Bug#1113774: Disabling -fcf-protection in sudo for bookworm

To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Christoph Berg <myon@debian.org>, Marcos Del Sol Vives <marcos@orca.pet>, 1113774@bugs.debian.org
Subject: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
From: Helmut Grohne <helmut@subdivi.de>
Date: Fri, 26 Sep 2025 11:11:08 +0200
Message-id: <[🔎] 20250926091108.GA4148893@subdivi.de>
Reply-to: Helmut Grohne <helmut@subdivi.de>, 1113774@bugs.debian.org
In-reply-to: <[🔎] aNUt5YtLBX4bXA1a@torres.zugschlus.de>
References: <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet> <[🔎] 20250902162812.GA342841@subdivi.de> <[🔎] be775cf1-2b1f-4772-bfb5-0c8234cb14bf@orca.pet> <[🔎] 20250903114252.GA3814119@subdivi.de> <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet> <[🔎] e42710b5-8907-4f23-b0c8-a021069eff90@orca.pet> <[🔎] aNQoKbFGnuZwSdwU@msg.df7cb.de> <[🔎] aNUt5YtLBX4bXA1a@torres.zugschlus.de> <[🔎] 0ef6f9b2-e5ed-4f4d-b08f-b2d4a5fd6255@orca.pet>

Hi Marc,

On Thu, Sep 25, 2025 at 01:56:21PM +0200, Marc Haber wrote:
> I reaffirm that. Should the TC decline to give formal advice (which I would
> be fine with), I would go ahead to disable -fcf-protection for i386 builds
> (and verify that the amd64 and arm64 binary stay identical) and build
> packages for trixie and bookworm, submit both of them for the next point
> release.

Please bear in mind that these flags are architecture-specific. The
arm64 compiler does not understand -fcf-protection at all (and this is a
recurring problem for cross builds when people mix build/host compiler
flags with host/build compilers). For arm64 you should be seeing
-mbranch-protection=standard since trixie. Likewise, an amd64 compiler
will fail on encountering -mbranch-protection=standard.

Helmut

Reply to:

Follow-Ups:
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Marc Haber <mh+debian-packages@zugschlus.de>

References:
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Helmut Grohne <helmut@subdivi.de>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Helmut Grohne <helmut@subdivi.de>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Marcos Del Sol Vives <marcos@orca.pet>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Christoph Berg <myon@debian.org>
- Bug#1113774: Disabling -fcf-protection in sudo for bookworm
  - From: Marc Haber <mh+debian-packages@zugschlus.de>

Prev by Date: Bug#1115317: advice for using /var/lock (which is a link to /run/lock) (#1110981)
Next by Date: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Previous by thread: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Next by thread: Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Index(es):
- Date
- Thread