From 89129bd096c8bfac4ff84fc19726898cc901c1fc Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Mon, 29 Jun 2020 17:57:47 +0200
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuild}

The Go toolchain doesn't play well with passing compiler and linker
flags via environment variables. The linker flags require a second
level of quoting, which leaves the build system without a quote level
to assign the flags to an environment variable like GOFLAGS.

This is one reason why RHEL doesn't have a RPM macro with only the
flags. The %{gobuild} RPM macro includes the entire 'go build ...'
invocation.

The Go toolchain also doesn't like the LDFLAGS environment variable as
exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
like the compressed DWARF data generated by the Go toolchain.

Note that these flags are meant for every CPU architecture other than
PPC64, and should be kept updated to match RHEL's Go guidelines. Use
'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
---
 src/go-build-wrapper | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/go-build-wrapper b/src/go-build-wrapper
index ef4aafc8b024..e82e42ca8151 100755
--- a/src/go-build-wrapper
+++ b/src/go-build-wrapper
@@ -32,9 +32,9 @@ if ! cd "$1"; then
     exit 1
 fi
 
-tags=""
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
 if $6; then
-    tags="-tags migration_path_for_coreos_toolbox"
+    tags="$tags,migration_path_for_coreos_toolbox"
 fi
 
 if ! libc_dir=$("$4" --print-file-name=libc.so); then
@@ -69,11 +69,17 @@ fi
 
 dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
 
+unset LDFLAGS
+
 # shellcheck disable=SC2086
 go build \
+        -buildmode pie \
+        -compiler gc \
         $tags \
-        -trimpath \
-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+        -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -extldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+        -a \
+        -v \
+        -x \
         -o "$2/toolbox"
 
 exit "$?"
-- 
2.31.1