Re: [Re: [CinCV TNG] Building in Gentoo

Author: Good Guy
Date:  
To: Miroslav Rovis
Subject: Re: [Re: [CinCV TNG] Building in Gentoo
> I hoped setting:
>
> export LDFLAGS+=-Wl,-z,noexecstack
>
> in the terminal where I compiled Cinelerra-5.1 would compile it the
> right way.
>


I am not familiar with noexecstack, but it may be used to enforce the
nx bit (no execute). If it is, it is not likely that I would be able to tell
if it works or not but, for what it's worth, here is a way to give it a try.

cd cinelerra5/cinelerra-5.1
echo "EXTRA_LIBS += -lva" >> global_config
echo "EXTRA_LIBS += -Wl,-z,noexecstack" >> global_config
sed -e '1,1c#!/usr/bin/python2.7' -i guicast/bccmdl.py
sed -e '/^bcxfer.C:/,+1s/python/python2.7/' -i guicast/Makefile
./configure shared
make >& log

I tried this line in global_config to apply the -Wl,-z,noexecstack flag
to the cinelerra link. It did compile and link in fedora23, and I
can see the flag was used in cinelerra-5.1/x86_64/objs. It is not
clear if it works; the effect is seen in the page tables, not user space.

This feature is pretty exotic, and may not be of practical use, since
most people who own their computer already know the root password.
It is most useful for institutional systems, and I am not sure cinelerra
would be in use in these cases. Given the hack at Sony studios,
maybe... maybe.... anyhow, it is sort of interesting, hope it is useful
for you.





On Wed, Apr 27, 2016 at 11:22 AM, Miroslav Rovis <miro.rovis@???> wrote:

> I pulled the changes and recompiled a few times, with the attempt below.
>
> I hoped setting:
>
> export LDFLAGS+=-Wl,-z,noexecstack
>
> in the terminal where I compiled Cinelerra-5.1 would compile it the
> right way.
>
> There are results at:
>
> http://www.croatiafidelis.hr/foss/gentoo/cinelerra-160427-logs/
>
> There is the script that I used:
> cin-compile.sh
>
> and the
>
> cinelerra-cv-gg_160427_<the-remaing-timestamp>_make.log
>
> logs that are marked with an empty file:
>
> cinelerra-cv-gg_160427_<the-remaing-timestamp>_make.log_noexecstack
>
> of the same timestamp have been done with the uncommented out line
> (which is commented in the posted script):
>
> export LDFLAGS+=-Wl,-z,noexecstack && echo $LDFLAGS; read FAKE;
> ./configure shared |& tee \
> /var/log/no-portage-tmp/cinelerra-cv-gg_$(date +%y%m%d_%H%M)_configure_shared.log
>
> I wasn't sure, so I retried without your recent changes that I pulled
> in, that is, I didn't keep track which is which, except for the last
> one, that only compiled without errors, but that is also the only one
> that was compiled after clearing the LDFLAGS:
>
> export LDFLAGS=""
> ...
> I didn't keep track which is which, because with and without your today's
> change, it's the same error like below if the noexecstack is set to LDFLAGS.
>
> You can see what libraries can not be compiled with noexecstack, say:
>
> $ grep -ai '\*\*\*.*error' /var/www/localhost/htdocs/rovis_org/CroatiaFidelis/foss/gentoo/cinelerra-160427-logs/cinelerra-cv-gg_160427_1911_make.log
> make[5]: *** [esd] Error 1
> make[4]: *** [all-recursive] Error 1
> make[3]: *** [all] Error 2
> make[2]: *** [/usr/src/cinelerra5/cinelerra-5.1/thirdparty/build/esound.built] Error 2
> make[2]: *** [x86_64/hveg2enc] Error 1
> make[2]: *** [x86_64/mplexlo] Error 1
> make[2]: *** [x86_64/cutads] Error 1
> make[3]: *** [../..//bin/plugins/transforms/1080to480.plugin] Error 1
> make[2]: *** [1080to480] Error 2
> make[3]: *** [../..//bin/plugins/transforms/720to480.plugin] Error 1
> make[2]: *** [720to480] Error 2
> make[3]: *** [../..//bin/plugins/transforms/1080to540.plugin] Error 1
> make[2]: *** [1080to540] Error 2
> make[3]: *** [../..//bin/plugins/colors/C41.plugin] Error 1
> make[2]: *** [C41] Error 2
> make[3]: *** [../..//bin/plugins/video_transitions/bandwipe.plugin] Error 1
> make[2]: *** [bandwipe] Error 2
> make[3]: *** [../..//bin/plugins/audio_tools/audioscope.plugin] Error 1
> make[2]: *** [audioscope] Error 2
> make[3]: *** [../..//bin/plugins/video_transitions/bandslide.plugin] Error 1
> make[2]: *** [bandslide] Error 2
> make[3]: *** [../..//bin/plugins/colors/brightness.plugin] Error 1
> make[2]: *** [brightness] Error 2
> make[3]: *** [../..//bin/plugins/video_tools/blur.plugin] Error 1
> make[2]: *** [blur] Error 2
> make[3]: *** [../..//bin/plugins/colors/bluebanana.plugin] Error 1
> make[2]: *** [bluebanana] Error 2
> $
>
> Cinelerra-5.1 cannot compile with noexecstack..
>
> Of course I don't completely understand.
>
> This is beyond me... I know far too little programming to help here.
>
> But I still hope this is helpful.
>
> ----- Forwarded message from Miroslav Rovis <miro.rovis@???> -----
>
> Date: Wed, 27 Apr 2016 17:20:29 +0200
> From: Miroslav Rovis <miro.rovis@???>
> To: Good Guy <good1.2guy@???>
> Subject: Re: [CinCV TNG] Building in Gentoo
>
> On 160427-07:31-0600, Good Guy wrote:
> > the diff in the install listing is due to the last commit in the repo:
> >
> > > # cd /mnt0/cinelerra5/
> > > # git log
> > > commit b2106cd755a98389f1f6d373a71201b68377d74f
> > > Author: Good Guy <good1.2guy@???>
> > > Date: Tue Apr 26 10:49:10 2016 -0600
> > >
> > >     fix popupmenu remove_item vs del_item, mv downsample from aud to vid
> > >
> > when you have time, do a git pull in your repo, or git clone a new copy to
> > acquire the new changes. the popmenu fix prevents an inf loop, recommend.
> >
>
> I sure will!
>
> > I will take a few hours, but I will see if I can get gentoo installed
> > into a spare partition somewhere.
> You must have a really fast system. It takes two days pure compilations
> installing it on my fastest systems.
> Something like in the range of 10 times faster is any other system that
> is prepackaged.
> You must have a really fast system to be able to do it in just a few
> hours.
>
> > The thread library issue is damning
> > and has my attention. gentoo seems to be ahead of the rest of the
> > distros on the timeline, but slightly fragile.
>
> It is ahead, just as grsecurity-hardened kernel based Gentoo is the best
> there is in the world (some of us call the SELinux prevalent big
> business competing hardening, and which is supported, so sad to tell, by
> Torvalds and, silently, by Richard Matthew Stallman, we call it the
> NSA-Linux ). Pls. keep Cinelerra supportive to grsec-hardening!
>
> I am not imagining when I say there have been obstacles to grsec. Have a
> look at:
>
> GNU debugger checking for PaX and refusing to work with it
> https://forums.gentoo.org/viewtopic-t-1011162.html
>
> And now pls. allow me to bundle our correspondence to a non-searchable
> copy of my SOHO-only Lurker archive (which I would first create --but
> that I know how to do it), that I would post and link to it from my
> articles of which the last currently is:
>
> http://www.croatiafidelis.hr/foss/gentoo/cinelerra-out-of-4.php
> .
>
> I've asked that question on the Cinelerra-CV ML:
> [CinCV TNG] Re: Building in Gentoo
> http://lists.cinelerra-cv.org/pipermail/cinelerra/2016q2/004712.html
>
> Let me paste it here too, to be in the clear (I have seen posts vanish,
> yes I have, and very informative posts, for reasons usually of vanity of
> admins and such (not talking my posts, it's not simple to remove them, I
> use my https://github.com/miroR/uncenz to track all that I'm doing, I
> might be able to cry foul very loudly...):
>
> (
> And if I get the permission from Good Guy, I would like to post our
> correspondence that is now missing from Cinelerra CV with its
> information, as a non-searchable but all-links-working Lurker archive,
> such as I did with this other correspondence:
>
> http://www.croatiafidelis.hr/foss/cenz/iskon-tcom-mr/
> or with this:
> http://www.vankina2-10.com/posta/
> Most of the messages will be well arranged in threads like:
>
> http://www.vankina2-10.com/posta/thread/20160318.120836.542657d7.en.html#i20160318.120836.542657d7
> or better.
>
> Why? Because there is great advice, and examples, there from Good Guy,
> how to solve some issues in development. I'm still amazed. I'm sure some
> readers of Cinelerra-CV ML will like it.
> )
>
> Didn't I correctly explain why it would be a good thing to do it?
>
> Regarding what is left to do to install Cinelerra-5.1, I believe even I
> might solve the hardening issues that are left to do to get your repos'
> Cinelerra-5.1 installed. I just take longer. But I'm already studying
> like PaX Team
> (
> Building Cinelerra and stack exec and mprotect issues
> https://forums.grsecurity.net/viewtopic.php?f=3&t=4453#p16227
> )
> suggested to me to do.
>
> And then I'll try and tell people at gentoo-dev ML that Cinelerra is so
> great (
> like I hope I'll be able to see for myself that it's grown more, and
> that it's faster than the 2014 version available in Gentoo Portage
> --which is very slow on my old AMD systems
> (
> https://packages.gentoo.org/packages/media-video/cinelerra
> )
> )
>
> Good Guy, if you don't reply to the above, can I take that you permit me
> to post our correspondence, so other users can benefit from it a little
> and I make a contribution so future Gentoo users of Cinelerra can
> install it?
>
> > This is an alert that thread trouble may be on the way to me. Please
> > let me know how this plays out.
> >
>
> Very gladly I will!
>
> --
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr
>
> > gg
> >
> >
> > On Tue, Apr 26, 2016 at 11:11 PM, Miroslav Rovis <
> > miro.rovis@???> wrote:
> >
> > > No, no files whatsoever are missing in the installation.
> > >
> > > I ran:
> > >
> > > cat l2 | sort -u > l2-su
> > >
> > > on your file, and then it compares:
> > >
> > > $ diff l2-su l2-miro-su
> > > 1c1
> > > < .
> > > ---
> > > > ./
> > > 332a333
> > > > ./plugins/audio_tools/downsample.plugin
> > > 743d743
> > > < ./plugins/video_tools/downsample.plugin
> > >
> > > with my file, which I attach.
>
>
> ----- End forwarded message -----
>
> --
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr
>