Hi Michael,

On Wed, Apr 27, 2016 at 01:35:30PM +1200, Michael Hudson-Doyle wrote:
> I think only pie, bindnow and relro make sense for Go.

I figured out how to link with BINDNOW and RELRO using -extldflags:

# Pass hardening flags to linker
GO_LDFLAGS += -extldflags=-Wl,-z,now,-z,relro

# hardening-check acmetool
acmetool:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

> If you use -pkgdir, the standard library is rebuilt whatever you do.

I think -pkgdir is not needed at all for building with -buildmode=pie.

I suggest the following path going forward:

* Ship the -buildmode=pie std library in a separate package
  golang-std-pie-dev as part of the golang source package.

* Extend dh-golang to translate the dpkg hardening flags into
  -buildmode=pie and -extldflags=-Wl,-z,now,-z,relro as needed.

I am filing a separate bug to implement the first change. The second
change need not happen right away: since it only affects packages that
build executables, which are very few among the many golang packages,
this can also be implemented on a case-by-case basis for now.

> The performance and binary size hit of PIE on i386 in particular is
> likely to be large. Do you care at all about that?

I noticed for amd64 that the size of the stripped acmetool executable
increases from 10 to 15 MB, which is significant but not dramatic
compared to the overall bloat of Go executables. The size of the
compressed Debian package increases from 2.2 to 2.7 MB. (That is a
compression ratio of 5:1 in both cases.)

Is this not a general issue that affects all Debian packages compiled
with hardening flags? Or do you potentially see Go-specific size and
performance issues?

Regards,
Peter