Bug#1113774: Disabling -fcf-protection in sudo for bookworm

To: Andrea Pappacoda <tachi@debian.org>
Cc: Paul Tagliamonte <paultag@debian.org>, 1113774@bugs.debian.org, Christoph Berg <myon@debian.org>, Stefano Rivera <stefanor@debian.org>, Marcos Del Sol Vives <marcos@orca.pet>, Matthew Vernon <matthew@debian.org>
Subject: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
From: Marc Haber <mh+debian-packages@zugschlus.de>
Date: Wed, 3 Sep 2025 13:06:12 +0200
Message-id: <[🔎] aLghJAdz23EvEPOz@torres.zugschlus.de>
Reply-to: Marc Haber <mh+debian-packages@zugschlus.de>, 1113774@bugs.debian.org
In-reply-to: <[🔎] DCIFJNGQUKOX.1BXKX1JQO9YUN@debian.org>
References: <[🔎] c74dd526-0478-43aa-9be7-d0baaf9b2430@debian.org> <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet> <[🔎] a995c99e-0b4f-40e1-b33e-4e2adbf0a53b@orca.pet> <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet> <[🔎] h63tyj6yp52c4hoglynhlajetnowjnsefkznicdp4jbfl5rsd4@aodm52fty2xx> <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet> <[🔎] aLcJ0xMe-kROKuVy@msg.df7cb.de> <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet> <[🔎] 20250902152822.GA221330@dc.cant.vote> <[🔎] DCIFJNGQUKOX.1BXKX1JQO9YUN@debian.org> <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet>

On Tue, Sep 02, 2025 at 05:46:27PM +0200, Andrea Pappacoda wrote:

I personally find the argument of whether Marcos' CPU is supported notreally persuasive, since, if I got this correct, that compiler optionis doing nothing good and just causing issues to a subset of ourusers.

I think that this is what the entire thing boils down. I am unwilling todisable that compiler option if there is a feather of a possibility thatdoing so would decrease security for systems that do support the opcodein question.

If we (that means Debian, the TC or some other part that I have trustin) come to the consensus that it all our release architectures are wellserved with full security even if -fcf-protection is just set forx86_64, I am fine with doing that changes and providing an appropriatelypatched version for bookworm (and trixie).

I am not close enough to this level of systems programming to have myown informed knowledge about this matter, but I need that advice comingfrom a body that I trust.

We had the OpenSSL random generator desaster from 2008 originating fromnot well given upstream advice, and I don't want to repeat this.


Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Reply to:

References:
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Matthew Vernon <matthew@debian.org>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Stefano Rivera <stefanor@debian.org>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Christoph Berg <myon@debian.org>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Paul Tagliamonte <paultag@debian.org>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: "Andrea Pappacoda" <tachi@debian.org>

Prev by Date: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Next by Date: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Previous by thread: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Next by thread: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Index(es):
- Date
- Thread