From fb5dedbb02d0059aee485222fbf1712befeab483 Mon Sep 17 00:00:00 2001
From: Caleb Maclennan
Date: Wed, 7 Aug 2019 13:24:23 +0000
Subject: [PATCH 1/2] Export env variable needed to ensure statically-linked compilation in go-pie, fixes #239
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 4c44be0ab..94e6f754f 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ IGNORED_PACKAGES := /vendor/ /internal/httputil/
 # GitLab Pages is statically compiled without CGO to help it in chroot mode
 export CGO_ENABLED := 0
+export GO_EXTLINK_ENABLED := 0
 include Makefile.build.mk
 include Makefile.util.mk
-- GitLab

From 21ba82a88cc69ab0db2ad6460a0aa104f3642d9f Mon Sep 17 00:00:00 2001
From: Nick Thomas
Date: Fri, 16 Aug 2019 17:29:19 +0100
Subject: [PATCH 2/2] Explicitly use --buildmode=exe in the Makefile

Pages has a built-in chroot mechanism which relies on the Pages binary being a proper statically-compiled binary with no need for a linker to run. For most go packages, this is the default when `CGO_ENABLED=0` is chosen. However, Arch Linux has a `go-pie` distribution of Go that changes the default build mode so they produce position-independent executables by default. These are still statically compiled, but operate by compiling the Go application code into a relocatable library, and statically compiling that library with a stub executable that jumps into the relocated code. On Linux, this produces a "type DYN" ELF instead of a "type EXEC" ELF, and requires a linker to be invoked. This is incompatible with the chroot mode, and - since Go is a managed language, and since we disable cgo in Pages - doesn't increase security as far as I can tell. Fixing Pages to work with `-buildmode=pie` seems too difficult as long as we include chroot support, so explicitly specify `-buildmode=exe` to produce a working binary when compiling under go-pie instead.
---
 Makefile | 1 -
 Makefile.build.mk | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 94e6f754f..4c44be0ab 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,6 @@ IGNORED_PACKAGES := /vendor/ /internal/httputil/
 # GitLab Pages is statically compiled without CGO to help it in chroot mode
 export CGO_ENABLED := 0
-export GO_EXTLINK_ENABLED := 0
 include Makefile.build.mk
 include Makefile.util.mk
diff --git a/Makefile.build.mk b/Makefile.build.mk
index f04e343c9..644dfbbb4 100644
--- a/Makefile.build.mk
+++ b/Makefile.build.mk
@@ -9,7 +9,7 @@ setup: clean .GOPATH/.ok
 go get github.com/fzipp/gocyclo
 build: .GOPATH/.ok
- $Q go install $(if $V,-v) $(VERSION_FLAGS) $(IMPORT_PATH)
+ $Q go install $(if $V,-v) $(VERSION_FLAGS) --buildmode exe $(IMPORT_PATH)
 clean:
 $Q rm -rf bin .GOPATH gitlab-pages
-- GitLab
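Review bot: The `--buildmode exe` flag added to the `build` recipe in Makefile.build.mk pins a non-PIE executable with no comment at the point of use, so the rationale lives only in the commit description. Forcing `exe` means the main image is not relocated by ASLR, and Go's memory safety does not extend to `unsafe`, assembly or runtime bugs, so this reads as a hardening trade-off accepted for chroot compatibility rather than a neutral change. I would record that above the recipe, e.g. `# Non-PIE on purpose: chroot mode needs a binary that runs without a dynamic linker; this gives up ASLR for the main image, revisit if chroot support is removed`, and spell the flag `-buildmode=exe` as the description does. Nothing in the visible rule verifies the outcome, so a post-build check that the installed binary is statically linked would catch a toolchain that changes its defaults again.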