Re: [WIP] golang-github-zmap-zlint

To: Peymaneh Nejad <p.nejad@posteo.de>
Cc: debian-go@lists.debian.org
Subject: Re: [WIP] golang-github-zmap-zlint
From: Nilesh Patra <nilesh@debian.org>
Date: Sun, 27 Jun 2021 04:17:46 +0530
Message-id: <[🔎] YNeuklZgP+8QO4ia@debian>
In-reply-to: <[🔎] a7cc7a24-2d37-3485-6d9f-a2fa3a6929c5@posteo.de>
References: <[🔎] a7cc7a24-2d37-3485-6d9f-a2fa3a6929c5@posteo.de>

On 26/06/21 09:02 PM, Peymaneh Nejad wrote:
> Hi,
> 
> I am working on packaging zlint and have trouble compiling the binaries
> correctly. I pushed my work so far to salsa[1] and also the packaging for
> github.com/zmap/zcrypto[2] (also WIP) that is needed for building zlint
> 
> Lintian complains that the produced binaries lack hardening and that I
> should set the appropriate harding flags (hardening-no-bindnow,
> hardening-no-relro)

I tried something

--- a/debian/rules
+++ b/debian/rules
@@ -10,16 +10,19 @@ export DH_GOLANG_BUILDPKG := $(DH_GOPKG)/v3/cmd/zlint \

 VERSION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f1)
 REVISION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f2)
+export CGO_ENABLED := 0

 LDFLAGS := -ldflags \
-         '-X "main.version=$(VERSION)" \
+         '-extldflags -Wl,-z,now \
+           -X "main.version=$(VERSION)" \
           -X "main.revision=$(REVISION)"'

 %:
        dh $@ --builddirectory=_build --buildsystem=golang --with=golang

 override_dh_auto_build:
-       dh_auto_build -- $(LDFLAGS)
+       dh_auto_build -- -buildmode=pie \
+                       $(LDFLAGS)

 override_dh_install-indep:
        rm -rf debian/tmp/usr/share/gocode/src/github.com/zmap/zlint/v3/cmd

But now this ends with: "zlint: shared-library-lacks-prerequisites
usr/bin/zlint*"
I'm not sure if it is safe to ignore this warning, probably it is, but
I'm not fully certain

> But if I look at the build log, go env prints the following compiler flags
> that seem fine to me:
> 
> CGO_CFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
> -fstack-protector-strong -Wformat -Werror=format-security"
> CGO_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
> CGO_CXXFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
> -fstack-protector-strong -Wformat -Werror=format-security"
> CGO_FFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong"
> CGO_LDFLAGS="-Wl,-z,relro"
> 
> I assumed that if `go env` can read these flags, then `go install` would
> also pick them up. But that doesn't seem to happen. The only difference to
> other binary builds that I did in the past is that I had to use a specific
> go version because golang-any is too old, but I didn't find any hint if
> orwhy go-1.16 might behave any different.

No, this is completely wrong. Use golang-any instead for B-D, it can
build with golang-1.15, should be fine.
The problem is sooner or later golang-1.16 will be removed when new
versions come up (see for example anything less than golang-1.13)

> [1] https://salsa.debian.org/go-team/packages/golang-github-zmap-zlint/-/tree/debian/sid
> [2] https://salsa.debian.org/go-team/packages/golang-github-zmap-zcrypto/-/tree/debian/sid

Please make debian/sid the default branches for this repository (I guess
you should have the permissions for doing so)

Nilesh

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: [WIP] golang-github-zmap-zlint
  - From: Peymaneh Nejad <p.nejad@posteo.de>

References:
- [WIP] golang-github-zmap-zlint
  - From: Peymaneh Nejad <p.nejad@posteo.de>

Prev by Date: [WIP] golang-github-zmap-zlint
Next by Date: Re: [WIP] golang-github-zmap-zlint
Previous by thread: [WIP] golang-github-zmap-zlint
Next by thread: Re: [WIP] golang-github-zmap-zlint
Index(es):
- Date
- Thread