Hi,I am working on packaging zlint and have trouble compiling the binaries correctly. I pushed my work so far to salsa[1] and also the packaging for github.com/zmap/zcrypto[2] (also WIP) that is needed for building zlint
Lintian complains that the produced binaries lack hardening and that I should set the appropriate harding flags (hardening-no-bindnow, hardening-no-relro)
But if I look at the build log, go env prints the following compiler flags that seem fine to me:
CGO_CFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security"
CGO_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"CGO_CXXFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security"
CGO_FFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro"I assumed that if `go env` can read these flags, then `go install` would also pick them up. But that doesn't seem to happen. The only difference to other binary builds that I did in the past is that I had to use a specific go version because golang-any is too old, but I didn't find any hint if orwhy go-1.16 might behave any different.
Any hint on what might be the issue here would be very appreciated. Peymaneh[1] https://salsa.debian.org/go-team/packages/golang-github-zmap-zlint/-/tree/debian/sid [2] https://salsa.debian.org/go-team/packages/golang-github-zmap-zcrypto/-/tree/debian/sid
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature