[chore] build compatible distributions as PIE #726
Conversation
jackgopack4
force-pushed
the
add-buildmode-pie
branch
from
c1fb390
to
9416237
Compare
There was a problem hiding this comment.
This PR has changes from #708. I'd prefer not to mix the concepts. I don't care which one merges first but if you want it do be this one then we need to remove the changes that allow updating the k8s and otlp distros with internal library
|
my bad, I think I branched this one off of that one; I will make sure to remove those changes from here |
|
ok I've completely separated the two. I don't mind which one merges first, whichever one I'll be able to rebase/merge the remaining branch |
* build ocb as position-independent executable * add -buildmode=pie flags for go binary builds * add generation for otlp and k8s goreleaser * remove faulty buildmode pie logic * remove buildmode==pie in favor of #726 * add constants for distro names --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Tyler Helmuth <[email protected]>
|
marked as draft until I can resolve merge conflicts after #708 merge |
|
@jackgopack4 this is ready to pick up again since #708 is merged |
|
Thanks, yes I hadn't gotten a chance but I'll take another crack at it this week |
…ow testing" This reverts commit 3288ffe.
jackgopack4
force-pushed
the
add-buildmode-pie
branch
from
294cd9a
to
7621c77
Compare
…ow testing" This reverts commit 30f3152.
|
PR is ready for review, the release artifacts in my fork match exactly the release artifacts in the open-telemetry repo. |
Currently, the collector distributions and OCB are not built as position-independent executables.
According to the OTel Collector Security Audit, this could cause potential vulnerabilities: #618
This PR updates the goreleaser template and the corresponding YAML files to run two separate builds for each distribution that come together for one release each; if the platform and architecture support Internal Linking in Golang, they are built with flag
-buildmode=pie. If not, they are built the same way as before.You can see the sample releases in my forked repository:
https://github.com/jackgopack4/opentelemetry-collector-releases/releases/tag/v0.114.0
https://github.com/jackgopack4/opentelemetry-collector-releases/releases/tag/cmd%2Fbuilder%2Fv0.114.0
https://hub.docker.com/r/johnpeterson785/opentelemetry-collector/tags
https://hub.docker.com/r/johnpeterson785/opentelemetry-collector-contrib/tags
https://hub.docker.com/r/johnpeterson785/opentelemetry-collector-otlp/tags
https://hub.docker.com/r/johnpeterson785/opentelemetry-collector-k8s/tags
I took the approach of generating an "ignore" list for PIE vs not-PIE and otherwise leaving everything else the same.