go: position independent executables by default

Followup to setting --enable-default-pie for our gcc,
we teach go to build PIE by default when supported.

pkgs/build-support/go/module.nix

@@ -269,13 +269,6 @@ lib.extendMkDerivation {
             }
           ''
           + ''
-
-            # currently pie is only enabled by default in pkgsMusl
-            # this will respect the `hardening{Disable,Enable}` flags if set
-            if [[ $NIX_HARDENING_ENABLE =~ "pie" ]]; then
-              export GOFLAGS="-buildmode=pie $GOFLAGS"
-            fi
-
             runHook postConfigure
           ''
         );

pkgs/development/compilers/go/1.24.nix

@@ -65,6 +65,7 @@ stdenv.mkDerivation (finalAttrs: {
     ./remove-tools-1.11.patch
     ./go_no_vendor_checks-1.23.patch
     ./go-env-go_ldso.patch
+    ./go-default-pie.patch
   ];
 
   inherit (stdenv.targetPlatform.go) GOOS GOARCH GOARM;

pkgs/development/compilers/go/1.25.nix

@@ -10,8 +10,12 @@
   buildPackages,
   pkgsBuildTarget,
   targetPackages,
+  # for testing
   testers,
+  runCommand,
+  bintools,
   skopeo,
+  clickhouse-backup,
   buildGo125Module,
 }:
 
@@ -19,6 +23,7 @@ let
   goBootstrap = buildPackages.callPackage ./bootstrap122.nix { };
 
   skopeoTest = skopeo.override { buildGoModule = buildGo125Module; };
+  clickhouse-backupTest = clickhouse-backup.override { buildGoModule = buildGo125Module; };
 
   # We need a target compiler which is still runnable at build time,
   # to handle the cross-building case where build != host == target
@@ -70,6 +75,7 @@ stdenv.mkDerivation (finalAttrs: {
     ./remove-tools-1.11.patch
     ./go_no_vendor_checks-1.23.patch
     ./go-env-go_ldso.patch
+    ./go-default-pie.patch
   ];
 
   inherit (stdenv.targetPlatform.go) GOOS GOARCH GOARM;
@@ -179,6 +185,23 @@ stdenv.mkDerivation (finalAttrs: {
         command = "go version";
         version = "go${finalAttrs.version}";
       };
+      # Picked clickhouse-backup as a package that sets CGO_ENABLED=0
+      # Running and outputting the right version proves a working ELF interpreter was picked
+      clickhouse-backup = testers.testVersion { package = clickhouse-backupTest; };
+      clickhouse-backup-is-pie = runCommand "has-pie" { meta.broken = stdenv.hostPlatform.isStatic; } ''
+        ${lib.optionalString (!isCross) ''
+          if ${lib.getExe' bintools "readelf"} -p .comment ${lib.getExe clickhouse-backup} | grep -Fq "GCC: (GNU)"; then
+            echo "${lib.getExe clickhouse-backup} has a GCC .comment, but it should have used the internal go linker"
+            exit 1
+          fi
+        ''}
+        if ${lib.getExe' bintools "readelf"} -h ${lib.getExe clickhouse-backup} | grep -q "Type:.*DYN"; then
+          touch $out
+        else
+          echo "ERROR: clickhouse-backup is NOT PIE"
+          exit 1
+        fi
+      '';
     };
   };
 

pkgs/development/compilers/go/go-default-pie.patch

@@ -0,0 +1,13 @@
+diff --git a/src/internal/platform/supported.go b/src/internal/platform/supported.go
+index f9706a6988..abac42d550 100644
+--- a/src/internal/platform/supported.go
++++ b/src/internal/platform/supported.go
+@@ -249,7 +253,7 @@ func DefaultPIE(goos, goarch string, isRace bool) bool {
+ 	case "darwin":
+ 		return true
+ 	}
+-	return false
++	return BuildModeSupported("gc", "pie", goos, goarch)
+ }
+ 
+ // ExecutableHasDWARF reports whether the linked executable includes DWARF