nixpkgs/pkgs/development/compilers/go/tests.nix
Luna Nova 4d1d61c75c go: set buildmode=exe when CGO_ENABLED=0
To avoid breaking the previously documented[^1] behavior of CGO_ENABLED=0
producing fully static binaries, we set buildmode=exe. Sadly, Go
does not support static-pie binaries, so these packages
lose ASLR.

This is likely to be revisited after branch-off, as
go packages in the main package set with CGO_ENABLED=0 not having
ASLR is not good security posture in the long term and makes
go packages inconsistent with other languages.

[1]: See #var-go-CGO_ENABLED

Fixes: #456953
Fixes: 08aadbf8d4
2025-11-06 08:00:41 -08:00


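# Smoke tests for the Go toolchain and for two representative Go packages:
# one that links against C (skopeo, CGO enabled) and one built with
# CGO_ENABLED=0 (athens).
{
  lib,
  stdenv,
  go,
  buildGoModule,
  # A package that relies on CGO
  skopeo,
  testers,
  runCommand,
  bintools,
  # A package with CGO_ENABLED=0
  athens,
}:
let
  # Rebuild both packages with the buildGoModule under test so the
  # binary-type checks below exercise this Go rather than the default one.
  skopeo' = skopeo.override { buildGoModule = buildGoModule; };
  athens' = athens.override { buildGoModule = buildGoModule; };
  # `readelf -h` ELF types. CGO builds are expected to be externally linked
  # and position-independent (DYN). CGO_ENABLED=0 builds use buildmode=exe,
  # which yields a static non-PIE binary (EXE) because Go has no static-pie
  # support -- note that such binaries therefore run without ASLR.
  expectedCgoEnabledType = "DYN";
  expectedCgoDisabledType = "EXE";
  # Single readelf path shared by every check below.
  readelf = lib.getExe' bintools "readelf";
in
{
  skopeo = testers.testVersion { package = skopeo'; };
  version = testers.testVersion {
    package = go;
    command = "go version";
    version = "go${go.version}";
  };
  athens = testers.testVersion { package = athens'; };
}
# bin type tests assume ELF file + linux-specific exe types
// lib.optionalAttrs stdenv.hostPlatform.isLinux {
  # Marked broken on fully static hosts, where the expected ELF types do not apply.
  skopeo-bin-type = runCommand "skopeo-bin-type" { meta.broken = stdenv.hostPlatform.isStatic; } ''
    bin="${lib.getExe' skopeo' ".skopeo-wrapped"}"
    # A GCC .comment section is the evidence that the external linker was used.
    # The message names the binary actually inspected ($bin), not the
    # un-overridden skopeo.
    if ! ${readelf} -p .comment "$bin" | grep -Fq "GCC: (GNU)"; then
      echo "$bin should have been externally linked, but no GNU .comment section found"
      exit 1
    fi
    if ${readelf} -h "$bin" | grep -q "Type:.*${expectedCgoEnabledType}"; then
      touch $out
    else
      echo "ERROR: $bin is NOT ${expectedCgoEnabledType}"
      exit 1
    fi
  '';
  athens-bin-type = runCommand "athens-bin-type" { meta.broken = stdenv.hostPlatform.isStatic; } ''
    bin="${lib.getExe athens'}"
    ${lib.optionalString (stdenv.buildPlatform == stdenv.targetPlatform) ''
      # For CGO_ENABLED=0 the internal linker should be used, except
      # for cross where we rely on external linking by default
      if ${readelf} -p .comment "$bin" | grep -Fq "GCC: (GNU)"; then
        echo "$bin has a GCC .comment, but it should have used the internal go linker"
        exit 1
      fi
    ''}
    if ${readelf} -h "$bin" | grep -q "Type:.*${expectedCgoDisabledType}"; then
      touch $out
    else
      echo "ERROR: $bin is NOT ${expectedCgoDisabledType}"
      exit 1
    fi
  '';
}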