Correctly determine if package has been built with golang

Golang packages may be built statically-linked (for instance, if the package does not use any system libraries) and currently the statically-linked-binary check generates lots of false positives due to not detecting statically-linked golang packages correctly.

Currently the statically-linked-binary check has two checks:

  1. The binary package name begins with "golang-", which is not enough for packages which ship a golang binary (e.g. debos & fakemachine).
  2. Check the Build-Depends-All field for a golang compiler, which isn't available in binary packages.

Add some additional sanity checks to really tell if binary packages are built with a golang compiler:

  1. Check the package Section field for golang.
  2. Check the binary package was built with a golang compiler by checking the Built-Using and Static-Built-Using fields.
  3. Check the source package name (i.e. the name of the source package which the binary was built from) starts with "golang-".
Edited by Christopher Obbard
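
The three additional checks listed in the description, applied to a binary package control stanza. This is an added example, not code from the merge request or from lintian; the function names are hypothetical, the sample stanza is constructed, and it assumes the Go compiler is recorded under a source name of the form `golang-<version>`.

```python
import re

# Assumption: Go compiler source packages appear as "golang-<version>", e.g. golang-1.21.
GO_COMPILER = re.compile(r"^golang-\d+(\.\d+)*$")

def parse_stanza(text):
    """Parse one deb822 control stanza into a dict, folding continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            key = key.strip().lower()
            fields[key] = value.strip()
    return fields

def relation_names(value):
    """Return the package names in a comma-separated relationship field."""
    names = []
    for item in value.split(","):
        item = item.strip()
        if item:
            names.append(re.split(r"[\s(]", item, maxsplit=1)[0])
    return names

def golang_evidence(fields):
    """Return the list of reasons the binary package looks Go-built."""
    reasons = []
    # 1. Section, which may carry an archive area prefix such as "contrib/".
    if fields.get("section", "").split("/")[-1] == "golang":
        reasons.append("section")
    # 2. Compiler recorded in Built-Using or Static-Built-Using.
    for name in ("built-using", "static-built-using"):
        if any(GO_COMPILER.match(n) for n in relation_names(fields.get(name, ""))):
            reasons.append(name)
    # 3. Source name; Source may carry "(version)" and defaults to Package.
    source = fields.get("source") or fields.get("package", "")
    if source.split("(")[0].strip().startswith("golang-"):
        reasons.append("source-name")
    return reasons

# Constructed sample stanza (not taken from a real package).
SAMPLE = """Package: exampletool
Source: golang-example-tool (1.0-1)
Section: admin
Built-Using: golang-1.21 (= 1.21.5-1),
 golang-github-example-lib (= 0.3-2)
"""
```

An empty result means none of the three signals is present, so the statically-linked-binary tag would still apply to that package.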