[pkg-golang-devel] Bug#821454: [pkg-go] Bug#821454: dh-golang: Position-independent executables (PIE)
peter at colberg.org
Fri Apr 29 00:40:58 UTC 2016
On Wed, Apr 27, 2016 at 01:35:30PM +1200, Michael Hudson-Doyle wrote:
> I think only pie, bindnow and relro make sense for Go.
I figured out how to link with BINDNOW and RELRO using -extldflags:
# Pass hardening flags to linker
GO_LDFLAGS += -extldflags=-Wl,-z,now,-z,relro
# hardening-check acmetool
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
> If you use -pkgdir, the standard library is rebuilt whatever you do.
I think -pkgdir is not needed at all for building with -buildmode=pie.
I suggest the following path going forward:
* Ship the -buildmode=pie std library in a separate package
golang-std-pie-dev as part of the golang source package.
* Extend dh-golang to translate the dpkg hardening flags into
-buildmode=pie and -extldflags=-Wl,-z,now,-z,relro as needed.
I am filing a separate bug to implement the first change.
The second change need not happen right away; since it only affects
packages that build executables, which are very few among the many
golang packages, this can also be implemented on a case-by-case
basis for now.
> The performance and binary size hit of PIE on i386 in particular is
> likely to be large. Do you care at all about that?
I noticed for amd64 that the size of the stripped acmetool executable
increases from 10 to 15 MB, which is significant but not dramatic
compared to the overall bloat of Go executables. The size of the
compressed Debian package increases from 2.2 to 2.7 MB. (That is
a compression ratio of 5:1 in both cases.)
Is this not a general issue that affects all Debian packages compiled
with hardening flags? Or do you potentially see Go-specific size and
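A shell sketch of the second proposed change (mapping the dpkg hardening features onto go build flags), added here as an example and not taken from the bug report or from dh-golang. It assumes the feature list arrives in the format printed by `dpkg-buildflags --query-features hardening` ("Feature:" / "Enabled:" stanzas); the sample stanzas are constructed and the function name go_hardening_flags is my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from dh-golang: turn the
# dpkg hardening feature list into the go build flags proposed in the mail
# (-buildmode=pie, plus -extldflags for the bindnow and relro features).
#
# Input is text in the format printed by `dpkg-buildflags --query-features
# hardening`; it is passed in as a string so the function also runs on a
# machine without dpkg-dev.
go_hardening_flags() {
    printf '%s\n' "$1" | awk '
        $1 == "Feature:" { feature = $2 }
        $1 == "Enabled:" && $2 == "yes" { on[feature] = 1 }
        END {
            out = ""
            if ("pie" in on) out = "-buildmode=pie"
            # relro and bindnow are linker options, so they are handed to
            # the external linker through -extldflags, as in the mail.
            ext = ""
            if ("bindnow" in on) ext = "-z,now"
            if ("relro" in on) ext = ext (ext == "" ? "" : ",") "-z,relro"
            if (ext != "")
                out = out (out == "" ? "" : " ") "-ldflags=-extldflags=-Wl," ext
            print out
        }'
}

# Constructed sample resembling a build with hardening=+all (no dpkg run).
SAMPLE_ALL='Feature: bindnow
Enabled: yes

Feature: format
Enabled: yes

Feature: fortify
Enabled: yes

Feature: pie
Enabled: yes

Feature: relro
Enabled: yes

Feature: stackprotector
Enabled: yes'

# Constructed sample for a package that opted out of pie (hardening=-pie).
SAMPLE_NOPIE='Feature: bindnow
Enabled: yes

Feature: pie
Enabled: no

Feature: relro
Enabled: yes'

# When dpkg-dev is installed, use the real feature list; otherwise fall back
# to the constructed sample so the translation is still demonstrated.
if command -v dpkg-buildflags >/dev/null 2>&1; then
    FEATURES=$(dpkg-buildflags --query-features hardening)
else
    FEATURES=$SAMPLE_ALL
fi
echo "go build $(go_hardening_flags "$FEATURES") ./..."
```

With every feature enabled the function prints `-buildmode=pie -ldflags=-extldflags=-Wl,-z,now,-z,relro`, i.e. the two settings the mail asks dh-golang to derive; with pie disabled only the -extldflags part remains, and the output of the resulting binary can be verified with hardening-check as shown above.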