Is your feature request related to a problem? Please describe.
Yes. The final bootstrap compiler binary currently remains on the build host or in CI artifacts after the build completes. While not a practical remote exploit vector, keeping a prebuilt compiler increases supply-chain risk and potential exposure — especially if someone rebuilds the SRPM locally.
Describe the solution you'd like
Remove the final bootstrap compiler binary immediately after the ./make.bash --no-clean step and before packaging, ensuring it isn’t persisted in CI caches or build artifacts.
Describe alternatives you've considered
- Restricting access to the bootstrap on the build host.
- Adding signing/attestation for the bootstrap binary.
Both are heavier approaches; simple removal is the most effective and low-impact.
Additional context
This is a proactive security and supply-chain hardening measure, not a response to an active exploit. The current behavior (bootstrap left on disk/artifacts) is observed for these Azure Linux package variants / branches:
- 3.0 golang-1.23
- 3.0 golang-1.24
- 3.0 golang
- 2.0 golang-1.18
- 2.0 golang
- 2.0 msft-golang
Removing the final bootstrapper from these build flows (and any CI caches) will reduce residual attack surface for downstream rebuilds or exposed CI artifacts.
Is your feature request related to a problem? Please describe.
Yes. The final bootstrap compiler binary currently remains on the build host or in CI artifacts after the build completes. While not a practical remote exploit vector, keeping a prebuilt compiler increases supply-chain risk and potential exposure — especially if someone rebuilds the SRPM locally.
Describe the solution you'd like
Remove the final bootstrap compiler binary immediately after the ./make.bash --no-clean step and before packaging, ensuring it isn’t persisted in CI caches or build artifacts.
Describe alternatives you've considered
Both are heavier approaches; simple removal is the most effective and low-impact.
Additional context
This is a proactive security and supply-chain hardening measure, not a response to an active exploit. The current behavior (bootstrap left on disk/artifacts) is observed for these Azure Linux package variants / branches:
Removing the final bootstrapper from these build flows (and any CI caches) will reduce residual attack surface for downstream rebuilds or exposed CI artifacts.