Bug#1113774: Disabling -fcf-protection in sudo for bookworm
On 02/09/2025 at 17:28, Paul Tagliamonte wrote:
> The natural outcome here seems to be:
>
> a) do nothing as-is, some fraction of supported but non-intel CPUs will
> get runtime failures, since we've altered the ISA baseline and
> never realized it due to popularity
>
> b) remove this flag from sudo specifically, fixing sudo specifically
> in bookworm (oldstable)
>
> c) change all i386 package flags for bookworm specifically (oldstable)
> and binNMU the whole archive, FTBFS and all
>
> d) declare bookworm i386 retroactively always was a different ISA baseline
> ("We have always been at war with Eastasia")
Hello Paul,
B would be in my opinion the solution. So far, I have not found any other
package that has these issues. Not even running a full-fledged desktop
environment (XFCE with X11) has been an issue.
This flag is present on sudo, because the "hardening.m4" file it contains
explicitly enabled "-fcf-protection".
Considering all reports I've personally seen of illegal instruction on
these kinds of i686 processors have been limited to "sudo" in Debian, Gentoo
and other BSDs, I assume the amount of packages that I assumed have enabled
"-fcf-protection=full" or "-fcf-protection=branch" will probably be
minimal.
Greetings,
Marcos
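
The assumption in the message above, that few packages enable "-fcf-protection", can be checked per binary. The following is an added example, not part of the original message or of sudo's packaging: it lists file offsets of the ENDBR32 byte sequence (f3 0f 1e fb), which these flags insert on i386, inside the executable segments of a 32-bit ELF. The function names and the sample image are constructed for illustration.

```python
import struct
import sys

# ENDBR32 encoding; GCC places it at function entries and other indirect-branch
# targets on i386 when built with -fcf-protection=branch or =full.
ENDBR32 = bytes.fromhex("f30f1efb")
PT_LOAD, PF_X, EM_386 = 1, 1, 3

def endbr32_offsets(elf: bytes) -> list[int]:
    """File offsets of ENDBR32 byte patterns in executable PT_LOAD segments.

    A byte match is a heuristic (it can hit data or straddle instructions);
    confirm a positive result with a disassembler.
    """
    if len(elf) < 52 or elf[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a 32-bit little-endian ELF")
    e_machine, = struct.unpack_from("<H", elf, 18)
    if e_machine != EM_386:
        raise ValueError("not an i386 ELF")
    e_phoff, = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    hits = []
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            "<8I", elf, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD or not p_flags & PF_X:
            continue
        segment = elf[p_offset:p_offset + p_filesz]
        pos = segment.find(ENDBR32)
        while pos != -1:
            hits.append(p_offset + pos)
            pos = segment.find(ENDBR32, pos + 1)
    return hits

def sample_elf(code: bytes) -> bytes:
    """Constructed sample: ELF32 header plus one R+X PT_LOAD, then `code`."""
    size = 52 + 32 + len(code)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + bytes(9),
                       2, EM_386, 1, 0x08048054, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, 0x08048000, 0x08048000,
                       size, size, 5, 0x1000)
    return ehdr + phdr + code

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. an i386 build of a binary under review
        with open(path, "rb") as f:
            print(path, len(endbr32_offsets(f.read())), "ENDBR32 pattern(s)")
```

A count of zero across a package's i386 binaries indicates it was not built with the flag; a non-zero count is worth confirming in a disassembly before drawing conclusions.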