Build better Go release binaries

Day 1 | 13:00 | 00:30 | UD2.120 (Chavanne) | Dimitri John Ledkov



go build . is a very common way to build and release binaries for Go projects, but there are many settings one can pass to go to build better release binaries. This talk will give an overview of compile-time optimizations, give guidance on re-releasing, apply CGO hardening as recommended by OpenSSF, upgrade dependencies, ensure binaries can be scanned for vulnerabilities, ensure the codebase is compatible with popular Go forks for FIPS compliance, and make releases easier to reproduce.
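As an added illustration (not from the talk), a release build script that applies the settings the abstract lists: OpenSSF hardening flags for cgo code, stripped and reproducible linker settings, and post-build checks that the embedded build info a vulnerability scanner reads survived. It assumes a Go module in the current directory with a main.version string variable, a gcc or clang toolchain for cgo, and govulncheck on PATH.

```shell
#!/bin/sh
# Added example, not the talk's code. Assumes: a Go module in the current
# directory, a `main.version` string variable, gcc/clang for cgo, govulncheck.
set -eu

# C/C++ flags from the OpenSSF Compiler Options Hardening Guide applied to any
# cgo code compiled into the binary (add -fcf-protection=full on x86_64).
cgo_hardening_cflags() {
  printf '%s' '-O2 -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fstack-clash-protection -fPIE -Wall -Wformat=2'
}
cgo_hardening_ldflags() {
  printf '%s' '-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack'
}

# Linker flags for a release binary: strip symbol table and DWARF (-s -w),
# clear the build id so builds do not differ by cache state, stamp the version.
release_ldflags() {
  printf '%s' "-s -w -buildid= -X main.version=$1"
}

# -trimpath keeps local filesystem paths out of the binary; -buildmode=pie
# makes the hardened cgo objects part of a position-independent executable.
build_release() {
  version="$1"; out="$2"
  CGO_ENABLED=1 \
  CGO_CFLAGS="$(cgo_hardening_cflags)" CGO_LDFLAGS="$(cgo_hardening_ldflags)" \
  go build -trimpath -buildmode=pie -ldflags "$(release_ldflags "$version")" -o "$out" .
}

# Pre-ship checks: build info (what govulncheck -mode=binary and SBOM tools
# read) is still present after stripping, -trimpath was recorded, and a second
# build is byte-identical, i.e. the release is reproducible.
verify_release() {
  out="$1"; version="$2"
  go version -m "$out" | grep -q -- '-trimpath=true' || { echo 'missing -trimpath'; return 1; }
  go version -m "$out" | grep -q '^[[:space:]]*mod[[:space:]]' || { echo 'no module info'; return 1; }
  build_release "$version" "$out.rebuild"
  cmp -s "$out" "$out.rebuild" || { echo 'build is not reproducible'; return 1; }
  rm -f "$out.rebuild"
  govulncheck -mode=binary "$out"
}

# Usage: ./release.sh v1.2.3 ./dist/app
if [ $# -ge 1 ]; then
  build_release "$1" "${2:-./app}"
  verify_release "${2:-./app}" "$1"
fi
```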

Relevant projects:
- https://pkg.go.dev/cmd/go#hdr-Compile_packages_and_dependencies
- https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
- https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
- https://github.com/chainguard-dev/gobump
- https://github.com/chainguard-dev/melange/blob/main/pkg/build/pipelines/go/build.yaml
- https://github.com/wolfi-dev/os