Hi Marcos,

On Wed, Sep 03, 2025 at 12:38:28PM +0200, Marcos Del Sol Vives wrote:
> I am surprised that bare "-fcf-protection" was enabled by default on Trixie,
> as that enables both shadow stacks (supported in user mode, actually
> protecting users with zero size overhead) and IBT (not supported in
> user-mode, doing nothing but increasing thus the size of all binaries)
It is also enabled in forky/sid. While we somewhat disagree on the importance of old i386 hardware on this matter, would you mind additionally questioning the usefulness of -fcf-protection (=full) as opposed to -fcf-protection=return to the project? I suggest that you report a wishlist bug against dpkg-dev (which contains our default build flags) and X-Debbugs-Cc: [email protected] to try to change this for unstable. Let me also note that Ubuntu sets -fcf-protection=none on amd64. The original bug adding -fcf-protection is #1021292. According to Wookey, RedHat enterprise sets -fcf-protection since 2018.

> Enabling "-fcf-protection=return" for Trixie which compiles with only
> shadow stacks would have resulted in smaller binaries with the same level
> of protection (and also would fix the issue with "sudo" for these i686).

This feels like a rather convincing case for changing our distribution default from -fcf-protection (with implied value "full") to -fcf-protection=return. One of Marc's complaints is that removing the flag could lower security. Now you indicate that removing "half" of the flag would be sufficient for your cause and that the other half could still have a positive effect.

Beware that we will also take the affected user base and timeline into account. Even if the TC ends up agreeing with the technical presentation given, we may still favour not changing sudo in bookworm given an expectation of this affecting too few relevant machines and users.

Helmut
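The distinction argued about above (which CET features -fcf-protection, -fcf-protection=return and -fcf-protection=branch record in a built object) can be verified on the binary itself: GCC and the linker encode the selection as the GNU_PROPERTY_X86_FEATURE_1_AND bitmask in the .note.gnu.property section, where bit 0 is IBT and bit 1 is SHSTK, and `readelf -n` prints it as "x86 feature: IBT, SHSTK". The script below is an added example, not part of this thread, of dpkg-dev or of any Debian tooling; it parses that note from ELF32 (i386) and ELF64 (amd64) files and maps the bits back to the -fcf-protection value that produces them. `make_test_elf` is a constructed fixture (an assumption for offline testing, not a real binary) so the parser can be exercised without a compiler.

```python
"""Report which x86 CET features an ELF object was marked with.

GCC records -fcf-protection in .note.gnu.property (GNU_PROPERTY_X86_FEATURE_1_AND):
  -fcf-protection / =full -> IBT | SHSTK      =return -> SHSTK only
  =branch                 -> IBT only         =none   -> no property emitted
It is an AND property: ld.so enables a feature only if every loaded object has
the bit, so one unmarked library silently disables it for the whole process.
"""
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1
SHT_NOTE, SHT_STRTAB = 7, 3


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def _sections(elf):
    """Yield (name, offset, size, type, is64) for every section header."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2
    if is64:
        (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
        fmt = "<IIQQQQIIQQ"  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
    else:
        (e_shoff,) = struct.unpack_from("<I", elf, 0x20)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
        fmt = "<IIIIIIIIII"
    hdrs = [struct.unpack_from(fmt, elf, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = hdrs[e_shstrndx][4]
    for h in hdrs:
        name = elf[strtab + h[0]:elf.index(b"\0", strtab + h[0])].decode()
        yield name, h[4], h[5], h[1], is64


def x86_feature_1(elf):
    """Return the GNU_PROPERTY_X86_FEATURE_1_AND bitmask, or 0 if the object has none."""
    for name, off, size, typ, is64 in _sections(elf):
        if typ != SHT_NOTE or name != ".note.gnu.property":
            continue
        pad, pos, end = (8 if is64 else 4), off, off + size
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
            owner = elf[pos + 12:pos + 12 + namesz]
            desc_off = pos + 12 + _align(namesz, 4)
            desc = elf[desc_off:desc_off + descsz]
            pos = desc_off + _align(descsz, pad)
            if ntype != NT_GNU_PROPERTY_TYPE_0 or owner != b"GNU\0":
                continue
            p = 0  # properties: pr_type, pr_datasz, pr_data padded to 8 (ELF64) / 4 (ELF32)
            while p + 8 <= len(desc):
                pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
                data = desc[p + 8:p + 8 + pr_datasz]
                p += 8 + _align(pr_datasz, pad)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    return struct.unpack("<I", data)[0]
    return 0


def cf_protection_value(bits):
    """Map the IBT/SHSTK bits back to the -fcf-protection value that emits them."""
    ibt = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
    shstk = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
    return {(True, True): "full", (False, True): "return",
            (True, False): "branch", (False, False): "none"}[(ibt, shstk)]


def make_test_elf(is64, feature_bits=None):
    """Constructed fixture: a minimal ELF holding only .note.gnu.property and .shstrtab.
    feature_bits=None omits the property entirely (what -fcf-protection=none yields)."""
    pad = 8 if is64 else 4
    desc = b""
    if feature_bits is not None:
        desc = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, 4)
        desc += struct.pack("<I", feature_bits).ljust(_align(4, pad), b"\0")
    note = struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
    shstrtab = b"\0.note.gnu.property\0.shstrtab\0"
    ehsize, shent = (64, 64) if is64 else (52, 40)
    note_off, str_off = ehsize, ehsize + len(note)
    shoff = _align(str_off + len(shstrtab), 8)
    if is64:
        hdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
        hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, ehsize, 0, 0, shent, 3, 2)
        shfmt = "<IIQQQQIIQQ"
    else:
        hdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9
        hdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, shoff, 0, ehsize, 0, 0, shent, 3, 2)
        shfmt = "<IIIIIIIIII"
    body = hdr + note + shstrtab
    body += b"\0" * (shoff - len(body))
    sh = struct.pack(shfmt, *([0] * 10))
    sh += struct.pack(shfmt, 1, SHT_NOTE, 0, 0, note_off, len(note), 0, 0, pad, 0)
    sh += struct.pack(shfmt, 20, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    return body + sh


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, "rb") as f:
            bits = x86_feature_1(f.read())
        print(f"{path}: -fcf-protection={cf_protection_value(bits)} (bits=0x{bits:x})")
```

Run it against a real object (`python3 cfcheck.py /usr/bin/sudo`) to see whether a package was built with the full or return-only property; the fixture shows the expected bit patterns for each flag value on both ELF classes.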

