Control: tags -1 - moreinfo

Hi Marcos and Marc,

Your request is received. Thanks for providing extensive detail and adding more where questions have been asked. Can we all slow down a bit to avoid getting repetitive? I am removing the moreinfo tag for now as we need a bit of time to digest what's there.

Marc, in https://lore.kernel.org/all/[email protected]/ you say that you require a TC maintainer override to implement the change, whereas in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#15 you suggest that TC advice would be sufficient to you. Can you clarify which procedural level you require here?

From a technical point of view, I note that -fcf-protection is not enabled for i386 at the toolchain level for any Debian release. It was added to the default flags for amd64 in trixie. This wasn't fully evident from the discussion to me. It really is sudo that is adding this flag: https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u1/m4/hardening.m4#L108

There seem to be two major arguments involved, both of which I have not yet verified in depth.

1. The -fcf-protection flag bears no benefit in 32-bit user applications.
2. The ENDBR32 instruction inserted by -fcf-protection is not supported in some CPUs that were considered supported by bookworm's baseline.

In principle, this is a baseline violation and would usually be considered a release-critical bug. An argument against this change is that bookworm was released more than two years ago, which indicates that the number of systems affected by this problem cannot be huge.

Christoph, Paul, Stefano, you've all been replying quickly. Would any of you have capacity to take the moderation role? I prefer not to at this time.

Helmut
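As an added example that is not part of this bug thread nor any Debian or sudo tooling: a small Python scanner that reports whether the executable sections of an i386 ELF contain ENDBR32 (encoded F3 0F 1E FB), which is the concrete check a maintainer can run on a built sudo binary to verify whether -fcf-protection actually reached an i386 build. The minimal ELF32 image it scans is constructed inline as a fixture; all function names are this example's own.

```python
import struct
# Opcode encodings of the CET end-branch markers (F3 0F 1E FB / F3 0F 1E FA).
ENDBR32 = b"\xf3\x0f\x1e\xfb"
ENDBR64 = b"\xf3\x0f\x1e\xfa"
SHF_EXECINSTR = 0x4  # section header flag: section holds machine code

def exec_sections_elf32(data):
    """Yield (file offset, size) of each executable section of a LE ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    e_shoff, = struct.unpack_from("<I", data, 32)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 46)
    for i in range(e_shnum):
        sh = struct.unpack_from("<10I", data, e_shoff + i * e_shentsize)
        sh_flags, sh_offset, sh_size = sh[2], sh[4], sh[5]
        if sh_flags & SHF_EXECINSTR:
            yield sh_offset, sh_size

def count_endbr(data):
    """Return (endbr32, endbr64) counts from executable sections only, so the
    same bytes sitting in .rodata are not mistaken for emitted instructions."""
    n32 = n64 = 0
    for off, size in exec_sections_elf32(data):
        code = data[off:off + size]
        n32 += code.count(ENDBR32)
        n64 += code.count(ENDBR64)
    return n32, n64

def build_sample_elf32(text, rodata):
    """Constructed, non-loadable EM_386 ELF32 with one .text and one .rodata."""
    ehsize, shentsize = 52, 40
    text_off = ehsize
    ro_off = text_off + len(text)
    shoff = ro_off + len(rodata)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, LE, v1
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, shoff, 0,
                              ehsize, 0, 0, shentsize, 3, 0)
    null_sh = b"\x00" * shentsize
    text_sh = struct.pack("<10I", 0, 1, 0x6, 0, text_off, len(text), 0, 0, 16, 0)
    ro_sh = struct.pack("<10I", 0, 1, 0x2, 0, ro_off, len(rodata), 0, 0, 4, 0)
    return hdr + text + rodata + null_sh + text_sh + ro_sh

# Constructed i386 code: two function prologues beginning with ENDBR32, as
# -fcf-protection emits them, plus the same four bytes stored as plain data.
SAMPLE_TEXT = (ENDBR32 + b"\x55\x89\xe5\x5d\xc3"   # push ebp; mov ebp,esp; pop ebp; ret
               + ENDBR32 + b"\x31\xc0\xc3")          # xor eax,eax; ret
SAMPLE_RODATA = ENDBR32 + b"\x00"

if __name__ == "__main__":
    print("endbr32=%d endbr64=%d" % count_endbr(build_sample_elf32(SAMPLE_TEXT, SAMPLE_RODATA)))
```

On a real binary, read the file into `data` and call `count_endbr`; a non-zero endbr32 count on an i386 build means the flag was applied regardless of what the toolchain defaults say.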

