FS#71055 - [godot] use system dependencies and enable PIE

Attached to Project: Community Packages
Opened by loqs (loqs) - Saturday, 29 May 2021, 19:55 GMT
Last edited by Alexander F. Rødseth (xyproto) - Thursday, 29 July 2021, 13:15 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Alexander F. Rødseth (xyproto)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
godot can use system provided packages for some of its dependencies instead of its bundled copies.
[1] unbundles bullet certs embree freetype libogg libpng libtheora libvorbis libvpx libwebp mbedtls miniupnpc opus pcre2 zlib zstd
Not unbundled:
enet contains non-upstreamed IPv6 support
libwebm AUR
recast no package
squish AUR libsquish
wslay AUR
xatlas no package

godot purposely disables PIE [2]. The commit leads to pull request [3], which has two reasons for the change:

Misdetection in some file managers of the binary as a library.
Incompatibility with dynamic module loading. [4]

The former does not to me justify such a change which cannot be altered at build time.
The latter seems a surprising incompatibility to me. So I reverted the change. This required manually adjusting the commit to apply to the current source.
The modified built package passed namcap's pie detection. It dynamically loads ALSA and pulse and can play audio.
This would seem to demonstrate pie and the dynamic loading approach godot is using are not incompatible.

Are you or the security team aware of an incompatibility between PIE and dynamic module loading?
Can you reproduce my results of functionality with PIE enabled?
I am happy to take this upstream but would like confirmation that it is possible to use PIE with their use case.

Additional info:
* godot 3.3.2-1
[1] PKGBUILD.diff
[2] https://github.com/godotengine/godot/commit/06c42d151cf7b70b73dda42eba78e91b05c12814
[3] https://github.com/godotengine/godot/pull/23542
[4] https://github.com/hpvb/dynamic-linktime-load

Closed by  Alexander F. Rødseth (xyproto)
Thursday, 29 July 2021, 13:15 GMT
Reason for closing:  Fixed
Comment by Alexander F. Rødseth (xyproto) - Monday, 07 June 2021, 14:06 GMT
Thanks for reporting! I'm not aware of an incompatibility between PIE and dynamic loading, but I can ask around.

I will try rebuilding Godot with PIE enabled. I agree that it sounds like a good idea.
Comment by Alexander F. Rødseth (xyproto) - Thursday, 22 July 2021, 14:24 GMT
I applied the patch to the PKGBUILD and updated the package. Thanks!

PIE is still pending. I see that https://github.com/godotengine/godot/pull/23542 has been merged now, so perhaps this will be resolved by upstream with the next release of Godot?
Comment by Levente Polyak (anthraxx) - Thursday, 22 July 2021, 15:19 GMT
Reading through that bug report it looks to me that upstream is a bit confused. Turning off PIE is not the way to tackle what they try to fix. They are artificially lowering the security of all exported projects. That patch should be NACKed.
Comment by Alexander F. Rødseth (xyproto) - Thursday, 22 July 2021, 16:14 GMT
Thanks for the input, Levente Polyak. I'll see if I can enable PIE.
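
Added example (not part of the original report, and not namcap's or Godot's code): the misdetection cited in [3] comes from a PIE executable and a shared library sharing the ELF type ET_DYN, so this sketch classifies a 64-bit little-endian ELF image using the PT_INTERP segment and the DF_1_PIE dynamic flag. The names classify_elf and make_elf are hypothetical, and the sample images are constructed headers rather than real binaries.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS_1, DF_1_PIE = 0, 0x6FFFFFFB, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def classify_elf(data):
    """Classify a 64-bit little-endian ELF image by how it will be loaded."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF image")
    hdr = struct.unpack_from(EHDR, data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type == ET_EXEC:
        return "non-PIE executable"  # fixed load address for the main image
    if e_type != ET_DYN:
        return "other"
    has_interp = pie_flag = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, struct.calcsize(DYN)):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS_1 and val & DF_1_PIE:
                    pie_flag = True
    # ET_DYN alone is ambiguous. Heuristic (assumption): DF_1_PIE or PT_INTERP
    # marks an executable; a few libraries (e.g. libc) also carry PT_INTERP.
    return "PIE executable" if (pie_flag or has_interp) else "shared library"

def make_elf(e_type, interp=False, pie_flag=False):
    """Build a constructed, minimal ELF64 image (headers only) for the demo."""
    dyn = struct.pack(DYN, DT_FLAGS_1, DF_1_PIE) if pie_flag else b""
    dyn += struct.pack(DYN, DT_NULL, 0)
    path = b"/lib64/ld-linux-x86-64.so.2\0"
    types = [PT_DYNAMIC] + ([PT_INTERP] if interp else [])
    body_off = 64 + 56 * len(types)
    segs = {PT_DYNAMIC: (body_off, dyn), PT_INTERP: (body_off + len(dyn), path)}
    phdrs = b"".join(struct.pack(PHDR, t, 4, segs[t][0], 0, 0, len(segs[t][1]),
                                 len(segs[t][1]), 8) for t in types)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    return ehdr + phdrs + dyn + (path if interp else b"")
```

To check a built package, pass the bytes of the installed binary to classify_elf; a result of "non-PIE executable" means the main image is loaded at a fixed address.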
