On 26/06/21 09:02 PM, Peymaneh Nejad wrote:
Hi,
I am working on packaging zlint and have trouble compiling the binaries
correctly. I pushed my work so far to salsa[1] and also the packaging for
github.com/zmap/zcrypto[2] (also WIP) that is needed for building zlint
Lintian complains that the produced binaries lack hardening and that I
should set the appropriate harding flags (hardening-no-bindnow,
hardening-no-relro)
I tried something
--- a/debian/rules
+++ b/debian/rules
@@ -10,16 +10,19 @@ export DH_GOLANG_BUILDPKG := $(DH_GOPKG)/v3/cmd/zlint \
VERSION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f1)
REVISION = $(shell dpkg-parsechangelog --show-field Version | cut -d- -f2)
+export CGO_ENABLED := 0
LDFLAGS := -ldflags \
- '-X "main.version=$(VERSION)" \
+ '-extldflags -Wl,-z,now \
+ -X "main.version=$(VERSION)" \
-X "main.revision=$(REVISION)"'
%:
dh $@ --builddirectory=_build --buildsystem=golang --with=golang
override_dh_auto_build:
- dh_auto_build -- $(LDFLAGS)
+ dh_auto_build -- -buildmode=pie \
+ $(LDFLAGS)
override_dh_install-indep:
rm -rf debian/tmp/usr/share/gocode/src/github.com/zmap/zlint/v3/cmd
But now this ends with: "zlint: shared-library-lacks-prerequisites
usr/bin/zlint*"
I'm not sure if it is safe to ignore this warning, probably it is, but
I'm not fully certain
But if I look at the build log, go env prints the following compiler flags
that seem fine to me:
CGO_CFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
-fstack-protector-strong -Wformat -Werror=format-security"
CGO_CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
CGO_CXXFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=.
-fstack-protector-strong -Wformat -Werror=format-security"
CGO_FFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong"
CGO_LDFLAGS="-Wl,-z,relro"
I assumed that if `go env` can read these flags, then `go install` would
also pick them up. But that doesn't seem to happen. The only difference to
other binary builds that I did in the past is that I had to use a specific
go version because golang-any is too old, but I didn't find any hint if
orwhy go-1.16 might behave any different.
No, this is completely wrong. Use golang-any instead for B-D, it can
build with golang-1.15, should be fine.
The problem is sooner or later golang-1.16 will be removed when new
versions come up (see for example anything less than golang-1.13)