
Bug#1113774: Disabling -fcf-protection in sudo for bookworm



On Fri, Sep 26, 2025 at 11:11:08AM +0200, Helmut Grohne wrote:
> On Thu, Sep 25, 2025 at 01:56:21PM +0200, Marc Haber wrote:
>> I reaffirm that. Should the TC decline to give formal advice (which I would
>> be fine with), I would go ahead to disable -fcf-protection for i386 builds
>> (and verify that the amd64 and arm64 binaries stay identical) and build
>> packages for trixie and bookworm, submit both of them for the next point
>> release.
>
> Please bear in mind that these flags are architecture-specific. The
> arm64 compiler does not understand -fcf-protection at all (and this is a
> recurring problem for cross builds when people mix build/host compiler
> flags with host/build compilers). For arm64 you should be seeing
> -mbranch-protection=standard since trixie. Likewise, an amd64 compiler
> will fail on encountering -mbranch-protection=standard.

I would consider a failed build a non-identical result. Am I being naive here?

Anyway, thanks for the hint, appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
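
Added example (not part of the mail or of the sudo packaging): a POSIX shell filter for the flag mix-up described in the quoted paragraph, which keeps only the control-flow protection flags the target architecture's compiler accepts and drops -fcf-protection where it is deliberately disabled. The function names and the NO_CF_ARCHES variable are hypothetical, and architectures other than amd64, i386 and arm64 are assumed to accept neither flag.

```shell
#!/bin/sh
# Added example, not from the mail; all names are hypothetical.
# NO_CF_ARCHES: architectures where -fcf-protection is deliberately off.
NO_CF_ARCHES=${NO_CF_ARCHES:-i386}
# Which compiler family understands this flag: x86, arm64 or any.
flag_family() {
    case "$1" in
        -fcf-protection|-fcf-protection=*) echo x86 ;;
        -mbranch-protection=*)             echo arm64 ;;
        *)                                 echo any ;;
    esac
}

# Map a Debian architecture name to a compiler family.
# Assumption: anything else accepts neither protection flag.
arch_family() {
    case "$1" in
        amd64|i386) echo x86 ;;
        arm64)      echo arm64 ;;
        *)          echo other ;;
    esac
}

# filter_flags ARCH FLAG...: print flags for ARCH, explain drops on stderr.
filter_flags() {
    arch=$1; shift
    fam=$(arch_family "$arch")
    out=
    for f in "$@"; do
        ff=$(flag_family "$f")
        if [ "$ff" != any ] && [ "$ff" != "$fam" ]; then
            echo "$arch: dropping $f (compiler does not understand it)" >&2
            continue
        fi
        case "$ff: $NO_CF_ARCHES " in
            "x86:"*" $arch "*)
                echo "$arch: dropping $f (disabled for this architecture)" >&2
                continue ;;
        esac
        out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Constructed flag set that mixes both families, as in a confused cross build.
for a in amd64 i386 arm64; do
    printf '%s: ' "$a"
    filter_flags "$a" -O2 -fcf-protection -mbranch-protection=standard
done
```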

