
Bug#1113774: Disabling -fcf-protection in sudo for bookworm

On 02/09/2025 at 15:48, Marc Haber wrote:
> The Geode is an i586 machine that doesn't support the full i686 instruction set. As far as I know, we stopped supporting i586 literally decades ago.

Via Nehalem C3 and Vortex86DX3 are i686. Otherwise the kernel would be
completely unbootable. And I know because that is the case for other i586
machines (e.g. Vortex86MX).

If you are targeting an i686, a Pentium Pro, that makes it even less
reasonable that you are enabling a security feature that was introduced
in 2020 and that breaks on i686-era processors.

> The OP is suggesting to disable a security feature for i386 so that sudo (and other software that uses -fcf-protection) can run on their CPU that was never officially supported in bookworm. They're claiming that this option is a no-op on i386 anyway, but why is it enabled in our toolchain then? Should this issue not be addressed in the toolchain?

It is enabled in the toolchain for the same reason you can use AVX2 with
unsupported processors - it is your duty as a programmer to use compatible
flags.

The sudo maintainer used the flag because he thought it was supposed to
enable all protection on processors that supported it, such as AArch64,
which is not the case and is why he agreed to enable it explicitly on
AMD64 only.
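As an added illustration (not code from this thread or from the sudo package), here is one way a Debian package could restrict -fcf-protection to the amd64 build in debian/rules, which is the "enable on AMD64 only" outcome the message refers to. It assumes a debhelper-style rules file and relies on dpkg's architecture.mk (which defines DEB_HOST_ARCH) and the DEB_CFLAGS_MAINT_APPEND / DEB_CXXFLAGS_MAINT_APPEND hooks honoured by dpkg-buildflags; the surrounding dh target is a generic placeholder.

```make
#!/usr/bin/make -f
# Added example: gate the CET flag on the Debian host architecture.
# Assumes a debhelper-based debian/rules; architecture.mk provides DEB_HOST_ARCH.
include /usr/share/dpkg/architecture.mk

# The unconditional form would be:
#   export DEB_CFLAGS_MAINT_APPEND += -fcf-protection=full
# which also applies to the i386 build, the case this thread reports as
# breaking on i686-era processors.
#
# Gated form: only amd64 gets the flag; every other architecture builds
# with the default dpkg-buildflags output.
ifeq ($(DEB_HOST_ARCH),amd64)
export DEB_CFLAGS_MAINT_APPEND += -fcf-protection=full
export DEB_CXXFLAGS_MAINT_APPEND += -fcf-protection=full
endif

%:
	dh $@
```

After a build, `dpkg-buildflags --get CFLAGS` run inside the package environment shows whether the flag was appended for the current architecture, which is a quick way to confirm the gate behaves as intended before uploading.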
