[Rcpp-devel] building RInside under debian

Dirk Eddelbuettel edd at debian.org
Mon Aug 31 00:17:01 CEST 2015 

Hi Jonathon,

On 30 August 2015 at 16:09, Jonathon Love wrote:
| hi,
| 
| i'm building RInside on debian, and am interested in the hardening
| arguments to g++

Sure.

I guess you understand we are now in a very OS-flavour specific environment?

| building RInside results in the following calls:
| 
|     g++ -I/usr/share/R/include -DNDEBUG -I. -I../inst/include/ 
| -I"/usr/lib/R/site-library/Rcpp/include"   -fpic  -g -O2
| -fstack-protector-strong -Wformat -Werror=format-security
| -D_FORTIFY_SOURCE=2 -g  -c MemBuf.cpp -o MemBuf.o
|     g++ -I/usr/share/R/include -DNDEBUG -I. -I../inst/include/ 
| -I"/usr/lib/R/site-library/Rcpp/include"   -fpic  -g -O2
| -fstack-protector-strong -Wformat -Werror=format-security
| -D_FORTIFY_SOURCE=2 -g  -c RInside.cpp -o RInside.o
|     g++ -shared -L/usr/lib/R/lib -Wl,-z,relro -o RInside.so MemBuf.o
| RInside.o -L/usr/lib/R/lib -lR
|     g++ -o libRInside.so MemBuf.o RInside.o -shared   -L/usr/lib/R/lib -lR
| 
| these are correct, and the hardening flags are present

Those flags are all OS defaults, and appear to be passed down to the CFLAGS
and PKG_CFLAGS (and CXX variants) automagically.

| (-D_FORTIFY_SOURCE, -Wl,-z,relro, etc. etc.), except for the fourth
| command, which is lacking them. if i drill down in Makevars to the line:
| 
|     $(USERLIB): $(OBJECTS)
|         $(SHLIB_CXXLD) -o $(USERLIB) $^ $(SHLIB_CXXLDFLAGS) $(ALL_LIBS)
| 
| then add a variable, and add it to the call:
| 
| HARDEN_LD = $(shell dpkg-buildflags --get LDFLAGS)

This is no longer portable as not all system using src/Makevars will have
dpkg-buildflags.   If we really wanted to we could test for presence of
/usr/bin/dpkg-buildflags just like the following line does to detect the OS X
use case where we need install_name_tool to do some magic for rpath.
 
|     $(USERLIB): $(OBJECTS)
|         $(SHLIB_CXXLD) -o $(USERLIB) $^ $(SHLIB_CXXLDFLAGS) $(HARDEN_LD)
| $(ALL_LIBS)
| 
| then the hardening works correctly.
| 
| (i also tried SHLIB_CXXLDFLAGS += $(shell dpkg-buildflags --get
| LDFLAGS), but that doesn't work, not sure why)
| 
| i'm wondering why this isn't working correctly by default. is there an
| issue with my system? is the Makevars file not quite correct? is there a
| "correct" way to achieve this without editing Makevars?

The general rule is to never ever write your own src/Makevars unless you
absolutely must.

And AFAIK only Rserve or RInside do -- by diverting the standard package
build process into something else to accomodate their need for building an
executable or special library.  And when you do something nonstandard like
this some nonstandard behaviour may follow.

To me it seems that you figured out what you needed for a local build, and we
are not really in a situation that warrants this for the overall case.

If we thought otherwise would add a configure script -- but adding one makes
the build longer and slower for everyone just to satisfy what seems like a
corner case for you.  And I say that as a Debian maintainer.

In short, no need to modify the general build case as best as I can tell.

Dirk

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org

More information about the Rcpp-devel mailing list