Re: lintian error: shared-library-lacks-prerequisites

To: debian-go@lists.debian.org
Subject: Re: lintian error: shared-library-lacks-prerequisites
From: Peymaneh <peymaneh@posteo.net>
Date: Sat, 14 Jan 2023 16:17:52 +0000
Message-id: <[🔎] cbadca02-4ecb-4433-0b6c-c20c7ff2c62d@posteo.net>
In-reply-to: <[🔎] CAFyCLW_ZTeEs79a9Lv23M+x21zakViEcV3XogLz72f+dACJWUA@mail.gmail.com>
References: <[🔎] d579f078-bf2a-ee3b-e413-de0f65b413e6@posteo.net> <[🔎] CAFyCLW_ZTeEs79a9Lv23M+x21zakViEcV3XogLz72f+dACJWUA@mail.gmail.com>

Hi,

Am 14.01.23 um 15:15 schrieb Shengjing Zhu:

On Sat, Jan 14, 2023 at 9:48 PM Peymaneh <peymaneh@posteo.net> wrote:


Hi,

I have a question regarding the static linking of Go programs:

I added -buildmode=pie to the compiler flags for Caddy[1] for additional
hardening. lintian now complains:

caddy: shared-library-lacks-prerequisites [usr/bin/caddy]
The listed shared library doesn't include information about the other libraries against which it was linked.

More specifically, "ldd foo.so" should report such other libraries. In your case, it reports "statically linked".

The fix is to specify the libraries. One way to do so is to add something like "-lc" to the command-line options for "ld".


I am not sure what to think of this:

First, Caddy is not a shared library even and, as any other Go
executables, is usually statically linked.

For amd64 the Go compiler uses internal linking and

% objdump -p $caddy-binary-armhf | grep NEEDED
%

is empty, but this is just as is should be.

For some other platforms -buildmode=pie requires building with an
external linker, and the Caddy binary built for those correctly includes
this information:

% objdump -p $caddy-binary-armhf | grep NEEDED
    NEEDED               libc.so.6

it seems to me this lintian warning is incorrect. Would it be sensible
to overwrite it?


I am inclined to lintian this time.

The binary is rather odd. It's statically linked, but the interpreter
is set as well.
The result comes from CGO_ENABLED=0 and -buildmode=pie. I'm not sure
if these options are sensible to use together.

But why do you want CGO_ENABLED=0? We should avoid this in Debian
packaging. Shared binary is much preferred for distribution packages.

I am not entirely sure, but I believe I tried to package Caddy withsmall as possible differences to upstream, who distribute a standaloneexecutable (with good reasons though, which admittedly do not apply fora distro package)


With CGO enabled, the whole thing is solved. thanks a lot for hint!


Generally speaking, I prefer not hacking build flags in individual
packages. This is the job of dh-golang.


Agreed :)

Peymaneh

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to:

References:
- lintian error: shared-library-lacks-prerequisites
  - From: Peymaneh <peymaneh@posteo.net>
- Re: lintian error: shared-library-lacks-prerequisites
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: Re: lintian error: shared-library-lacks-prerequisites
Next by Date: cri-o: new package in debian, need sponsor
Previous by thread: Re: lintian error: shared-library-lacks-prerequisites
Next by thread: cri-o: new package in debian, need sponsor
Index(es):
- Date
- Thread