30da50
From 89129bd096c8bfac4ff84fc19726898cc901c1fc Mon Sep 17 00:00:00 2001
e405ae
From: Debarshi Ray <rishi@fedoraproject.org>
e405ae
Date: Mon, 29 Jun 2020 17:57:47 +0200
e405ae
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuild}
e405ae
e405ae
The Go toolchain doesn't play well with passing compiler and linker
e405ae
flags via environment variables. The linker flags require a second
e405ae
level of quoting, which leaves the build system without a quote level
e405ae
to assign the flags to an environment variable like GOFLAGS.
e405ae
e405ae
This is one reason why RHEL doesn't have an RPM macro with only the
e405ae
flags. The %{gobuild} RPM macro includes the entire 'go build ...'
e405ae
invocation.
e405ae
e405ae
The Go toolchain also doesn't like the LDFLAGS environment variable as
e405ae
exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
e405ae
like the compressed DWARF data generated by the Go toolchain.
e405ae
e405ae
Note that these flags are meant for every CPU architecture other than
e405ae
PPC64, and should be kept updated to match RHEL's Go guidelines. Use
e405ae
'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
e405ae
---
30da50
 src/go-build-wrapper | 14 ++++++++++----
30da50
 1 file changed, 10 insertions(+), 4 deletions(-)
e405ae
e405ae
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
30da50
index ef4aafc8b024..e82e42ca8151 100755
e405ae
--- a/src/go-build-wrapper
e405ae
+++ b/src/go-build-wrapper
30da50
@@ -32,9 +32,9 @@ if ! cd "$1"; then
e405ae
     exit 1
e405ae
 fi
e405ae
 
30da50
-tags=""
30da50
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
30da50
 if $6; then
30da50
-    tags="-tags migration_path_for_coreos_toolbox"
30da50
+    tags="$tags,migration_path_for_coreos_toolbox"
30da50
 fi
30da50
 
30da50
 if ! libc_dir=$("$4" --print-file-name=libc.so); then
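Review bot: `${BUILDTAGS:-}` comes from the environment and is later expanded unquoted as `$tags` (the `go build` call in the later hunk disables SC2086 for exactly that), so a value containing whitespace is split into extra `go build` arguments instead of staying inside the tag list. Keeping only the comma list in the variable, `tags="rpm_crashtraceback,${BUILDTAGS:-}"`, and passing it as one word at the call site, `-tags "$tags" \`, removes the need for word splitting. With BUILDTAGS unset the list ends in a comma and gains an empty element once the CoreOS tag is appended; the Go tool appears to ignore empty elements, but a comment such as `# BUILDTAGS is set by the RPM build environment; may be empty` would record that this is intended.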
30da50
@@ -69,11 +69,17 @@ fi
30da50
 
30da50
 dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
30da50
 
e405ae
+unset LDFLAGS
30da50
+
30da50
 # shellcheck disable=SC2086
30da50
 go build \
30da50
+        -buildmode pie \
30da50
+        -compiler gc \
30da50
         $tags \
30da50
-        -trimpath \
30da50
-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
30da50
+        -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -extldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
30da50
+        -a \
30da50
+        -v \
30da50
+        -x \
30da50
         -o "$2/toolbox"
30da50
 
e405ae
 exit "$?"
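Review bot: `${LDFLAGS:-}` at the start of the `-ldflags` string always expands to nothing, because `unset LDFLAGS` runs a few lines above it; it looks carried over from the expanded `%{gobuild}` text and reads as if the caller's linker flags were still honoured. Starting the string with `-compressdwarf=false` and putting a comment on the unset, e.g. `# %{meson} exports LDFLAGS in a form the Go toolchain does not accept`, would make the intent explicit. The link step now also depends on `-specs=/usr/lib/rpm/redhat/redhat-hardened-ld` existing on the build host, and `-trimpath` is dropped while `-B` takes a fresh random value on every run, so the output presumably embeds build paths and is no longer reproducible. A short comment marking these as deliberate RHEL packaging choices would help whoever next syncs the flags with `rpm --eval "%{gobuild}"`.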
e405ae
-- 
e405ae
2.31.1
e405ae