
Re: Arch qualification for bookworm: call for DSA, Security, toolchain concerns



On Wed, Jun 22, 2022 at 10:05:37AM +0200, Graham Inggs wrote:
> Hi,
> 
> As part of the interim architecture qualification for bookworm, we
> request that DSA, the security team, Wanna build, and the toolchain
> maintainers review and update their list of known concerns for bookworm
> release architectures.

> In particular, we would like to hear any new concerns for riscv64
> (see below).

There are no concerns for riscv64, but the quickly vanishing
upstream support for i386 and the lack of active porters make i386
problematic from the Security Team's point of view.

For packages where new upstream releases are being introduced
this makes it extra brittle: Firefox/buster has failed to compile due
to toolchain issues (it triggers an ICE in GCC) for almost a year
now (since the update to ESR91), and for Chromium there have
also been random build failures (e.g. #1011096). Furthermore, current
Chromium releases no longer officially support i386; quoting from the
chromium 102.0.5005.115-1 changelog entry:

| - debianization/support-i386.patch - re-enable support for i386 builds.
| Upstream no longer officially supports i386 builds on linux, so we
| are on our own here.

Essentially that means that no one can expect to have consistent security
updates when running i386 for the two main browsers.

These two specific issues could very well be addressed by dropping
i386 from the archs for Firefox/Thunderbird/Chromium, but Chromium
also spreads into the Qt web packages.

But there are also issues in software not following new upstream
releases in stable, e.g. #1006935 or #1009855, which broke Samba
in stable.

In addition, there are also the issues with late or missing upstream
support for the quarterly speculation attacks Ben has already mentioned.

Cheers,
        Moritz

