``` Hardened: /usr/sbin/captree: skip: stack-prot test because GO is stack safe ```
However, it appears the new changes attempting to bring hardening to go builds has made the static analysis test check the binary and find issues.
```-%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 GO_BUILD_FLAGS="-buildmode=pie -ldflags='-B gobuildid'" all +%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 CGO_CFLAGS="${CFLAGS}" CGO_LDFLAGS="${LDFLAGS}" GO_BUILD_FLAGS="-buildmode=pie -a -v -x -ldflags='-compressdwarf=false -B gobuildid'" all
``` Regards, Carlos R.F. On 6/13/24 09:30, Carlos Rodriguez-Fernandez wrote:
Hi All,The build of libcap in Rawhide is failing the static analysis because of the stack protection not enabled [1].```Hardened: /usr/sbin/captree: FAIL: stack-prot test because stack protection not enabled (lto:threadentry) Hardened: /usr/sbin/captree: FAIL: stack-prot test because stack protection not enabled (lto:fatalf)``` captree is a go application included in the libcap package. It uses cgo.When you compile with cgo with the -x flag to show the commands being used, you see a lot of -fno-stack-protector, which is coming from the #cgo directive in the cgo files [2]. That's intentional, and has been there for some time. At least since 1.21.9, which is in Fedora 39, and where libcap didn't have those static analysis errors.Has there been recent hardening efforts in Rawhide that can explain why this is happening now?Thank you! 1. https://bodhi.fedoraproject.org/updates/FEDORA-2024-7da5d4e363 2. https://cs.opensource.google/go/go/+/master:src/runtime/cgo/cgo.go;l=26
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
