Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Hi
sudo maintainer here.
On Tue, Sep 02, 2025 at 02:48:14PM +0200, Christoph Berg wrote:
> did you discuss this with the sudo maintainer?
They did. I said no.
The Geode is an i586 machine that doesn't support the full i686
instruction set. As far as I know, we stopped supporting i586 literally
decades ago.
The OP is suggesting to disable a security feature for i386 so that sudo
(and other software that uses -fcf-protection) can run on their CPU that
was never officially supported in bookworm. They're claiming that this
option is a no-op on i386 anyway, but why is it enabled in our toolchain
then? Should this issue not be addressed in the toolchain?
When I asked for clarification I got screenfuls of technobabble. I am
neither a toolchain person nor a kernel person. I am just responsible
for a security-relevant package.
That's why I said - repeatedly - no to the request.
I am open to advice from the TC since I know that I can trust you.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421