Re: [WIP] golang-github-zmap-zlint

[Peymaneh Nejad <p.nejad@posteo.de>]

Am 27.06.21 um 00:47 schrieb Nilesh Patra:
> On 26/06/21 09:02 PM, Peymaneh Nejad wrote:
> > Hi,
> >
> > I am working on packaging zlint and have trouble compiling the binaries
> > correctly. I pushed my work so far to salsa[1] and also the packaging for
> > github.com/zmap/zcrypto[2] (also WIP) that is needed for building zlint
> >
> > Lintian complains that the produced binaries lack hardening and that I
> > should set the appropriate harding flags (hardening-no-bindnow,
> > hardening-no-relro)
>
> I tried something
>
> --- a/debian/rules
> +++ b/debian/rules
> @@ -10,16 +10,19 @@ export DH_GOLANG_BUILDPKG := $(DH_GOPKG)/v3/cmd/zlint \
>
>   VERSION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f1)
>   REVISION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f2)
> +export CGO_ENABLED := 0
>
>   LDFLAGS := -ldflags \
> -         '-X "main.version=$(VERSION)" \
> +         '-extldflags -Wl,-z,now \
> +           -X "main.version=$(VERSION)" \
>             -X "main.revision=$(REVISION)"'
>
>   %:
>          dh $@ --builddirectory=_build --buildsystem=golang --with=golang
>
>   override_dh_auto_build:
> -       dh_auto_build -- $(LDFLAGS)
> +       dh_auto_build -- -buildmode=pie \
> +                       $(LDFLAGS)
>
>   override_dh_install-indep:
>          rm -rf debian/tmp/usr/share/gocode/src/github.com/zmap/zlint/v3/cmd
>
> But now this ends with: "zlint: shared-library-lacks-prerequisites
> usr/bin/zlint*"
> I'm not sure if it is safe to ignore this warning, probably it is, but
> I'm not fully certain
>
> > But if I look at the build log, go env prints the following compiler flags
> > that seem fine to me:
> >
> > CGO_CFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
> > -fstack-protector-strong -Wformat -Werror=format-security"
> > CGO_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
> > CGO_CXXFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
> > -fstack-protector-strong -Wformat -Werror=format-security"
> > CGO_FFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong"
> > CGO_LDFLAGS="-Wl,-z,relro"
> >
> > I assumed that if `go env` can read these flags, then `go install` would
> > also pick them up. But that doesn't seem to happen. The only difference to
> > other binary builds that I did in the past is that I had to use a specific
> > go version because golang-any is too old, but I didn't find any hint if
> > orwhy go-1.16 might behave any different.
>
> No, this is completely wrong. Use golang-any instead for B-D, it can
> build with golang-1.15, should be fine.
> The problem is sooner or later golang-1.16 will be removed when new
> versions come up (see for example anything less than golang-1.13)

Okay. The entire issue with the build flags is resolved with golang-any as B-D 
instead of golang-1.16.
I thought 1.16 would be necessary because the go.mod and specifies it and I had 
some trouble initially getting the build done, but it seems it's just fine as is 
with golang-any

> > [1] https://salsa.debian.org/go-team/packages/golang-github-zmap-zlint/-/tree/debian/sid
> > [2] https://salsa.debian.org/go-team/packages/golang-github-zmap-zcrypto/-/tree/debian/sid
>
> Please make debian/sid the default branches for this repository (I guess
> you should have the permissions for doing so)

I don't have the permission to change any of the repo settings but mejo fixed 
that :)

Peymaneh