Hello,

On Tue, Sep 02, 2025 at 06:28:12PM +0200, Helmut Grohne wrote:
> Marc, in https://lore.kernel.org/all/[email protected]/ you say that you require a TC maintainer override to implement the change whereas in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#15 you suggest that TC advice would be sufficient to you. Can you clarify which procedural level you require here?
I would be fine with everything. Advice would be good for the beginning. Maybe I end up convinced and then would not need to be overridden. I don't know enough about the issue to have a firm opinion yet. Your expertise is appreciated.
> From a technical point of view, I note that -fcf-protection is not enabled for i386 at the toolchain level for any Debian release. It was added to the default flags for amd64 in trixie. This wasn't fully evident from the discussion to me. It really is sudo that is adding this flag. https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u1/m4/hardening.m4#L108
sudo upstream did that back in 2021. The submitter of this TC bug report convinced Upstream to only enable this on x86_64 recently. I don't know whether this makes sense; upstream accepted the patch. Who am I to argue with upstream?
This however will never apply to oldstable, which the submitter wants changed.
> There seem to be two major arguments involved both of which I have not yet verified in depth.
>
> 1. The -fcf-protection flag bears no benefit in 32bit user applications.
>
> 2. The ENDBR32 instruction inserted by -fcf-protection is not supported in some CPUs that were considered supported by bookworm's baseline. In principle, this is a baseline violation and would usually be considered a release-critical bug.
In sudo? In the toolchain? In whatever provides -fcf-protection?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They  | Mailadresse im Header
Leimen, Germany    | lose things." Winona Ryder      | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt   | Fax: *49 6224 1600421
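The check a reader of this thread will want is whether a given i386 object actually carries the IBT marking that -fcf-protection adds, independent of what the toolchain or sudo's hardening.m4 intended. The Python below is an added example, not code from the thread, from sudo or from Debian: it decodes the raw bytes of an ELF .note.gnu.property section (extract one with `objcopy -O binary --only-section=.note.gnu.property <file> note.bin`, and pass align=8 for x86_64 objects) and counts ENDBR32/ENDBR64 patterns in a code blob. The sample note is constructed by build_note for illustration, not taken from a real binary.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT = 0x1    # ENDBR32/ENDBR64 landing pads present (-fcf-protection=branch)
FEATURE_1_SHSTK = 0x2  # shadow-stack compatible (-fcf-protection=return)
ENDBR32, ENDBR64 = b"\xf3\x0f\x1e\xfb", b"\xf3\x0f\x1e\xfa"

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def x86_cet_flags(note, align=4):
    """Return the GNU_PROPERTY_X86_FEATURE_1_AND bitmask found in the raw bytes
    of a .note.gnu.property section, or 0 if no such property exists.
    align is the section alignment: 4 for i386 objects, 8 for x86_64."""
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += _align(namesz, align)
        desc = note[off:off + descsz]
        off += _align(descsz, align)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue  # some other GNU note (e.g. build-id): skip it
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                return struct.unpack_from("<I", desc, p)[0]
            p += _align(pr_datasz, align)
    return 0

def build_note(flags, align=4):
    """Construct a minimal property note carrying `flags` (sample data only)."""
    name = b"GNU\0".ljust(_align(4, align), b"\0")
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, flags)
    prop = prop.ljust(_align(len(prop), align), b"\0")
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + name + prop

def count_endbr(code):
    """Count ENDBR32 / ENDBR64 byte patterns in a raw .text blob (a rough
    check: the bytes can also occur inside other instructions or data)."""
    return code.count(ENDBR32), code.count(ENDBR64)

def describe(flags):
    names = [n for bit, n in ((FEATURE_1_IBT, "IBT"), (FEATURE_1_SHSTK, "SHSTK")) if flags & bit]
    return ",".join(names) or "none"
```

`readelf -n <file>` prints the same property ("x86 feature: IBT, SHSTK") when binutils is at hand; the parser above is for cases where you have only the section bytes.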

