On 5/14/20 9:46 AM, Morten Linderud wrote: > On Thu, May 14, 2020 at 09:39:58AM +0200, Levente Polyak via arch-dev-public > wrote: >>> At the end of the month I'll make a todo with the remaining packages >>> depending >>> on `go-pie`. >>> >>> The complete future Go PKGBUILD is attached to this email below. >>> >> PS: shouldn't we look into Go getting those flags as well? The Go >> compiler itself doesn't have RELRO and fortified sources :) > > Because everything, sadly, breaks. I'd much rather try look into > reproducibility > before actually caring about binary hardening. > > If we PIE compile the test suite upstream fails quite badly. Evidently > upstream > doesn't test the go compiler with PIE/RELRO enabled. Unsure if they care at > all > even. If we also try define `CGO_CFLAGS` we end up with errors like: > > /usr/include/features.h:397:4: error: #warning _FORTIFY_SOURCE requires > compiling with optimization (-O) [-Werror=cpp] > > `-buildmode=pie` is also going to land you in trouble with the race detection > in > their test suite. > > So not quite there yet for the compiler itself. >
/o\ @ upstream not sure what else to say :P If you wanna take an adventure in the future, feel invited to ping me for the ultimate quest to explore the rabbit hole in detail and maybe at least get RELRO or something. cheers, Levente
signature.asc
Description: OpenPGP digital signature
