Go: cmd/cgo: go 1.9.4 cgo issue: invalid flag in #cgo LDFLAGS

Is this a public repository? Can you give more details of the cgo usage? What does the cgo directive actually say?

I have the same issue with Go 1.9.4 in my test
go build github.com/andlabs/ui: invalid flag in #cgo LDFLAGS: /home2/igorm/.mvnGoLang/.go_path/src/github.com/andlabs/ui/libui_linux_amd64.a

@raydac andlabs/ui must be updated to cope with the new Go release. I've opened a bug (andlabs/ui#268).

@susugagalala we need to see the #cgo LDFLAGS line that is rejected by the compiler.

same happened to me while trying to build miekg/pkcs11
go build github.com/miekg/pkcs11: invalid flag in #cgo LDFLAGS: -Wl,--no-as-needed

It was working fine yesterday. Reverting to go 1.9.3 solved it

@ruiadrmartins - https://github.com/miekg/pkcs11/issues/63

workaround for github.com/miekg/pkcs11 on Linux - CGO_LDFLAGS_ALLOW='-Wl,--no-as-needed' go install (same for go test)

I have the same issue with CFLAGS in Go version 1.9.4. It was working fine in version 1.9.3.

~ go get github.com/pebbe/tokenize
go build github.com/pebbe/tokenize: invalid flag in #cgo CFLAGS: -finput-charset=UTF-8

 ~ go version
go version go1.9.4 linux/amd64

~ go env
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/peter/go"
GORACE=""
GOROOT="/my/opt/go"
GOTOOLDIR="/my/opt/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build312239203=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

The problem has to do with this: https://github.com/golang/go/issues/23672
It affects Go versions 1.8.7, 1.9.4 and 1.10rc2
Reverting to the previous version is what I'm doing now. Waiting for a better solution.

Is allowing linking to files in ${SRCDIR} out of the question? Package ui needs to link to a .res file on Windows as well (because resources + static libraries are weird; I should probably just remove the resources entirely, but that'll be a big change).

Is the pkcs11 flag (-Wl,--no-as-needed) also out of the question?

Honestly, I'd argue that packages that break with the security fix should first see if their flag can safely be whitelisted before taking action, because gcc and clang have so many disparate linker flags that package authors must assume that all of them affect compilation in a significant way. (This is a problem I have with many C build tools that try to hide those details from the programmer; I want to know exactly what my build is doing and what edge cases I would otherwise miss because of them.)

@dgryski @rasky That was just an example. It's not an actual repository. I have too many cgo calls in my projects, all resulting in the same error messages, so I did not provide the actual code... just a sample example...
Apparently, from go 1.9.4, one cannot pass arbitrary "flags" to the linker via LDFLAGS, etc. I'm surprised, however, arbitrary "flags" can still be passed to the compiler via CFLAGS, etc.
After reading through https://golang.org/cmd/cgo/, I realised from 1.9.4, only a limited set of flags are allowed and proper regular expressions must be used. I've modified all my projects and they all now build successfully.

Why is this issue closed? It's not solved.

There is a patch for Go proposed - https://github.com/golang/go/issues/23743

@susugagalala again, I suggest asking if the flags that caused your projects issues could be whitelisted. Can you tell us what they are?

(I'm genuinely concerned that people are treating these breakages as issues with Go itself, or even with the packages themselves, rather than seeing the security issue that caused it. I'm even more concerned that the solution is to just discard compiler flags with reckless abandon; compiler flags are always there for a reason, and we should exhaust all avenues before making a change to them.)

I've created an issue to collect all options that should be added to the whitelists: #23749. Please add comments there as needed; I believe that all the options mentioned in this issue are already there.

same problem happened when I try to build go-sciter, it works fine on Go1.9.3.

@StevenZack please go to #23749 to report that issue then; that's where all these are being collected.