ # - https://github.com/llvm/llvm-project/issues/55255 |
37 |
+ # - https://github.com/openssl/openssl/issues/18225 |
38 |
+ # Don't remove the no strict aliasing bits below! |
39 |
+ filter-flags -fstrict-aliasing |
40 |
append-flags -fno-strict-aliasing |
41 |
- append-flags $(test-flags-CC -Wa,--noexecstack) |
42 |
+ |
43 |
append-cppflags -DOPENSSL_NO_BUF_FREELISTS |
44 |
|
45 |
+ append-flags $(test-flags-CC -Wa,--noexecstack) |
46 |
+ |
47 |
# Prefixify Configure shebang (#141906) |
48 |
sed \ |
49 |
-e "1s,/usr/bin/env,${EPREFIX}&," \ |
50 |
|
51 |
diff --git a/dev-libs/openssl/openssl-3.0.3.ebuild b/dev-libs/openssl/openssl-3.0.3.ebuild |
52 |
index 514ea991ddcc..2af0d8bf7020 100644 |
53 |
--- a/dev-libs/openssl/openssl-3.0.3.ebuild |
54 |
+++ b/dev-libs/openssl/openssl-3.0.3.ebuild |
55 |
@@ -124,7 +124,16 @@ src_prepare() { |
56 |
# and 'make depend' uses -Werror for added fun (bug #417795 again) |
57 |
tc-is-clang && append-flags -Qunused-arguments |
58 |
|
59 |
+ # We really, really need to build OpenSSL w/ strict aliasing disabled. |
60 |
+ # It's filled with violations and it *will* result in miscompiled |
61 |
+ # code. This has been in the ebuild for > 10 years but even in 2022, |
62 |
+ # it's still relevant: |
63 |
+ # - https://github.com/llvm/llvm-project/issues/55255 |
64 |
+ # - https://github.com/openssl/openssl/issues/18225 |
65 |
+ # Don't remove the no strict aliasing bits below! |
66 |
+ filter-flags -fstrict-aliasing |
67 |
append-flags -fno-strict-aliasing |
68 |
+ |
69 |
append-flags $(test-flags-CC -Wa,--noexecstack) |
70 |
|
71 |
# Prefixify Configure shebang (bug #141906) |