Unverified Commit ce37d840 authored by Luna Nova

go: revert default PIE changes

Reverts default PIE patch for go.
Does not reintroduce usages of removed "pie" hardening flag.

I've made a right mess 😿; we have to back go default PIE out late.

Building with -race was just reported broken and there isn't time to investigate; fixing it requires a mass rebuild.

People are using nixpkgs' go outside of nix derivations to produce
executables to copy into containers. buildGoModule currently sets
buildmode=exe when CGO_ENABLED=0 but this does nothing to maintain the
existing interface for external users.

We are fortunate that backing out the go PIE change in this manner
does not reintroduce breakage of pkgsMusl.rclone etc
that previously occurred when buildmode=pie *wasn't* set.
The gcc `--enable-default-pie` approach turns out to not cause problems
when mixed with a non-PIE go externally linked build. Historical issues
were due to our linker wrapper being less smart about enabling PIE.

Default PIE for go should be revisited post branch off.

Fixes: #456953
Fixes: #461539
parent 38ab204b
+0 −3
@@ -253,9 +253,6 @@ lib.extendMkDerivation {
            if [ -f "$NIX_CC_FOR_TARGET/nix-support/dynamic-linker" ]; then
              export GO_LDSO=$(cat $NIX_CC_FOR_TARGET/nix-support/dynamic-linker)
            fi
            if [ "$CGO_ENABLED" = "0" ]; then
              export GOFLAGS="-buildmode=exe $GOFLAGS"
            fi
            cd "$modRoot"
          ''
          + lib.optionalString (finalAttrs.vendorHash != null) ''
+0 −29
@@ -21,30 +21,6 @@ let
  targetCC = pkgsBuildTarget.targetPackages.stdenv.cc;

  isCross = stdenv.buildPlatform != stdenv.targetPlatform;

  # In order for buildmode=pie to work either Go's internal linker must know how
  # to produce position-independent executables or Go must be using an external linker.
  #
  # go-default-pie.patch tries to enable position-independent codegen (PIE) only when the platform
  # reports support (via BuildModeSupported(..., "pie", ...)).
  #
  # That probe is not fully reliable: for example, `pkgsi686Linux.go` can fail during bootstrap
  # with message 'default PIE binary requires external (cgo) linking, but cgo is not enabled'
  # despite CGO being enabled. (we set `CGO_ENABLED=1`).
  #
  # To avoid such breakage, limit this patch to a small set of explicitly tested platforms
  # rather than relying on the general BuildModeSupported("pie") check.
  supportsDefaultPie =
    let
      hasPie = {
        "amd64" = true;
        "arm64" = true;
        "ppc64le" = true;
        "riscv64" = true;
      };
    in
    hasPie.${stdenv.hostPlatform.go.GOARCH} or false
    && hasPie.${stdenv.targetPlatform.go.GOARCH} or false;
in
stdenv.mkDerivation (finalAttrs: {
  pname = "go";
@@ -86,11 +62,6 @@ stdenv.mkDerivation (finalAttrs: {
    ./remove-tools-1.11.patch
    ./go_no_vendor_checks-1.23.patch
    ./go-env-go_ldso.patch
  ]
  ++ lib.optionals supportsDefaultPie [
    (replaceVars ./go-default-pie.patch {
      inherit (stdenv.targetPlatform.go) GOARCH;
    })
  ];

  inherit (stdenv.targetPlatform.go) GOOS GOARCH GOARM;
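Review bot: With `supportsDefaultPie` and the conditional `go-default-pie.patch` entry gone, nothing left in the derivation records that Go binaries for platforms where upstream Go does not already default to PIE are back to non-PIE output, or that this is a deliberate, temporary revert — the only trace is the commit message. Suggest a short comment beside the remaining `patches` list, e.g. `# go-default-pie.patch was reverted late in the cycle; executables are non-PIE unless -buildmode=pie is passed. Revisit after branch-off.` Because the description says the `pie` hardening flag was also removed, downstream packages that relied on a position-independent executable image now have no automatic route and must pass `-buildmode=pie` themselves, so the comment (or the release notes) should make that loss of hardening visible. The same point applies to the second go derivation below (hunks `@@ -22,30 +22,6 @@` and `@@ -87,11 +63,6 @@`).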
+0 −29
@@ -22,30 +22,6 @@ let
  targetCC = pkgsBuildTarget.targetPackages.stdenv.cc;

  isCross = stdenv.buildPlatform != stdenv.targetPlatform;

  # go-default-pie.patch tries to enable position-independent codegen (PIE) only when the platform
  # reports support (via BuildModeSupported(..., "pie", ...)).
  #
  # In order for buildmode=pie to work either Go's internal linker must know how
  # to produce position-independent executables or Go must be using an external linker.
  #
  # That probe is not fully reliable: for example, `pkgsi686Linux.go` can fail during bootstrap
  # with message 'default PIE binary requires external (cgo) linking, but cgo is not enabled'
  # despite CGO being enabled. (we set `CGO_ENABLED=1`).
  #
  # To avoid such breakage, limit this patch to a small set of explicitly tested platforms
  # rather than relying on the general BuildModeSupported("pie") check.
  supportsDefaultPie =
    let
      hasPie = {
        "amd64" = true;
        "arm64" = true;
        "ppc64le" = true;
        "riscv64" = true;
      };
    in
    hasPie.${stdenv.hostPlatform.go.GOARCH} or false
    && hasPie.${stdenv.targetPlatform.go.GOARCH} or false;
in
stdenv.mkDerivation (finalAttrs: {
  pname = "go";
@@ -87,11 +63,6 @@ stdenv.mkDerivation (finalAttrs: {
    ./remove-tools-1.11.patch
    ./go_no_vendor_checks-1.23.patch
    ./go-env-go_ldso.patch
  ]
  ++ lib.optionals supportsDefaultPie [
    (replaceVars ./go-default-pie.patch {
      inherit (stdenv.targetPlatform.go) GOARCH;
    })
  ];

  inherit (stdenv.targetPlatform.go) GOOS GOARCH GOARM;
+0 −13
diff --git a/src/internal/platform/supported.go b/src/internal/platform/supported.go
index f9706a6988..abac42d550 100644
--- a/src/internal/platform/supported.go
+++ b/src/internal/platform/supported.go
@@ -249,7 +253,7 @@ func DefaultPIE(goos, goarch string, isRace bool) bool {
 	case "darwin":
 		return true
 	}
-	return false
+	return goarch == "@GOARCH@" && BuildModeSupported("gc", "pie", goos, goarch)
 }
 
 // ExecutableHasDWARF reports whether the linked executable includes DWARF