On Sat, Jan 14, 2023 at 9:48 PM Peymaneh <peyma...@posteo.net> wrote: > > Hi, > > I have a question regarding the static linking of Go programs: > > I added -buildmode=pie to the compiler flags for Caddy[1] for additional > hardening. lintian now complains: > > > caddy: shared-library-lacks-prerequisites [usr/bin/caddy] > > The listed shared library doesn't include information about the other > > libraries against which it was linked. > > > > More specifically, "ldd foo.so" should report such other libraries. In your > > case, it reports "statically linked". > > > > The fix is to specify the libraries. One way to do so is to add something > > like "-lc" to the command-line options for "ld". > > I am not sure what to think of this: > > First, Caddy is not a shared library even and, as any other Go > executables, is usually statically linked. > > For amd64 the Go compiler uses internal linking and > > % objdump -p $caddy-binary-armhf | grep NEEDED > % > > is empty, but this is just as is should be. > > For some other platforms -buildmode=pie requires building with an > external linker, and the Caddy binary built for those correctly includes > this information: > > % objdump -p $caddy-binary-armhf | grep NEEDED > NEEDED libc.so.6 > > it seems to me this lintian warning is incorrect. Would it be sensible > to overwrite it?
I am inclined to lintian this time. The binary is rather odd. It's statically linked, but the interpreter is set as well. The result comes from CGO_ENABLED=0 and -buildmode=pie. I'm not sure if these options are sensible to use together. But why do you want CGO_ENABLED=0? We should avoid this in Debian packaging. Shared binary is much preferred for distribution packages. Generally speaking, I prefer not hacking build flags in individual packages. This is the job of dh-golang. -- Shengjing Zhu