Using the new time-machine results in warnings about consistently using
keyword arguments:
```bash
guix environment: warning: 'cross-kernel-headers' must be used with keyword arguments
guix environment: warning: 'cross-libc' must be used with keyword arguments
```
This is required for bumping the time-machine, for compatibility with
OpenSSL:
oscrypto: openssl backend, 1.2.1, /tmp/guix-build-python-oscrypto-1.2.1.drv-0/source/oscrypto
Traceback (most recent call last):
File "/tmp/guix-build-python-oscrypto-1.2.1.drv-0/source/oscrypto/_openssl/_libcrypto_ctypes.py", line 304, in <module>
libcrypto.EVP_PKEY_size.argtypes = [
File "/gnu/store/9dkl9fnidcdpw19ncw5pk0p7dljx7ijb-python-3.10.7/lib/python3.10/ctypes/__init__.py", line 387, in __getattr__
func = self.__getitem__(name)
File "/gnu/store/9dkl9fnidcdpw19ncw5pk0p7dljx7ijb-python-3.10.7/lib/python3.10/ctypes/__init__.py", line 392, in __getitem__
func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /gnu/store/2hr7w64zhr6jjznidyc2xi40d5ynhj9c-openssl-3.0.8/lib/libcrypto.so.3: undefined symbol: EVP_PKEY_size. Did you mean: 'EVP_PKEY_free'?
Refactor our glibc 2.27 to be a single 'package', and avoid the use of
`package-with-extra-configure-variable`. This also lets us drop the
`enable_werror` workaround, and just use --disable-werror directly.
Employ the same workaround as the Guix glibc, to avoid a "permission
denied" failure during build:
```bash
make subdir=sunrpc -C sunrpc ..=../ subdir_install
make[2]: Entering directory '/tmp/guix-build-glibc-cross-x86_64-linux-gnu-2.27.drv-0/source/sunrpc'
.././scripts/mkinstalldirs /gnu/store/ga8jciqrd5lh52m572x3mk4q1smf5agq-glibc-cross-x86_64-linux-gnu-2.27/include/rpc
mkdir -p -- /gnu/store/ga8jciqrd5lh52m572x3mk4q1smf5agq-glibc-cross-x86_64-linux-gnu-2.27/include/rpc
/gnu/store/kvpvk5wh70wdbjnr83hh85rg22ysxm9h-coreutils-8.32/bin/install -c -m 644 rpc/netdb.h /gnu/store/ga8jciqrd5lh52m572x3mk4q1smf5agq-glibc-cross-x86_64-linux-gnu-2.27/include/rpc/netdb.h
.././scripts/mkinstalldirs /gnu/store/ga8jciqrd5lh52m572x3mk4q1smf5agq-glibc-cross-x86_64-linux-gnu-2.27/include/nfs
mkdir -p -- /gnu/store/ga8jciqrd5lh52m572x3mk4q1smf5agq-glibc-cross-x86_64-linux-gnu-2.27/include/nfs
/gnu/store/kvpvk5wh70wdbjnr83hh85rg22ysxm9h-coreutils-8.32/bin/install -c -m 644 ../sysdeps/unix/sysv/linux/nfs/nfs.h /gnu/store/ga8jciqrd5lh52m572x3mk4q1smf5agq-glibc-cross-x86_64-linux-gnu-2.27/include/nfs/nfs.h
/gnu/store/kvpvk5wh70wdbjnr83hh85rg22ysxm9h-coreutils-8.32/bin/install -c -m 644 /tmp/guix-build-glibc-cross-x86_64-linux-gnu-2.27.drv-0/build/gnu/lib-names-64.h /gnu/store/ga8jciqrd5lh52m572x3mk4q1smf5agq-glibc-cross-x86_64-linux-gnu-2.27/include/gnu/lib-names-64.h
/gnu/store/kvpvk5wh70wdbjnr83hh85rg22ysxm9h-coreutils-8.32/bin/install -c -m 644 etc.rpc /etc/rpc
/gnu/store/kvpvk5wh70wdbjnr83hh85rg22ysxm9h-coreutils-8.32/bin/install: cannot create regular file '/etc/rpc': Permission denied
make[2]: *** [Makefile:197: /etc/rpc] Error 1
```
Split out of #27897. This is some refactoring to the Windows Guix build
that facilitates bumping our Guix time-machine. Namely, avoiding
`package-with-extra-configure-variable`, which is non-functional in the
newer time-machine, see https://issues.guix.gnu.org/64436.
At the same time, consolidate our Windows GCC build into mingw-w64-base-gcc.
Rename `gcc-10-remap-guix-store.patch` to avoid changing it whenever GCC changes.
We move the old `building-on` inside `explicit-cross-configure`, so that
non-windows builds continue to work. Note that `explicit-cross-configure`
will be going away entirely (see #27897).
This change improves the maintainability of the manifest:
(1) It allows to remove the module when the specified symbols are no
longer used.
(2) It prevents accidental use of other symbols, such as `bash`
instead of `bash-minimal`.
529c92e837 guix: Update `python-lief` package to 0.13.2 (Hennadii Stepanov)
Pull request description:
The Guix's `python-lief` package is going to move to using external deps, rather than the bundled ones (https://lists.gnu.org/archive/html/guix-patches/2023-05/msg01302.html). We want to continue using our own package indefinitely, to keep the build simpler, and allow for easier updating.
Changes in `contrib/devtools/security-check.py` are caused by 6357c6370b.
Also see: https://github.com/bitcoin/bitcoin/pull/27507.
ACKs for top commit:
fanquake:
ACK 529c92e837
Tree-SHA512: ad81111b090a39b380fe25bb27b54a339e78a158f462c7adda25d5ee55f0d654107b1486b29b9687ad0808e27b01e04f53a0e8ffc6600b79103d6bd0dfec64ef
Unfortunately clang 10 does not understand "-mmacosx-version-min=11.0",
as it expects to see only 10.x.
Bump minimally to 11.1 to fix that problem. This will likely be our last
binary toolchain bump, as it will soon be replaced with usage of upstream
vanilla llvm.
These should only be relevant for a glibc that is built as part of a
Guix system, and should not be required for a glibc that is just being
built to compile our binaries against. A x86_64 linux bitcoind produced
with Guix using master vs this change has no difference. i.e:
```diff
@@ -20311,15 +20311,15 @@
This is experimental software.
The source code is available from %s.
Please contribute if you find %s useful. Visit %s for further information about the software.
The %s developers
The Bitcoin Core developers
<https://bitcoincore.org/>
Copyright (C) %i-%i
-v25.99.0-gda0bf1d07639b0490791bbd6aec71bbea8aa2aThe %s developer<https://github.com/bitcoin/bitcDistributed under the MIT software license, see the accompanyingThis is experimeThe source code is available froPlease contribute if you find %s useful. Visit %s for further information about Copyright (C) %ibool BCLog::Logger::StartLogging()
+v25.99.0-gd7700d3a26478d9b1648463c188648c7047b1cThe %s developer<https://github.com/bitcoin/bitcDistributed under the MIT software license, see the accompanyingThis is experimeThe source code is available froPlease contribute if you find %s useful. Visit %s for further information about Copyright (C) %ibool BCLog::Logger::StartLogging()
std::string BCLog::Logger::LogLevelToStr(BCLog::Level) const
std::string LogCategoryToStr(BCLog::LogFlags)
void BCLog::Logger::LogPrintStr(const string&, const string&, const string&, int, BCLog::LogFlags, BCLog::Level)
void BCLog::Logger::ShrinkDebugFile()
Failed to shrink debug log file: fseek(...) failed
logging.cpp
m_buffering
```
```diff
@@ -1505889,15 +1505889,15 @@
call aa3380 <malloc@plt+0xa4edb0>
mov (%rsp),%rdx
movdqa 0x465540(%rip),%xmm0
mov %rax,0x7a0559(%rip)
lea 0x7a0552(%rip),%rsi
lea 0x3957bb(%rip),%rdi
mov %rdx,0x7a0554(%rip)
- mov $0x3038,%edx
+ mov $0x3036,%edx
movups %xmm0,(%rax)
movdqa 0x465524(%rip),%xmm0
mov %dx,0x30(%rax)
mov 0x7a0529(%rip),%rdx
movups %xmm0,0x10(%rax)
movdqa 0x46551d(%rip),%xmm0
movups %xmm0,0x20(%rax)
```
```diff
@@ -37238,17 +37238,17 @@
0x00b73730 65202573 20646576 656c6f70 65727300 e %s developers.
0x00b73740 54686520 42697463 6f696e20 436f7265 The Bitcoin Core
0x00b73750 20646576 656c6f70 65727300 434f5059 developers.COPY
0x00b73760 494e4700 3c687474 70733a2f 2f626974 ING.<https://bit
0x00b73770 636f696e 636f7265 2e6f7267 2f3e0043 coincore.org/>.C
0x00b73780 6f707972 69676874 20284329 2025692d opyright (C) %i-
0x00b73790 25690053 61746f73 68690000 00000000 %i.Satoshi......
- 0x00b737a0 7632352e 39392e30 2d676461 30626631 v25.99.0-gda0bf1
- 0x00b737b0 64303736 33396230 34393037 39316262 d07639b0490791bb
- 0x00b737c0 64366165 63373162 62656138 61613261 d6aec71bbea8aa2a
+ 0x00b737a0 7632352e 39392e30 2d676437 37303064 v25.99.0-gd7700d
+ 0x00b737b0 33613236 34373864 39623136 34383436 3a26478d9b164846
+ 0x00b737c0 33633138 38363438 63373034 37623163 3c188648c7047b1c
0x00b737d0 54686520 25732064 6576656c 6f706572 The %s developer
0x00b737e0 3c687474 70733a2f 2f676974 6875622e <https://github.
0x00b737f0 636f6d2f 62697463 6f696e2f 62697463 com/bitcoin/bitc
0x00b73800 44697374 72696275 74656420 756e6465 Distributed unde
0x00b73810 72207468 65204d49 5420736f 66747761 r the MIT softwa
0x00b73820 7265206c 6963656e 73652c20 73656520 re license, see
0x00b73830 74686520 6163636f 6d70616e 79696e67 the accompanying
```
```diff
@@ -1,5 +1,5 @@
Hex dump of section '.gnu_debuglink':
0x00000000 62697463 6f696e64 2e646267 00000000 bitcoind.dbg....
- 0x00000010 6b6e8eda kn..
+ 0x00000010 345cb865 4\.e
```
4becee396f guix: combine and document enable_werror (fanquake)
Pull request description:
Combine into `hardened-glibc`.
Document why we don't use `--disable-werror` directly.
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
> By default, the GNU C Library is built with -Werror. If you wish
> to build without this option (for example, if building with a
> newer version of GCC than this version of the GNU C Library was
> tested with, so new warnings cause the build with -Werror to fail),
> you can configure with --disable-werror.
ACKs for top commit:
hebasto:
ACK 4becee396f, the diff is correct.
TheCharlatan:
ACK 4becee396f
Tree-SHA512: 8724415f51b4d72d40c4e797faf52c93a81147fb629332b9388ffd7f113f2b16db3b7496bf3063dd978ac629fd5bde3ec7df4f1ff1ed714cb56f316a9334d119
Combine into hardened-glibc.
Document why we don't use --disable-werror directly.
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
> By default, the GNU C Library is built with -Werror. If you wish
> to build without this option (for example, if building with a
> newer version of GCC than this version of the GNU C Library was
> tested with, so new warnings cause the build with -Werror to fail),
> you can configure with --disable-werror.
This also fixes atleast one --no-substitues build failure I've seen,
where cmake dependencies wouldn't build:
```bash
The following derivations will be built:
/gnu/store/7qqvqq2g7l5ylrjv0gn6zha565a12kar-python-lief-0.12.1.drv
/gnu/store/f9zwh1ldy63ga0i5w6cbbqlj6sfq226j-cmake-3.21.4.drv
/gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv
building /gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv...
/ 'check' phasenote: keeping build directory `/tmp/guix-build-python-sphinx-4.2.0.drv-5'
builder for `/gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv' failed with exit code 1
build of /gnu/store/3wg6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv failed
View build log at '/var/log/guix/drvs/3w/g6ya847id503m5izhzhn1qqs464lfk-python-sphinx-4.2.0.drv.gz'.
cannot build derivation `/gnu/store/f9zwh1ldy63ga0i5w6cbbqlj6sfq226j-cmake-3.21.4.drv': 1 dependencies couldn't be built
cannot build derivation `/gnu/store/7qqvqq2g7l5ylrjv0gn6zha565a12kar-python-lief-0.12.1.drv': 1 dependencies couldn't be built
guix environment: error: build of `/gnu/store/7qqvqq2g7l5ylrjv0gn6zha565a12kar-python-lief-0.12.1.drv' failed
```
285edfadca guix: use osslsigncode 2.5 (fanquake)
Pull request description:
Switches to using a newer version of [osslsigncode](https://github.com/mtrojnar/osslsigncode) in our Guix environment.
achow101 can you test this with some sort of WIndows code-signing dry-run (no-rush).
ACKs for top commit:
achow101:
ACK 285edfadca
Tree-SHA512: 2ab8f65e506bd97e74e76f24e791ae20694e567a751cc57d3a27f31f0733e3530d058ef19825a35dc21d1342e3fffc52d8d643258198c669cc68b6db41bda629
d0433a3153 guix: Drop perl package (Hennadii Stepanov)
55e468f149 build: Add `-no-mimetype-database` option to qt package in depends (Hennadii Stepanov)
Pull request description:
Perl is required only in Qt to create its own MIME database, which we never use.
Guix build on `x86_64`:
```
b63983137239de664edba06834d48fbfc1957d4c56aaf1b2c4cd253bad2856f9 guix-build-d0433a31534d/output/aarch64-linux-gnu/SHA256SUMS.part
f4ea6d24a0248f573a0e6e207f872a964ad061459837e3c44ddc2257871349f9 guix-build-d0433a31534d/output/aarch64-linux-gnu/bitcoin-d0433a31534d-aarch64-linux-gnu-debug.tar.gz
00efef73311e2a231255f7e2010d5a77ec986b60be26be10f27dc24aa84382c7 guix-build-d0433a31534d/output/aarch64-linux-gnu/bitcoin-d0433a31534d-aarch64-linux-gnu.tar.gz
8eaf54f1d867b8279e5bf7db9d57a86b9d63dbb7f17bc8df131336781325ca25 guix-build-d0433a31534d/output/arm-linux-gnueabihf/SHA256SUMS.part
1fc60e3086e09cefef8f3848787c4bf601a017a5e75a1dd322c81916ad737d30 guix-build-d0433a31534d/output/arm-linux-gnueabihf/bitcoin-d0433a31534d-arm-linux-gnueabihf-debug.tar.gz
92b51c48dd7aeb1853345bc17f433c56c3704755008fbe2d5b203145af87b667 guix-build-d0433a31534d/output/arm-linux-gnueabihf/bitcoin-d0433a31534d-arm-linux-gnueabihf.tar.gz
7daadc27af84bfeab98802481c3dbce852613b712db1711f5bf67c36ad54414a guix-build-d0433a31534d/output/arm64-apple-darwin/SHA256SUMS.part
2d1de48b0acfdd6aa3a5dd7c97557463d11ef8a2a12b2227bf555a8d387c3db9 guix-build-d0433a31534d/output/arm64-apple-darwin/bitcoin-d0433a31534d-arm64-apple-darwin-unsigned.dmg
a1fd2d0103295b4a3bda8f8be39df2bb3cef1be18235c20f7a4f13e4f839b9b0 guix-build-d0433a31534d/output/arm64-apple-darwin/bitcoin-d0433a31534d-arm64-apple-darwin-unsigned.tar.gz
abb9c9f2a2506205a236240de3fc602d9bc884a19a8d64ede2d9abf03c29141c guix-build-d0433a31534d/output/arm64-apple-darwin/bitcoin-d0433a31534d-arm64-apple-darwin.tar.gz
13f21eb33c2d0719da0bd5227ea58e5bb625a7fd0bd2af8d1a13efe7a00ab46c guix-build-d0433a31534d/output/dist-archive/bitcoin-d0433a31534d.tar.gz
0a83e8b591fd79d0493f381f1fc849ed89428e43794c9f791e5ee36fa6b945b8 guix-build-d0433a31534d/output/powerpc64-linux-gnu/SHA256SUMS.part
56b592cf691ef22557a03d6083a0603b45caa6ebfd17c0dda6fc870c8612a19f guix-build-d0433a31534d/output/powerpc64-linux-gnu/bitcoin-d0433a31534d-powerpc64-linux-gnu-debug.tar.gz
9d72a57f5bd509aaf48c18bf7d8b27861722242aa85036e7c6512983e6f102ee guix-build-d0433a31534d/output/powerpc64-linux-gnu/bitcoin-d0433a31534d-powerpc64-linux-gnu.tar.gz
0512992f6ee3ca2693121cd4bcb45a23de7759ccd87db67e4f091ada75fca3e1 guix-build-d0433a31534d/output/powerpc64le-linux-gnu/SHA256SUMS.part
b3ccdeac6bc7c36ce5792018dbad81b18a6fb62c4fc67df820796e70f4630100 guix-build-d0433a31534d/output/powerpc64le-linux-gnu/bitcoin-d0433a31534d-powerpc64le-linux-gnu-debug.tar.gz
f4c11cbd56431f5d257dff881a46d7ddf83b3d3a2e05c5e88e5575c4bb552960 guix-build-d0433a31534d/output/powerpc64le-linux-gnu/bitcoin-d0433a31534d-powerpc64le-linux-gnu.tar.gz
ad71196a5af12eedb906fb009b8f635933fa2bf83586b4b2360f6b84f52998ca guix-build-d0433a31534d/output/riscv64-linux-gnu/SHA256SUMS.part
6fe7dbb772e91dccec781b4d7a47cc8179ba0fb4614a3da6423679a4539ae96e guix-build-d0433a31534d/output/riscv64-linux-gnu/bitcoin-d0433a31534d-riscv64-linux-gnu-debug.tar.gz
f8fb450f627791b20e56d00bc9544984120fe22d9644318bc01cf027914b7338 guix-build-d0433a31534d/output/riscv64-linux-gnu/bitcoin-d0433a31534d-riscv64-linux-gnu.tar.gz
fb741950e3699fe2ffa44754e493a28b06c00ce12f9a4c073e38dd960bfe805d guix-build-d0433a31534d/output/x86_64-apple-darwin/SHA256SUMS.part
47dfb3eb3526c319ed528c24f19dda4ee3e6e03ca36d62f31207bad65083be76 guix-build-d0433a31534d/output/x86_64-apple-darwin/bitcoin-d0433a31534d-x86_64-apple-darwin-unsigned.dmg
4e306e35e7c885791694762d10fbc4e563466a2240036c3e1fc877c2806ac583 guix-build-d0433a31534d/output/x86_64-apple-darwin/bitcoin-d0433a31534d-x86_64-apple-darwin-unsigned.tar.gz
ac71e5164142225fc018f47d278d5450a28de05259f41437a7c4183708d8681d guix-build-d0433a31534d/output/x86_64-apple-darwin/bitcoin-d0433a31534d-x86_64-apple-darwin.tar.gz
f670fbe6652211d57dca9c79a6e37023b40d32117cf5e0d28dd9ba6247af1d61 guix-build-d0433a31534d/output/x86_64-linux-gnu/SHA256SUMS.part
94b23c572cac60f7ce1f7851e1aa0c8d41cc5fa5863089027aa8d524b6940d91 guix-build-d0433a31534d/output/x86_64-linux-gnu/bitcoin-d0433a31534d-x86_64-linux-gnu-debug.tar.gz
6d48a676f126eea585ab352c6bc923341903d891da6e8c4d4e2e168b8d6c4820 guix-build-d0433a31534d/output/x86_64-linux-gnu/bitcoin-d0433a31534d-x86_64-linux-gnu.tar.gz
23bb6919646725bfe35f4e3eb1beedb3ee4f49dc0b410d47185a2e06fb0184e3 guix-build-d0433a31534d/output/x86_64-w64-mingw32/SHA256SUMS.part
a92202b0c397aede252c433dbf83d5094141d5263f32d1078a052da7cf23059b guix-build-d0433a31534d/output/x86_64-w64-mingw32/bitcoin-d0433a31534d-win64-debug.zip
11d84ad174e12f3342764b47f42e32a55bd6d277416dcf6b05556173ace48430 guix-build-d0433a31534d/output/x86_64-w64-mingw32/bitcoin-d0433a31534d-win64-setup-unsigned.exe
436364e555e57090472600b5486af8bdefe0baaab7441b919e23f90d01a3347f guix-build-d0433a31534d/output/x86_64-w64-mingw32/bitcoin-d0433a31534d-win64-unsigned.tar.gz
e193bf3179194d68d88e295d0ef830ef77ddb504bc0f9aa17f84b537b275ddde guix-build-d0433a31534d/output/x86_64-w64-mingw32/bitcoin-d0433a31534d-win64.zip
```
ACKs for top commit:
fanquake:
ACK d0433a3153 - with the cavaet that I haven't looked at the qt changes, or the effects of using the `-no-mimetype-database` flag, at all. Also performed a Guix build from scratch with this branch rebased on master.
jarolrod:
ACK d0433a3153
Tree-SHA512: d6dc9bb19e793027d818aee0e248e59fdbf4f4ff46d55538f30e1731254c4739de342a3e917ae7d3f3bc1b6451667b9e8984a6522a1fcece7891c51502a420e8
From the git-minimal package definition:
> The size of the closure of 'git-minimal' is two thirds that of 'git'.
> Its test suite runs slightly faster and most importantly it doesn't
> depend on packages that are expensive to build such as Subversion.
We don't need any fancy / additional git functionality above the basics,
so switch to git-minimal and save some CPU, while also pruning the
greater dependency graph.
```diff
-name: git
+name: git-minimal
version: 2.37.3
outputs:
-+ send-email: see Appendix H
-+ svn: see Appendix H
-+ credential-netrc: see Appendix H
-+ credential-libsecret: see Appendix H
-+ subtree: see Appendix H
-+ gui: see Appendix H
+ out: everything else
-systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux i686-linux armhf-linux powerpc-linux
-dependencies: asciidoc@9.1.0 bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 docbook-xsl@1.79.2 expat@2.4.1 gettext-minimal@0.21 glib@2.70.2 libsecret@0.20.4 openssl@1.1.1l pcre2@10.37perl-authen-sasl@2.16perl-cgi@4.52
-+ perl-io-socket-ssl@2.068perl-net-smtp-ssl@1.04perl-term-readkey@2.38 perl@5.34.0 pkg-config@0.29.2 python@3.9.9 subversion@1.14.1 tcl@8.6.11 tk@8.6.11.1 xmlto@0.0.28 zlib@1.2.11
-location: gnu/packages/version-control.scm:222:2
+systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux riscv64-linux i686-linux armhf-linux powerpc-linux
+dependencies: bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 expat@2.4.1 gettext-minimal@0.21 openssl@1.1.1l perl@5.34.0 zlib@1.2.11
+location: gnu/packages/version-control.scm:608:2
homepage: https://git-scm.com/
license: GPL 2
synopsis: Distributed version control system
```
With the release of binutils/ld 2.36, ld swapped to much improved
default settings when producing windows binaries with mingw-w64. One of
these changes was to stop stripping the .reloc section from binaries,
which is required for working ASLR.
.reloc section stripping is something we've accounted for previously,
see #18702. The related upstream discussion is in this thread:
https://sourceware.org/bugzilla/show_bug.cgi?id=19011.
When we switched to using a newer Guix time-machine in #23778, we begun
using binutils 2.37 to produce releases. Since then, our windows
installer (produced with makensis) has not functioned correctly when run on
a Windows system with the "Force randomization for images (Mandatory ASLR)"
option enabled. Note that all of our other release binaries, which all
contain .reloc sections, function fine under the same option, so it
cannot be just the presence of a .reloc section that is the issue.
For now, restore makensis to it's pre-binutils-2.36 behaviour, which
fixes the produced installer. The underlying issue can be further
investigated in future.
Similar to 8588591965.
```bash
ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft
validate_path(context, path)
File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path
return _validate_path(validation_context, path)
File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path
raise PathValidationError(pretty_message(
certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-07-27 12:00:00Z
```
Pass `--enable-default-pie` and `--enable-default-ssp` when configuring
our GCCs. This achieves the following:
--enable-default-pie
Turn on -fPIE and -pie by default.
--enable-default-ssp
Turn on -fstack-protector-strong by default.
Note that this isn't a replacement for passing hardneing flags
ourselves, but introduces some redundency, and there isn't really a
reason to not build a more "hardenings enabled" toolchain by default.
See also:
https://gcc.gnu.org/install/configure.html
Both glibcs we build support `--enable-bind-now`:
Disable lazy binding for installed shared objects and programs.
This provides additional security hardening because it enables full RELRO
and a read-only global offset table (GOT), at the cost of slightly
increased program load times.
See:
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
Pass `--enable-stack-protector=all` when building the glibc used for the
RISC-V toolchain, to enable stack smashing protection on all functions,
in the glibc code.
