kr / hk

Fast Heroku client
https://hk.heroku.com/
77 stars 6 forks source link

Compiling for darwin w/ CGO_ENABLED=0 on OS X doesn't produce the same result as compiling on Linux #86

Open bgentry opened 11 years ago

bgentry commented 11 years ago

I was helping @ddollar test his gobuild app yesterday. It does cross-compiled builds from a Heroku dyno for any platform.

So I fetched the hk binary from it and tried it out:

$ wget -O hk-gobuild http://gobuild-dev.herokuapp.com/kr/hk/master/darwin/amd64 && chmod +x hk-gobuild

...

$ ./hk-gobuild apps
Get https://api.heroku.com/apps: x509: failed to load system roots and no roots provided

This is a known issue for binaries cross-compiled to darwin.

All of the other builds so far have been done from my OS X machine, so they are fine. But I don't really understand why. I thought that running the builds with CGO_ENABLED=0 would give us the same result on any system we built from. Clearly that's not true, either because we're using it wrong, or because it doesn't do what I thought it did.

kr commented 11 years ago

That known issue is unlikely to be fixed, ever.

For your local Darwin builds, did you also build package crypto/x509 (so, the entire stdlib) with cgo disabled?

$ CGO_ENABLED=0 ./make.bash
bgentry commented 11 years ago

Yeah, I understand that it's not something that can really be fixed. And no, I used golang-crosscompile, which doesn't explicitly disable cgo if it's supported. So that's why it's working for me.

How do you think we should deal with this? @ddollar did a hack to embed his CA's cert in dist, but that feels ugly & brittle to me.

We could say that for the foreseeable future, all builds will be happening from OSX. That would probably get us by for a bit, and let us push the problem off until we really need to deal with it.

ddollar commented 11 years ago

I think you should use the same method that dist is using, but instead include the full compliment of trusted root certs that something like Firefox or Chrome uses. A hardcoded system root certificate store isn't brittle, it's the norm.

ddollar commented 11 years ago

If you compile everything on OSX will you have the same problem on the Windows and Linux cross compiled builds?

bgentry commented 11 years ago

If you compile everything on OSX will you have the same problem on the Windows and Linux cross compiled builds?

@ddollar golang-crosscompile builds a cross compiling environment for all platforms, but it only disables cgo during those builds for non-native platforms. So since I built my cross-compilation environment using that script on OSX, my OSX target builds actually do include cgo dependencies.

I guess one thing to fix here is that setting CGO_ENABLED=0 doesn't actually have a purpose when building from the environment I have.

ddollar commented 11 years ago

What I mean is will your builds for Linux compiled on OSX also be missing their root certificates?

kr commented 11 years ago

If you compile everything on OSX will you have the same problem on the Windows and Linux cross compiled builds?

I think that Windows and Linux don't use cgo for looking up root certs.

https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/root_unix.go https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/root_windows.go

But there may be other packages, unrelated to x509 certs, that do require cgo on those platforms.