Re: Enabling branch protection on amd64 and arm64
On 2022-10-26 20:20:48 +0200, Moritz Mühlenhoff wrote:
> Wookey wrote:
> > So the immediate issue now is whether or not to enable this by default
> > in bookworm?
> 
> The majority of packages will not be rebuilt until the release, so
> if we add this now it means that packages pick up the change when
> they are rebuilt in stable via a security update or point release.
> That's not very appealing, independent of the supposed low risk
> factor.
> 
> I think this should rather be applied early after the Bookworm
> release (and ideally we can also finish off the necessary testing
> and add -fstack-clash-protection at least for amd64 and other archs
> which are ready for it (#918914)).

I agree that it's too late for bookworm.

If we'd enable it now, we'd want to rebuild the archive before releasing
bookworm to avoid surprises with any security or stable updates in the
future. Rebuilding the world, however, seems unrealistic at this stage.
Some of the architectures already have a hard time keeping up with the
normal load.

Enabling these flags as soon as the trixie release cycle starts sounds
like a better idea. Adoption of these flags will then naturally progress,
and before the trixie release we can rebuild whatever remains.

Cheers
-- 
Sebastian Ramacher
