build: do we have a way to build the golang package with more security options
jing-rui opened this issue · 2 comments
We build golang using the following commands, referenced from
https://src.fedoraproject.org/rpms/golang/blob/rawhide/f/golang.spec

```sh
./make.bash --no-clean -v
GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -buildmode=shared -v -x std
GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -race -v -x std
```
The golang binary and libs in the package do not include security options such as pie, bind_now, relro, sp (stack protection), etc.
Is there a way to enable these options?
We can add these options for normal Go programs using a command like the one below:

```sh
CGO_ENABLED=1 \
CGO_CFLAGS="-fstack-protector-strong -fPIE" \
CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
go build -buildmode=pie -ldflags '-extldflags=-static' -ldflags '-w -buildid=none -linkmode=external -extldflags=-Wl,-z,relro,-z,now ' -o xxx .
```
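Whether pie, relro, bind_now, a non-executable stack and stack protection actually ended up in a built binary can be checked from its ELF headers. The following is an added example, not part of the original issue or of the Go project's code; the names `Hardening`, `Assess` and `CheckFile` are hypothetical, and it assumes Go 1.21 or later for `DynValue`.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// Hardening records which options named in the issue are visible in an ELF file.
type Hardening struct{ PIE, RELRO, BindNow, NXStack, Canary bool }

// Assess holds the decision logic; it takes already-parsed headers so it can be tested offline.
func Assess(typ elf.Type, progs []*elf.Prog, dyn map[elf.DynTag]uint64, syms []elf.Symbol) Hardening {
	h := Hardening{PIE: typ == elf.ET_DYN} // ET_DYN also matches shared objects
	for _, p := range progs {
		h.RELRO = h.RELRO || p.Type == elf.PT_GNU_RELRO
		h.NXStack = h.NXStack || (p.Type == elf.PT_GNU_STACK && p.Flags&elf.PF_X == 0)
	}
	_, now := dyn[elf.DT_BIND_NOW] // "-z now" appears as this tag or as a bit in DT_FLAGS / DT_FLAGS_1
	h.BindNow = now || dyn[elf.DT_FLAGS]&uint64(elf.DF_BIND_NOW) != 0 || dyn[elf.DT_FLAGS_1]&uint64(elf.DF_1_NOW) != 0
	for _, s := range syms {
		h.Canary = h.Canary || s.Name == "__stack_chk_fail" // referenced only by C objects built with -fstack-protector*
	}
	return h
}

// CheckFile parses one ELF file from disk and assesses it.
func CheckFile(path string) (Hardening, error) {
	f, err := elf.Open(path)
	if err != nil {
		return Hardening{}, err
	}
	defer f.Close()
	dyn := map[elf.DynTag]uint64{}
	for _, t := range []elf.DynTag{elf.DT_FLAGS, elf.DT_FLAGS_1, elf.DT_BIND_NOW} {
		if v, _ := f.DynValue(t); len(v) > 0 { // DynValue needs Go 1.21+
			dyn[t] = v[0]
		}
	}
	dsyms, _ := f.DynamicSymbols() // an error here only means the table is absent
	ssyms, _ := f.Symbols()
	return Assess(f.Type, f.Progs, dyn, append(dsyms, ssyms...)), nil
}

func main() {
	for _, path := range os.Args[1:] {
		h, err := CheckFile(path)
		fmt.Printf("%s: %+v err=%v\n", path, h, err)
	}
}
```

RELRO together with BindNow corresponds to full RELRO; RELRO alone is partial RELRO.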
Unlike many projects, the Go project does not use GitHub Issues for general discussion or asking questions. GitHub Issues are used for tracking bugs and proposals only.
For questions please refer to https://github.com/golang/go/wiki/Questions
I may face the same question; here is the discussion Gopher Slack link