FS#53087 - [go] Change default buildmode to pie
Attached to Project:
Arch Linux
Opened by Bartłomiej Piotrowski (Barthalion) - Sunday, 26 February 2017, 10:53 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Tuesday, 14 March 2017, 17:55 GMT
Details
Go by default doesn't use PIE for amd64/i686 executables. This can be specified explicitly with -buildmode or changed globally with a simple patch [1].
The advantages are obvious; the disadvantage is that debugging code might be harder, unless -buildmode=default is specified. We have many Go projects packaged though, so it would be beneficial to just have PIE by default.
[1] http://git.alpinelinux.org/cgit/aports/tree/community/go/default-buildmode-pie.patch
Closed by Bartłomiej Piotrowski (Barthalion)
Tuesday, 14 March 2017, 17:55 GMT
Reason for closing: Deferred
While I think it's a bit un-Arch-like to patch the executable instead of pestering upstream, I think it's a good idea, security-wise.
I will add the proposed patch to the package.
The Debian patch for this does not involve patching Go itself, but rather passing different arguments to the Go executable. I think this is the way to go (no pun intended).
As there is no way for us to do this in a uniform way (like CFLAGS), sane defaults are the better way to choose. The problem with the tests should be fixed and maybe upstream contacted, so IMO the way to go in our environment is to get those flags as defaults.
Until upstream makes it easier to generate position independent executables by default, it's fully possible for packages that depend on Go to supply the correct flags in the build process.
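Whichever route is taken (patched default, wrapper, or per-package flags), a packager still wants to confirm what the build actually produced. The following is an added example, not code from this report or from the Go project: it classifies an ELF binary by header type and program headers using only the standard library, and includes a constructed header-only image so the check can be exercised without compiling anything. The PIE heuristic (ET_DYN plus a PT_INTERP header) is an assumption of this example.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"io"
	"log"
	"os"
)

// Classify reports how the loader will treat an ELF image. The heuristic is an
// assumption, not from the bug report: ET_EXEC is a fixed-address executable,
// ET_DYN plus a PT_INTERP header is a PIE the loader may place anywhere, and
// ET_DYN without one is a plain shared object (static PIEs need a DT_FLAGS_1 check).
func Classify(r io.ReaderAt) (string, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return "", err
	}
	if f.Type != elf.ET_DYN {
		return f.Type.String() + " (not PIE)", nil
	}
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			return "PIE executable", nil
		}
	}
	return "shared object (ET_DYN, no PT_INTERP)", nil
}

// MinimalELF is a constructed, header-only ELF64 little-endian image (64-byte file header
// plus one 56-byte program header of type ph, no code or sections), just enough to parse.
func MinimalELF(typ elf.Type, ph elf.ProgType) []byte {
	hdr := elf.Header64{Type: uint16(typ), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Phoff: 64, Phnum: 1, Ehsize: 64, Phentsize: 56, Shentsize: 64} // program header table follows the file header
	copy(hdr.Ident[:], elf.ELFMAG+"\x02\x01\x01") // ELFCLASS64, ELFDATA2LSB, EV_CURRENT
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	binary.Write(&buf, binary.LittleEndian, elf.Prog64{Type: uint32(ph)})
	return buf.Bytes()
}

func main() {
	f, err := os.Open(os.Args[1]) // e.g. the output of `go build -buildmode=pie`
	if err != nil {
		log.Fatal(err)
	}
	log.Println(Classify(f))
}
```

Run it against the same program built with and without -buildmode=pie to see the ELF type flip from ET_EXEC to ET_DYN.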
I don't understand why anything about the go package has to be so troublesome. We're not some YOLO GNU/Linux kind of distribution, let's take security seriously.
Barthalion, after making a lot of fuss over a non-issue in the previous .install file for go and being unwilling to file a bug report for it, I think especially you should try to stay on topic here.
I think there might be better solutions for making go create position independent executables than taking the role of upstream and patching the Go sources. It's not the Arch way. This should be fixed by upstream.
While waiting for the upstream changes (if they ever happen), I think creating a wrapper script, or even modifying how go-related packages are built, are better temporary solutions.
That being said, would it make sense to do this with the hardening-wrapper?
https://groups.google.com/forum/#!msg/golang-nuts/Jd9tlNc6jUE/Z9ldF6vPEAAJ;context-place=forum/golang-nuts
It's a rather long discussion... See the beginning and the end at least.
Seems to me like upstream is planning to solve this for Go 1.8.1, since the issue is added to the "Go1.8.1 milestone".
Will wait for upstream to release Go 1.8.1.
I will apply the buildmode=pie patch once I rework the PKGBUILD so the package builds reliably.