gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Binaries do not run on elder GNU/Linux systems (GLIBC_2.32 required) #456

Closed bernhardreiter closed 1 year ago

bernhardreiter commented 1 year ago

On a Debian Bullseye system:

```
csaf_distribution-v2.2.0-gnulinux-amd64 ./bin-linux-amd64/csaf_downloader
./bin-linux-amd64/csaf_downloader: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./bin-linux-amd64/csaf_downloader)
./bin-linux-amd64/csaf_downloader: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./bin-linux-amd64/csaf_downloader)
```

s-l-teichmann commented 1 year ago

The standard trick would be to compile the binaries with CGO_ENABLED=0. This will replace the stuff like DNS resolving with the Go-own version independent of the libc. I'm not sure if we really want this.

bernhardreiter commented 1 year ago

> The standard trick would be to compile the binaries with CGO_ENABLED=0. This will replace the stuff like DNS resolving with the Go-own version independent of the libc.

The documentation for net says the Go DNS resolver is used already in a number of cases, even with CGO enabled.

> I'm not sure if we really want this.

For net and DNS it would be suboptimal but acceptable. I found no easy way to find out which other Go packages would change their behaviour. I've read about https://pkg.go.dev/os/user, but I'm not sure we are using it.

The alternatives would be to either:

I think I prefer to try a different build image first, so we can keep the usage of native functions on GNU/Linux. (For Windows, as we are cross-compiling I think that we are probably using the pure Go things, is a potential improvement as well.)

s-l-teichmann commented 1 year ago

I opt for the older build image.

bernhardreiter commented 1 year ago

On our 2.2.0 release, we had ubuntu-latest which was Ubuntu 22.04.2 LTS according to the log: https://github.com/csaf-poc/csaf_distribution/actions/runs/5552520622/job/15040428086

So our option is ubuntu-20.04 according to the supported runners. And this potentially goes away in Q2 2024.

bernhardreiter commented 1 year ago

An alternative solution to use an elder GNU/Linux distribution for building would be to use a docker command within the runner (at least this is how I understand the recommendation made in the answer here: https://github.com/actions/runner-images#user-content-faqs).
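A release-time check for the failure reported in this issue, as an added example that is not part of the thread or the project's code: it reads the glibc symbol versions a built ELF binary imports and fails if any is newer than a baseline. The function names and the hard-coded baseline 2.31 (the glibc shipped with Debian Bullseye) are assumptions made for the example.

```go
package main
import (
	"debug/elf"
	"fmt"
	"os"
)

// glibcVer parses "GLIBC_2.32" into (2, 32); a third component is ignored.
func glibcVer(tag string) (maj, mnr int, ok bool) {
	n, _ := fmt.Sscanf(tag, "GLIBC_%d.%d", &maj, &mnr)
	return maj, mnr, n == 2
}

// TooNew returns the distinct version tags that need a glibc newer than bMaj.bMnr.
func TooNew(tags []string, bMaj, bMnr int) []string {
	seen, out := map[string]bool{}, []string{}
	for _, t := range tags {
		maj, mnr, ok := glibcVer(t)
		if ok && !seen[t] && (maj > bMaj || (maj == bMaj && mnr > bMnr)) {
			seen[t], out = true, append(out, t)
		}
	}
	return out
}

// Check lists the glibc tags imported by the ELF file at path that exceed the baseline.
func Check(path string, bMaj, bMnr int) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.ImportedSymbols()
	if err != nil && err != elf.ErrNoSymbols { // ErrNoSymbols: static build, nothing required
		return nil, err
	}
	var tags []string
	for _, s := range syms {
		tags = append(tags, s.Version)
	}
	return TooNew(tags, bMaj, bMnr), nil
}

func main() { // Assumed baseline 2.31: the glibc of Debian Bullseye, the system in the report.
	for _, path := range os.Args[1:] {
		if bad, err := Check(path, 2, 31); err != nil || len(bad) > 0 {
			fmt.Fprintln(os.Stderr, path, "fails glibc check:", bad, err)
			os.Exit(1)
		}
	}
}
```

Run against the release binaries in the build job, it catches a too-new build image before users do, and a binary built with CGO_ENABLED=0 passes because it imports no glibc symbols.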