[arch-dev-public] RFC: go-pie removal in favour of GOFLAGS

Levente Polyak anthraxx at archlinux.org
Thu May 14 07:54:10 UTC 2020


On 5/14/20 9:46 AM, Morten Linderud wrote:
> On Thu, May 14, 2020 at 09:39:58AM +0200, Levente Polyak via arch-dev-public wrote:
>>> At the end of the month I'll make a todo with the remaining packages depending
>>> on `go-pie`.
>>>
>>> The complete future Go PKGBUILD is attached to this email below.
>>>
>> PS: shouldn't we look into Go getting those flags as well? The Go
>> compiler itself doesn't have RELRO and fortified sources :)
> 
> Because everything, sadly, breaks. I'd much rather try look into reproducibility
> before actually caring about binary hardening.
> 
> If we PIE compile the test suite upstream fails quite badly. Evidently upstream
> doesn't test the go compiler with PIE/RELRO enabled. Unsure if they care at all
> even. If we also try define `CGO_CFLAGS` we end up with errors like:
> 
> /usr/include/features.h:397:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
> 
> `-buildmode=pie` is also going to land you in trouble with the race detection in
> their test suite.
> 
> So not quite there yet for the compiler itself.
> 


/o\ @ upstream

not sure what else to say :P

If you wanna take an adventure in the future, feel invited to ping me
for the ultimate quest to explore the rabbit hole in detail and maybe at
least get RELRO or something.

cheers,
Levente

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20200514/4f041eef/attachment-0001.sig>


More information about the arch-dev-public mailing list