cmd/dist: build cmd with CGO_ENABLED=0, so cmd/go uses pure Go net resolver #57007
Comments
rsc
changed the title
|
Would this cause (But it also might provide a reasonable workaround for folks who want a |
bcmills
added
the
NeedsInvestigation
Yes, and agreed. |
|
With a little more work this lets us build completely reproducible distributions, where it doesn't matter which OS the distribution was built on at all. In particular they could all be built on a single trusted system. CL 454836 does this. |
|
Change https://go.dev/cl/454836 mentions this issue: |
I don't think that
Some users might have problem because of Recently the |
|
In what circumstances would nsswitch.conf be needed to resolve public internet names like github.com or proxy.golang.org? |
Glibc uses nsswitch.conf to resolve all names. Recently linux distros (desktop) started adopting Edit: but on non-glibc systems (without nsswitch.conf support in libc) the go resolver will be fine, so for alpine and other musl based distros. |
|
I guess we will find out - there are enough upsides to this change, including cross-compiled reproducible builds, that I think we owe it to ourselves to try it in Go 1.21 and find out whether there are any show-stoppers. |
|
#57328 is an interesting data point here too. There, a user is reporting that building a cgo-enabled dynamically-linked binary on an Ubuntu with a newer glibc causes that binary to fail to run on a system with an older glibc. That seems to imply that if we build a cgo-enabled Building the release with |
|
failures due to glibc versions were also seen a long time ago in #5203 |
|
Change https://go.dev/cl/461689 mentions this issue: |
…side Tests must not write to GOROOT: it might not writable (for example, if it is owned by root and the user is non-root), and in general we can't assume that the configuration in which the test is run matches the configuration with which the installed tools were built. In this specific case, CL 454836 (for #57007) installs 'cmd' with CGO_ENABLED=0, but most builders still run the tests with CGO_ENABLED unset. Updates #57007. Change-Id: I2795fcd3ff61c164dc730b62f697f307ab3a167b Reviewed-on: https://go-review.googlesource.com/c/go/+/461689 Reviewed-by: Cherry Mui <cherryyz@google.com> Run-TryBot: Bryan Mills <bcmills@google.com> Auto-Submit: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
|
Change https://go.dev/cl/463739 mentions this issue: |
Certain ios and android configurations do not yet support internal linking. On ios, attempting to build without cgo causes tests to fail on essentially every run (#57961). On android, it produces a lot of warning spam from the linker, obscuring real problems. Since external linking makes the result of `go install` depend on the installed C toolchain either way, the reproducibility benefit of disabling cgo seems minimal on these platforms anyway. Fixes #57961. For #24904. Updates #57007. Change-Id: Ied2454804e958dd670467db3d5e9ab50a40bb899 Reviewed-on: https://go-review.googlesource.com/c/go/+/463739 Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Bryan Mills <bcmills@google.com> Auto-Submit: Bryan Mills <bcmills@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Bypass: Bryan Mills <bcmills@google.com>
Certain ios and android configurations do not yet support internal linking. On ios, attempting to build without cgo causes tests to fail on essentially every run (golang#57961). On android, it produces a lot of warning spam from the linker, obscuring real problems. Since external linking makes the result of `go install` depend on the installed C toolchain either way, the reproducibility benefit of disabling cgo seems minimal on these platforms anyway. Fixes golang#57961. For golang#24904. Updates golang#57007. Change-Id: Ied2454804e958dd670467db3d5e9ab50a40bb899 Reviewed-on: https://go-review.googlesource.com/c/go/+/463739 Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Bryan Mills <bcmills@google.com> Auto-Submit: Bryan Mills <bcmills@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Bypass: Bryan Mills <bcmills@google.com>
dmitshur
added
NeedsFix
We had to switch to a Go toolchain from nixpkgs, since prebuilt Go toolchain versions were not usable on NixOS. Since Go 1.21, the prebuilt Go toolchain is statically linked and works out of the box. Reference: golang/go#57007
We had to switch to a Go toolchain from nixpkgs, since prebuilt Go toolchain versions were not usable on NixOS. Since Go 1.21, the prebuilt Go toolchain is statically linked and works out of the box. Reference: golang/go#57007
Now that we've removed the .a files from the distribution, the only possible leakage of the host build environment into Go Linux releases is the dynamic libc.so.6 path embedded in the command binaries that use the network (only bin/go and pkg/tool/goos_goarch/pprof, I believe).
I wonder whether we should build cmd with CGO_ENABLED=0 so that we end up with purely static cmd/go and cmd/pprof binaries. This would apply to all systems, but since we are planning to cross-compile non-Linux distributions and Mac and Windows don't use cgo anyway for net, the only effect would be on Linux.
We default to the cgo-based net so that people with strange /etc/resolv.conf can still resolve the names they need to resolve. But perhaps that is more for local names like mDNS and such rather than the standard internet names that cmd/go needs.
Does anyone see anything that would break if we made the go command always use the pure Go net resolver?
The text was updated successfully, but these errors were encountered: