I finally asked on golang-dev and Russ Cox pointed out the -pkgdir argument to go install. This patch:
diff -Nru acmetool-0.0.49/debian/changelog acmetool-0.0.49/debian/changelog --- acmetool-0.0.49/debian/changelog 2016-04-26 22:15:04.000000000 +1200 +++ acmetool-0.0.49/debian/changelog 2016-04-26 22:18:51.000000000 +1200 @@ -1,3 +1,9 @@ +acmetool (0.0.49-2) UNRELEASED; urgency=medium + + * Everyone loves PIE + + -- Michael Hudson-Doyle <michael.hud...@ubuntu.com> Tue, 26 Apr 2016 22:18:34 +1200 + acmetool (0.0.49-1) unstable; urgency=medium * Initial release (Closes: #817091) diff -Nru acmetool-0.0.49/debian/rules acmetool-0.0.49/debian/rules --- acmetool-0.0.49/debian/rules 2016-04-26 22:15:04.000000000 +1200 +++ acmetool-0.0.49/debian/rules 2016-04-26 22:22:42.000000000 +1200 @@ -11,7 +11,7 @@ dh $@ --buildsystem=golang --with=golang override_dh_auto_build: - dh_auto_build -O--buildsystem=golang -- -ldflags "$(GO_LDFLAGS)" + dh_auto_build -O--buildsystem=golang -- -buildmode=pie -pkgdir=$$(mktemp -d -p $(CURDIR)) -ldflags "$(GO_LDFLAGS)" override_dh_auto_install: dh_auto_install -O--buildsystem=golang is obviously a bit of a hack but it seems to do approximately the right thing: (master *)mwhudson@aeglos:/opt/opensource/deb/acmetool$ mkdir x (master *)mwhudson@aeglos:/opt/opensource/deb/acmetool$ dpkg-deb -x ../acmetool_0.0.49-2_amd64.deb x (master *)mwhudson@aeglos:/opt/opensource/deb/acmetool$ hardening-check x/usr/bin/acmetool x/usr/bin/acmetool: Position Independent Executable: yes Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: no, not found! Immediate binding: no, not found! (we could probably make dh-golang do something like this by default...) Cheers, mwh On 19 April 2016 at 12:17, Michael Hudson-Doyle <michael.hud...@canonical.com> wrote: > This is like the cross-compilation / CGO_ENABLED=0 situations: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818651#10 > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776401#27 > > I still don't really know of a good answer. I've been meaning to ask > upstream if they have any ideas about this, maybe I'll get around to > this today :-) > > Cheers, > mwh > > On 19 April 2016 at 07:06, Peter Colberg <pe...@colberg.org> wrote: >> Package: dh-golang >> Version: 1.15 >> Severity: normal >> >> Dear Debian Go team, >> >> In response to the lintian warning hardening-no-pie, I am trying to >> build acmetool (#817091) as a position-independent executable (PIE). >> >> The Go compiler supports a -buildmode=pie since version 1.5. >> >> Building the package with this flag produces the following errror: >> >> dpkg-buildpackage: source package acmetool >> dpkg-buildpackage: source version 0.0.49-1 >> dpkg-buildpackage: source distribution unstable >> dpkg-source --before-build acmetool-0.0.49 >> dpkg-buildpackage: host architecture amd64 >> fakeroot debian/rules clean >> dh clean --buildsystem=golang --with=golang >> dh_testdir -O--buildsystem=golang >> dh_auto_clean -O--buildsystem=golang >> dh_clean -O--buildsystem=golang >> dpkg-source -b acmetool-0.0.49 >> dpkg-source: info: using source format '3.0 (quilt)' >> dpkg-source: info: building acmetool using existing >> ./acmetool_0.0.49.orig.tar.gz >> dpkg-source: info: building acmetool in acmetool_0.0.49-1.debian.tar.xz >> dpkg-source: info: building acmetool in acmetool_0.0.49-1.dsc >> debian/rules build >> dh build --buildsystem=golang --with=golang >> dh_testdir -O--buildsystem=golang >> dh_update_autotools_config -O--buildsystem=golang >> dh_auto_configure -O--buildsystem=golang >> debian/rules override_dh_auto_build >> make[1]: Entering directory '/<<PKGBUILDDIR>>' >> dh_auto_build -O--buildsystem=golang -- -buildmode=pie -ldflags "-X >> github.com/hlandau/acme/hooks.DefaultPath=/etc/ac >> +me >> go install -v -buildmode=pie -ldflags "-X >> github.com/hlandau/acme/hooks.DefaultPath=/etc/acme/hooks -X github >> +.ci github.com/hlandau/acme/acmeapi/acmeendpoints >> github.com/hlandau/acme/acmeapi/acmeutils >> +github.com/hlandau/acme/cmd/a/acme/redirector >> github.com/hlandau/acme/responder github.com/hlandau/acme/solver >> +github.com/hlandau/acme/storage githu >> runtime/internal/sys >> go install runtime/internal/sys: mkdir /usr/lib/go/pkg/linux_amd64_shared: >> permission denied >> dh_auto_build: go install -v -buildmode=pie -ldflags -X >> github.com/hlandau/acme/hooks.DefaultPath=/etc/acme/hooks -X >> +gicmeapi github.com/hlandau/acme/acmeapi/acmeendpoints >> github.com/hlandau/acme/acmeapi/acmeutils >> +github.com/hlandau/acme/andau/acme/redirector >> github.com/hlandau/acme/responder github.com/hlandau/acme/solver >> +github.com/hlandau/acme/storage >> debian/rules:14: recipe for target 'override_dh_auto_build' failed >> make[1]: *** [override_dh_auto_build] Error 1 >> make[1]: Leaving directory '/<<PKGBUILDDIR>>' >> debian/rules:11: recipe for target 'build' failed >> make: *** [build] Error 2 >> dpkg-buildpackage: error: debian/rules build gave error exit status 2 >> >> Any ideas what is going wrong? >> >> It works fine if I compile from upstream: >> >> git clone https://github.com/hlandau/acme github.com/hlandau/acme >> cd github.com/hlandau/acme/cmd/acmetool >> export GOPATH=$PWD >> go get -v >> go build -v -buildmode=pie >> >> Regards, >> Peter >> >> _______________________________________________ >> Pkg-go-maintainers mailing list >> pkg-go-maintain...@lists.alioth.debian.org >> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers