
Re: Arch qualification for bookworm: call for DSA, Security, toolchain concerns
On Sun, Jul 17, 2022 at 09:02:23PM +0200, Moritz Mühlenhoff wrote:
>...
> but the quickly vanishing
> upstream support for i386 and the lack of active porters make i386
> problematic from the Security Team's point of view.
>
> For packages where new upstream releases are being introduced
> this makes it extra brittle: Firefox/buster fails to compile due
> to toolchain issues (triggers an ICE in GCC) for almost a year
> now (since the update to ESR91)

If anyone ever told me about it I must have missed or forgotten it.
I often follow build failures at https://buildd.debian.org/ nearly in 
realtime, but AFAIK I cannot access logs from security.

I am counting 2 architectures with ESR 91 in buster and 8 architectures 
without ESR 91 in buster, so presenting this as an i386 problem also 
sounds a bit strange.

>...
> But there are also issues in software not following new upstream
> releases in stable, e.g. #1006935 or 1009855 which broke Samba
> in stable.
>...

AFAIR this was a random failure based on the order of hashes that could 
have happened on any architecture.

> and for Chromium there have
> also been random build failures (e.g. #1011096) and for Chromium
> current releases no longer officially support i386, quoting from the
> chromium 102.0.5005.115-1 changelog entry:
> 
> | - debianization/support-i386.patch - re-enable support for i386 builds.
> | Upstream no longer officially supports i386 builds on linux, so we
> | are on our own here.
> 
> Essentially that means that no one can expect to have consistent security
> updates when running i386 for the two main browsers.

i386 is the only 32bit architecture where the upcoming Firefox ESR 
will build on all buildds.

armhf might be mitigatable on the wanna-build side by restricting it
to some specific buildds:
  https://sources.debian.org/src/firefox/102.0.1-3/debian/rules/#L236

> These two specific issues could very well be addressed by dropping
> i386 from the archs for Firefox/Thunderbird/Chromium,

I doubt security supporting these on any 32bit architecture in bookworm 
is feasible.

> but Chromium also spreads into the Qt web packages.

I didn't know that you will provide security support for these in bookworm.
Whatever you suggest for i386 also has to be done for armhf,
reducing the architecture list of the QtWebEngine packages is
an option since they were never built on all architectures.

>...
> Cheers,
>         Moritz

cu
Adrian