On 26/06/21 09:02 PM, Peymaneh Nejad wrote:
> Hi,
>
> I am working on packaging zlint and have trouble compiling the binaries
> correctly. I pushed my work so far to salsa[1] and also the packaging for
> github.com/zmap/zcrypto[2] (also WIP) that is needed for building zlint
>
> Lintian complains that the produced binaries lack hardening and that I
> should set the appropriate hardening flags (hardening-no-bindnow,
> hardening-no-relro)

I tried something

--- a/debian/rules +++ b/debian/rules 
@@ -10,16 +10,19 @@ export DH_GOLANG_BUILDPKG := $(DH_GOPKG)/v3/cmd/zlint \ VERSION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f1) REVISION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f2) +export CGO_ENABLED := 0 LDFLAGS := -ldflags \ - '-X "main.version=$(VERSION)" \ + '-extldflags -Wl,-z,now \ + -X "main.version=$(VERSION)" \ -X "main.revision=$(REVISION)"' %: dh $@ --builddirectory=_build --buildsystem=golang --with=golang override_dh_auto_build: - dh_auto_build -- $(LDFLAGS) + dh_auto_build -- -buildmode=pie \ + $(LDFLAGS) override_dh_install-indep: rm -rf debian/tmp/usr/share/gocode/src/github.com/zmap/zlint/v3/cmd

But now this ends with:

"zlint: shared-library-lacks-prerequisites usr/bin/zlint*"

I'm not sure if it is safe to ignore this warning, probably it is, but I'm not fully certain

> But if I look at the build log, go env prints the following compiler flags
> that seem fine to me:
>
> CGO_CFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
> -fstack-protector-strong -Wformat -Werror=format-security"
> CGO_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
> CGO_CXXFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
> -fstack-protector-strong -Wformat -Werror=format-security"
> CGO_FFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong"
> CGO_LDFLAGS="-Wl,-z,relro"
>
> I assumed that if `go env` can read these flags, then `go install` would
> also pick them up. But that doesn't seem to happen. The only difference to
> other binary builds that I did in the past is that I had to use a specific
> go version because golang-any is too old, but I didn't find any hint if
> or why go-1.16 might behave any different.

No, this is completely wrong. Use golang-any instead for B-D, it can build with golang-1.15, should be fine.
The problem is sooner or later golang-1.16 will be removed when new versions come up (see for example anything less than golang-1.13)

> [1] https://salsa.debian.org/go-team/packages/golang-github-zmap-zlint/-/tree/debian/sid
> [2] https://salsa.debian.org/go-team/packages/golang-github-zmap-zcrypto/-/tree/debian/sid

Please make debian/sid the default branches for this repository (I guess you should have the permissions for doing so)

Nilesh
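
Review bot: In the LDFLAGS change of the debian/rules hunk, "-extldflags -Wl,-z,now" is only handed to an external linker, while the "export CGO_ENABLED := 0" line added just above it steers the build toward Go's internal linker, so the bind-now flag may never reach a linker at all. The hunk also passes nothing for relro: the "-Wl,-z,relro" shown in CGO_LDFLAGS applies to cgo links only, which this change turns off. I would either reconsider whether CGO_ENABLED := 0 is needed, or check the built usr/bin/zlint (for example with readelf -d) to confirm BIND_NOW is really set before relying on it. A short comment in debian/rules explaining why cgo is disabled and why -buildmode=pie is forced would help the next maintainer, and if shared-library-lacks-prerequisites is to be ignored, a lintian override with the reason written down is better than leaving the warning open.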