[pkg-golang-devel] Bug#821454: [pkg-go] Bug#821454: dh-golang: Position-independent executables (PIE)

Michael Hudson-Doyle michael.hudson at canonical.com
Tue Apr 26 10:29:51 UTC 2016


I finally asked on golang-dev and Russ Cox pointed out the -pkgdir
argument to go install. This patch:

diff -Nru acmetool-0.0.49/debian/changelog acmetool-0.0.49/debian/changelog
--- acmetool-0.0.49/debian/changelog 2016-04-26 22:15:04.000000000 +1200
+++ acmetool-0.0.49/debian/changelog 2016-04-26 22:18:51.000000000 +1200
@@ -1,3 +1,9 @@
+acmetool (0.0.49-2) UNRELEASED; urgency=medium
+
+  * Everyone loves PIE
+
+ -- Michael Hudson-Doyle <michael.hudson at ubuntu.com>  Tue, 26 Apr
2016 22:18:34 +1200
+
 acmetool (0.0.49-1) unstable; urgency=medium

   * Initial release (Closes: #817091)
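
Review bot: The new changelog entry ("Everyone loves PIE") does not say what changed or why; describe the actual change, for example that override_dh_auto_build now passes -buildmode=pie together with a private -pkgdir, and mention the lintian hardening-no-pie warning it addresses. The trailer line beginning " -- Michael Hudson-Doyle" has also been wrapped onto a second line that lacks a leading "+", so the hunk will not apply as posted.
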
diff -Nru acmetool-0.0.49/debian/rules acmetool-0.0.49/debian/rules
--- acmetool-0.0.49/debian/rules 2016-04-26 22:15:04.000000000 +1200
+++ acmetool-0.0.49/debian/rules 2016-04-26 22:22:42.000000000 +1200
@@ -11,7 +11,7 @@
  dh $@ --buildsystem=golang --with=golang

 override_dh_auto_build:
- dh_auto_build -O--buildsystem=golang -- -ldflags "$(GO_LDFLAGS)"
+ dh_auto_build -O--buildsystem=golang -- -buildmode=pie
-pkgdir=$$(mktemp -d -p $(CURDIR)) -ldflags "$(GO_LDFLAGS)"

 override_dh_auto_install:
  dh_auto_install -O--buildsystem=golang
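
Review bot: In override_dh_auto_build, -pkgdir=$$(mktemp -d -p $(CURDIR)) creates a new randomly named directory inside the source tree on every build, and nothing in the visible rules removes it, so repeated builds accumulate directories that the clean target leaves behind. A fixed path under the build tree (for example $(CURDIR)/_pkgdir, name illustrative) that is removed in an override_dh_auto_clean would avoid that, and the $(CURDIR) expansion should be quoted in case the path contains spaces. The added line is also wrapped before -pkgdir without a leading "+", which has to be rejoined before the patch applies.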

is obviously a bit of a hack but it seems to do approximately the right thing:

(master *)mwhudson at aeglos:/opt/opensource/deb/acmetool$ mkdir x
(master *)mwhudson at aeglos:/opt/opensource/deb/acmetool$ dpkg-deb -x ../acmetool_0.0.49-2_amd64.deb x
(master *)mwhudson at aeglos:/opt/opensource/deb/acmetool$ hardening-check x/usr/bin/acmetool
x/usr/bin/acmetool:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

(we could probably make dh-golang do something like this by default...)

Cheers,
mwh

On 19 April 2016 at 12:17, Michael Hudson-Doyle
<michael.hudson at canonical.com> wrote:
> This is like the cross-compilation / CGO_ENABLED=0 situations:
>
>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818651#10
>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776401#27
>
> I still don't really know of a good answer. I've been meaning to ask
> upstream if they have any ideas about this, maybe I'll get around to
> this today :-)
>
> Cheers,
> mwh
>
> On 19 April 2016 at 07:06, Peter Colberg <peter at colberg.org> wrote:
>> Package: dh-golang
>> Version: 1.15
>> Severity: normal
>>
>> Dear Debian Go team,
>>
>> In response to the lintian warning hardening-no-pie, I am trying to
>> build acmetool (#817091) as a position-independent executable (PIE).
>>
>> The Go compiler supports a -buildmode=pie since version 1.5.
>>
>> Building the package with this flag produces the following error:
>>
>>   dpkg-buildpackage: source package acmetool
>>   dpkg-buildpackage: source version 0.0.49-1
>>   dpkg-buildpackage: source distribution unstable
>>    dpkg-source --before-build acmetool-0.0.49
>>   dpkg-buildpackage: host architecture amd64
>>    fakeroot debian/rules clean
>>   dh clean --buildsystem=golang --with=golang
>>      dh_testdir -O--buildsystem=golang
>>      dh_auto_clean -O--buildsystem=golang
>>      dh_clean -O--buildsystem=golang
>>    dpkg-source -b acmetool-0.0.49
>>   dpkg-source: info: using source format '3.0 (quilt)'
>>   dpkg-source: info: building acmetool using existing ./acmetool_0.0.49.orig.tar.gz
>>   dpkg-source: info: building acmetool in acmetool_0.0.49-1.debian.tar.xz
>>   dpkg-source: info: building acmetool in acmetool_0.0.49-1.dsc
>>    debian/rules build
>>   dh build --buildsystem=golang --with=golang
>>      dh_testdir -O--buildsystem=golang
>>      dh_update_autotools_config -O--buildsystem=golang
>>      dh_auto_configure -O--buildsystem=golang
>>      debian/rules override_dh_auto_build
>>   make[1]: Entering directory '/<<PKGBUILDDIR>>'
>>   dh_auto_build -O--buildsystem=golang -- -buildmode=pie -ldflags "-X github.com/hlandau/acme/hooks.DefaultPath=/etc/ac
>> +me
>>           go install -v -buildmode=pie -ldflags "-X github.com/hlandau/acme/hooks.DefaultPath=/etc/acme/hooks -X github
>> +.ci github.com/hlandau/acme/acmeapi/acmeendpoints github.com/hlandau/acme/acmeapi/acmeutils
>> +github.com/hlandau/acme/cmd/a/acme/redirector github.com/hlandau/acme/responder github.com/hlandau/acme/solver
>> +github.com/hlandau/acme/storage githu
>>   runtime/internal/sys
>>   go install runtime/internal/sys: mkdir /usr/lib/go/pkg/linux_amd64_shared: permission denied
>>   dh_auto_build: go install -v -buildmode=pie -ldflags -X github.com/hlandau/acme/hooks.DefaultPath=/etc/acme/hooks -X
>> +gicmeapi github.com/hlandau/acme/acmeapi/acmeendpoints github.com/hlandau/acme/acmeapi/acmeutils
>> +github.com/hlandau/acme/andau/acme/redirector github.com/hlandau/acme/responder github.com/hlandau/acme/solver
>> +github.com/hlandau/acme/storage
>>   debian/rules:14: recipe for target 'override_dh_auto_build' failed
>>   make[1]: *** [override_dh_auto_build] Error 1
>>   make[1]: Leaving directory '/<<PKGBUILDDIR>>'
>>   debian/rules:11: recipe for target 'build' failed
>>   make: *** [build] Error 2
>>   dpkg-buildpackage: error: debian/rules build gave error exit status 2
>>
>> Any ideas what is going wrong?
>>
>> It works fine if I compile from upstream:
>>
>>   git clone https://github.com/hlandau/acme github.com/hlandau/acme
>>   cd github.com/hlandau/acme/cmd/acmetool
>>   export GOPATH=$PWD
>>   go get -v
>>   go build -v -buildmode=pie
>>
>> Regards,
>> Peter
>>
>> _______________________________________________
>> Pkg-go-maintainers mailing list
>> Pkg-go-maintainers at lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers


