Hi,

I have a question regarding the static linking of Go programs:

I added -buildmode=pie to the compiler flags for Caddy[1] for additional hardening. lintian now complains:

    caddy: shared-library-lacks-prerequisites [usr/bin/caddy]
    The listed shared library doesn't include information about the other libraries against which it was linked. More specifically, "ldd foo.so" should report such other libraries. In your case, it reports "statically linked". The fix is to specify the libraries. One way to do so is to add something like "-lc" to the command-line options for "ld".

I am not sure what to think of this:

First, Caddy is not even a shared library and, like any other Go executable, is usually statically linked.

For amd64 the Go compiler uses internal linking and

    % objdump -p $caddy-binary-armhf | grep NEEDED
    %

is empty, but this is just as it should be.

For some other platforms -buildmode=pie requires building with an external linker, and the Caddy binary built for those correctly includes this information:

    % objdump -p $caddy-binary-armhf | grep NEEDED
      NEEDED               libc.so.6

It seems to me this lintian warning is incorrect. Would it be sensible to overwrite it?

cheers,
Peymaneh

[1] https://salsa.debian.org/go-team/packages/caddy/-/blob/b6f3fc1978b9974cbd4eb075b5e71305e9286484/debian/rules#L17
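The `objdump -p ... | grep NEEDED` check from the message, as an added Python example that is not part of the original post: a PIE executable has the same ELF type (ET_DYN) as a shared object, so the code reads that type and the DT_NEEDED entries straight from the program headers. `inspect_elf` and `build_sample` are hypothetical names, the sample image is constructed rather than a real Caddy binary, and only little-endian ELF64 is handled.

```python
import struct

ET_DYN = 3                      # e_type of shared objects and of PIE executables
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def inspect_elf(data):
    """Return (is_et_dyn, needed_names) for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type, _, _, _, phoff = struct.unpack_from("<HHIQQ", data, 16)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    # Each program header starts: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
    phdrs = [struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize) for i in range(phnum)]
    name_offsets, strtab = [], None
    for p_type, _, p_offset, _, _, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):   # Elf64_Dyn: d_tag, d_val
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                name_offsets.append(val)
            elif tag == DT_STRTAB:
                strtab = val
    names = []
    for val in name_offsets:
        # DT_STRTAB is a virtual address; map it to a file offset through PT_LOAD
        start = val + next(p[2] + strtab - p[3] for p in phdrs
                           if p[0] == PT_LOAD and p[3] <= strtab < p[3] + p[5])
        names.append(data[start:data.index(b"\0", start)].decode())
    return e_type == ET_DYN, names

def build_sample(needed=()):
    """Constructed ET_DYN image (not a real binary): PT_LOAD + PT_DYNAMIC only."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    str_off = 64 + 2 * 56                       # ELF header + two program headers
    dyn_off, dyn, pos = str_off + len(strtab), b"", 1
    for n in needed:
        dyn += struct.pack("<qQ", DT_NEEDED, pos)
        pos += len(n) + 1
    dyn += struct.pack("<qQqQ", DT_STRTAB, str_off, DT_NULL, 0)
    end = dyn_off + len(dyn)
    ehdr = struct.pack("<7s9xHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, end, end, 4096)
    dynp = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynp + strtab + dyn
```

Both constructed images report ET_DYN; only the one built with a `needed` list returns library names, which is the difference the two `objdump` runs in the message show.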