Dear Debian Go compiler team,

I have pushed commits for golang (pc/debian-sid) and golang-defaults
(pc/master) that each add a package with the compiled Go stdlib for
building position-independent executables.

Please review the proposed changes before I push to master, and feel
free to suggest a package name other than golang-X.Y-pie-dev.

You can test PIE mode with the attached patch for acmetool, e.g.,

  gbp clone https://anonscm.debian.org/git/letsencrypt/acmetool.git
  cd acmetool && pristine-tar checkout acmetool_0.0.51.orig.tar.gz
  git am acmetool-build-with-pie-and-bindnow-hardening-flags.patch

  sbuild --extra-package=../golang-1.6-pie-dev_1.6.2-1_amd64.deb \
         --extra-package=../pkg-golang/golang-pie-dev_1.6.1+1_amd64.deb

Note the absent lintian warnings hardening-no-pie/hardening-no-bindnow.

Once PIE-mode stdlib is in the archive, I will adapt dh-golang to
support DEB_BUILD_MAINT_OPTIONS = hardening=+all in debian/rules.

Regards,
Peter
From 2d80d129940626c67c791abc705573b8344301ec Mon Sep 17 00:00:00 2001
From: Peter Colberg <pe...@colberg.org>
Date: Wed, 22 Jun 2016 19:31:28 -0400
Subject: [PATCH] Build with pie and bindnow hardening flags

---
 debian/control | 1 +
 debian/rules   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 11c21f6..e4d5992 100644
--- a/debian/control
+++ b/debian/control
@@ -22,6 +22,7 @@ Build-Depends: debhelper (>= 9),
                golang-gopkg-hlandau-svcutils.v1-dev,
                golang-gopkg-square-go-jose.v1-dev,
                golang-gopkg-tylerb-graceful.v1-dev,
+               golang-pie-dev,
                golang-yaml.v2-dev
 Standards-Version: 3.9.8
 Homepage: https://hlandau.github.io/acme
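Review bot: golang-pie-dev is added to Build-Depends unversioned and unconditionally, although the cover letter still leaves the package name open (golang-X.Y-pie-dev is only a proposal) and the package is not yet in the archive. Until it is uploaded under its final name this build dependency cannot be satisfied without the --extra-package workaround, so hold this hunk until the name is settled, and consider a version constraint at that point so the build does not pick up a PIE stdlib that mismatches the compiler.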
diff --git a/debian/rules b/debian/rules
index d4fb8f9..bc7ff03 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,7 +11,7 @@ GO_LDFLAGS += -X github.com/hlandau/degoutils/buildinfo.RawBuildInfo=$(shell ech
 	dh $@ --buildsystem=golang --with=golang
 
 override_dh_auto_build:
-	dh_auto_build -O--buildsystem=golang -- -ldflags "$(GO_LDFLAGS)"
+	dh_auto_build -O--buildsystem=golang -- -buildmode=pie -ldflags "-extldflags=-Wl,-z,now,-z,relro $(GO_LDFLAGS)"
 
 # Disable OCSP test to avoid network access
 override_dh_auto_test:
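Review bot: in the new dh_auto_build line, -extldflags=-Wl,-z,now,-z,relro sits before $(GO_LDFLAGS) inside the same -ldflags string, so any -extldflags that later reaches GO_LDFLAGS would override it and the bindnow/relro flags would be dropped without a build failure. Appending the hardening flags to GO_LDFLAGS where that variable is defined, or placing them after $(GO_LDFLAGS), keeps them effective. The flags are also hard-coded here rather than derived from DEB_BUILD_MAINT_OPTIONS, which the cover letter names as the eventual mechanism; a comment in debian/rules marking this as interim, and a commit message body explaining why both -buildmode=pie and the external linker flags are needed, would help whoever removes it later.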
-- 
2.8.1
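
To check a built binary directly for the markers that -buildmode=pie and -Wl,-z,now,-z,relro leave behind, the following is an added example, not part of the original mail or patch. The function names check_hardening and sample_elf are hypothetical, the sample ELF images are constructed, and only 64-bit little-endian ELF (such as the amd64 build in the mail) is handled.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data):
    """Report PIE / RELRO / BIND_NOW markers of a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("expected a 64-bit little-endian ELF image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # ET_DYN is what -buildmode=pie produces; shared libraries are ET_DYN too,
    # so run this on executables only.
    result = {"pie": e_type == ET_DYN, "relro": False, "bindnow": False}
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", data, base)
        (p_filesz,) = struct.unpack_from("<Q", data, base + 32)
        if p_type == PT_GNU_RELRO:          # segment created by -z relro
            result["relro"] = True
        elif p_type == PT_DYNAMIC:          # -z now is recorded in the dynamic section
            for off in range(p_offset, p_offset + p_filesz - 15, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    result["bindnow"] = True
    return result

def sample_elf(e_type, dyn_entries, relro):
    """Constructed sample: ELF header, program headers and a dynamic section only."""
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    dyn_off = 64 + 56 * len(types)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, len(dyn), 0, 8)
                     for t in types)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    print(check_hardening(sample_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW)], relro=True)))
    print(check_hardening(sample_elf(2, [], relro=False)))  # ET_EXEC, no flags
```

For a real build, pass the bytes of the installed executable, e.g. check_hardening(open(path, "rb").read()).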
