[Docker-maint] Bug#823014: golang: Package compiled stdlib for PIE build mode
Peter Colberg
peter at colberg.org
Sat Apr 30 00:18:14 UTC 2016
Package: golang
Version: 2:1.6.1-2
Severity: normal
Tags: patch
Dear Maintainer,
Please consider adding the following patch, which builds an optional
package containing the compiled standard library for PIE build mode.
This is a prerequisite for building position-independent executables
for the purpose of hardening Go binaries against memory corruption
vulnerabilities [1].
[1] https://bugs.debian.org/821454
A package maintainer who wishes to ship hardened binaries shall add
a Build-Depends: golang-std-pie, and a debian/rules stanza such as

override_dh_auto_build:
	dh_auto_build -O--buildsystem=golang -- -buildmode=pie -ldflags -extldflags=-Wl,-z,now,-z,relro

In the future dh-golang could be extended to pass the above flags.
Regards,
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Package-compiled-stdlib-for-PIE-build-mode.patch
Type: text/x-diff
Size: 2434 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/docker-maint/attachments/20160429/d0afa04a/attachment.patch>