diff options
| author | Nick Thomas <nick@gitlab.com> | 2019-08-16 19:29:19 +0300 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2019-08-19 14:01:08 +0300 |
| commit | 66945defb9352ef4569f11710b4c4d663e3d9712 (patch) | |
| tree | f09686975c145a57d6677cc2fdac2edfaf0bb917 /Makefile.build.mk | |
| parent | eaea17e9004b9b27234b65d5f6854f1e009b7723 (diff) | |
Explicitly use -buildmode=exe in the Makefile
Pages has a built-in chroot mechanism which relies on the Pages binary
being a proper statically-compiled binary with no need for a linker to
run.
For most go packages, this is the default when `CGO_ENABLED=0` is
chosen. However, Arch Linux has a `go-pie` distribution of Go that
changes the default build mode so they produce position-independent
executables by default.
These are still statically compiled, but operate by compiling the Go
application code into a relocatable library, and statically compiling
that library with a stub executable that jumps into the relocated code.
On Linux, this produces a "type DYN" ELF instead of a "type EXEC" ELF,
and requires a linker to be invoked.
This is incompatible with the chroot mode, and - since Go is a managed
language, and since we disable cgo in Pages - doesn't increase security
as far as I can tell.
Fixing Pages to work with `-buildmode=pie` seems too difficult as long
as we include chroot support, so explicitly specify `-buildmode=exe` to
produce a working binary when compiling under go-pie instead.
Diffstat (limited to 'Makefile.build.mk')
| -rw-r--r-- | Makefile.build.mk | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Makefile.build.mk b/Makefile.build.mk index f04e343c..b58e2139 100644 --- a/Makefile.build.mk +++ b/Makefile.build.mk @@ -9,7 +9,7 @@ setup: clean .GOPATH/.ok go get github.com/fzipp/gocyclo build: .GOPATH/.ok - $Q go install $(if $V,-v) $(VERSION_FLAGS) $(IMPORT_PATH) + $Q go install $(if $V,-v) $(VERSION_FLAGS) -buildmode exe $(IMPORT_PATH) clean: $Q rm -rf bin .GOPATH gitlab-pages |