The debian-devel thread continued, but most responses were not copied to the bug
(I've just realised). Possibly this means that you (guillem) didn't see most of
the conversation.

The bottom line is the security team were very unenthusiastic about
enabling this by default because it might produce unexpected changes
on security uploads, which is fair enough.

Another suggestion was that it should be turned on for x32 too.

I was expecting (after that discussion) the 'branch' functionality to be
included in the next dpkg upload, just not enabled by default, but it
was not included in 1.21.12.

Do you disagree or did this just get forgotten?


----- Forwarded message from Moritz Mühlenhoff <j...@inutil.org> -----

Date: Wed, 26 Oct 2022 20:20:48 +0200
From: Moritz Mühlenhoff <j...@inutil.org>
To: debian-de...@lists.debian.org
Subject: Re: Enabling branch protection on amd64 and arm64
List-Id: <debian-devel.lists.debian.org>

Wookey wrote:
> So the immediate issue now is whether or not to enable this by default
> in bookworm?

The majority of packages will not be rebuilt until the release, so
if we add this now it means that packages pick up the change when
they are rebuilt in stable via a security update or point release.
That's not very appealing, independent of the supposed low risk
factor.

I think this should rather be applied early after the Bookworm
release (and ideally we can also finish off the necessary testing
and add -fstack-clash-protection at least for amd64 and other archs
which are ready for it (#918914)).

Cheers,
        Moritz


----- End forwarded message -----
Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/
