Following the procedure to modify default dpkg-buildflags I propose to enable -fstack-clash-protection on amd64. The bug for dpkg tracking this is #918914.
| -fstack-clash-protection
|     Generate code to prevent stack clash style attacks. When this option
|     is enabled, the compiler will only allocate one page of stack space
|     at a time and each page is accessed immediately after allocation.
|     Thus, it prevents allocations from jumping over any stack guard page
|     provided by the operating system.

This has been enabled on other distros for many years already (e.g. Fedora since 27, RHEL since 8, OpenSUSE since 15.1, Ubuntu since 19.10).

I worked with Lucas a while back and he made an archive rebuild on amd64; only a minimal list of packages will need to be adapted:
http://qa-logs.debian.net/2023/05/24/

The open question is whether to also enable this for arm64, mips64el, ppc64el, riscv and s390x. I'm adding the respective porter lists; if there's consensus among porters of a given arch other than amd64 to also add the flag, please post a followup to #918914.

Cheers,
Moritz
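The quoted gcc text describes what the flag changes in generated code: every page of a large stack allocation is touched before the next lower one is claimed. The following C program is an added example (not from Moritz's mail, from gcc, or from dpkg) that shows the unprotected access pattern beside a hand-written page-by-page probe loop equivalent to what the instrumented code emits. PAGE_SIZE and GUARD_PAGES are assumptions matching the usual Linux/amd64 defaults, and all function names are hypothetical.

```c
/*
 * Added example (not from the mail, gcc, or dpkg): what -fstack-clash-protection
 * changes about a large stack allocation. PAGE_SIZE and GUARD_PAGES are
 * assumptions matching the common Linux/amd64 defaults (4 KiB pages, one
 * guard page below the stack). Function names are hypothetical.
 */
#include <alloca.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE   4096UL
#define GUARD_PAGES 1UL

/* Number of pages an n-byte stack allocation spans (ignoring alignment slack). */
size_t pages_spanned(size_t n)
{
    return (n + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* An unprobed allocation may jump over a guard of guard_pages pages when the
 * distance from the old stack pointer to the first store below it (up to n
 * bytes) exceeds the guard's size: nothing in between is ever touched. */
int may_skip_guard(size_t n, size_t guard_pages)
{
    return n > guard_pages * PAGE_SIZE;
}

/* The unprotected pattern: one large stack allocation, then a store at its
 * lowest address only. Without -fstack-clash-protection this is a single
 * stack-pointer subtraction followed by one store, so if n covers more than
 * the guard page, that store lands in whatever mapping lies below the guard.
 * (Here n stays far below the 8 MiB main-thread stack, so the call is safe;
 * the point is the access pattern, not a crash.) */
__attribute__((noinline))
unsigned char write_unprobed(size_t n)
{
    volatile unsigned char *buf = alloca(n);
    buf[0] = 0x41;          /* buf[0] is the end nearest the guard page */
    return buf[0];
}

/* The same allocation probed by hand, the way the instrumented code does it:
 * walk from the caller's end downward one page at a time, touching each page
 * before moving to the next lower one, so no page (and hence no guard) can be
 * skipped. Returns the number of probes, which equals pages_spanned(n). */
__attribute__((noinline))
size_t write_probed(size_t n)
{
    volatile unsigned char *buf = alloca(n);
    size_t probes = 0;
    for (size_t off = n; off > 0; off -= (off > PAGE_SIZE ? PAGE_SIZE : off)) {
        buf[off - 1] = 0;   /* gcc's probe on amd64 is "orq $0, (%rsp)" */
        probes++;
    }
    buf[0] = 0x41;
    return probes;
}

int main(void)
{
    size_t n = 16 * PAGE_SIZE;   /* 64 KiB: spans 16 pages */
    printf("%zu-byte allocation spans %zu pages; may skip %lu guard page(s): %s\n",
           n, pages_spanned(n), GUARD_PAGES,
           may_skip_guard(n, GUARD_PAGES) ? "yes" : "no");
    printf("unprobed write returned 0x%02x; %zu page(s) between old rsp and store untouched\n",
           write_unprobed(n), pages_spanned(n) - 1);
    printf("probed write issued %zu probes\n", write_probed(n));
    return 0;
}
```

To see the flag's effect directly, compile this file twice with `gcc -O2 -S` with and without `-fstack-clash-protection` and compare the assembly of write_unprobed: with the flag, gcc turns the single subtraction into a loop that moves the stack pointer one page at a time and stores to each page, which is the same thing write_probed does by hand.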