Is manually specifying ‘-buildmode=pie’ in d/rules still the right and only way to build PIE hardened binaries?
More specifically, what I'm doing is:

    export DEB_BUILD_MAINT_OPTIONS = hardening=+all
    export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed

    GO_LINK_FLAGS += -extldflags "$(LDFLAGS)"
    GO_FLAGS += --ldflags '$(GO_LINK_FLAGS)'

And then:

    dh_auto_build -O--buildsystem=golang -- -buildmode=pie $(GO_FLAGS)

(Actual d/rules file: http://deb.li/igtuN).

This builds fine on my amd64 system, but I'm not sure about other architectures, and the package hasn't been uploaded yet.

Thank you,
Paride
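Added example, not part of the original message or of any Debian tooling: one way to confirm on each architecture that a built binary really came out as PIE is to read its ELF header and program headers. The names `classify_elf` and `make_sample` are hypothetical, and treating "ET_DYN plus a PT_INTERP segment" as PIE is a heuristic assumption (a static-pie binary has no PT_INTERP and is reported as shared-object).

```python
import struct, sys

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data):
    """Return 'pie', 'non-pie', 'shared-object', 'other' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = ">" if data[5] == 2 else "<"       # EI_DATA: 2 = big endian (e.g. s390x)
    try:
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        if e_type == ET_EXEC:
            return "non-pie"                 # fixed load address
        if e_type != ET_DYN:
            return "other"                   # relocatable object, core file, ...
        # Program header table location; field offsets differ by ELF class.
        (phoff,) = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
        for i in range(phnum):
            (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
            if p_type == PT_INTERP:
                return "pie"                 # ET_DYN that requests a loader
    except struct.error:
        return "not-elf"                     # truncated header or table
    return "shared-object"                   # ET_DYN without PT_INTERP (or static-pie)

def make_sample(e_type, interp, is64=True, big=False):
    """Constructed ELF header plus one program header, for demonstration only."""
    end = ">" if big else "<"
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big else 1, 1]) + bytes(9)
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    hdr = struct.pack(fmt, e_type, 0, 1, 0, ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    p_type = PT_INTERP if interp else 1      # 1 = PT_LOAD
    return ident + hdr + struct.pack(end + "I", p_type) + bytes(phentsize - 4)

if __name__ == "__main__":
    # Usage: pass the paths of the built binaries as arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify_elf(f.read()))
```

Run against the installed binaries in the package build tree, "non-pie" on any architecture means the -buildmode=pie flag did not take effect there.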