The debian-devel thread continued but most responses were not copied to the bug (I've just realised). Possibly this means that you (guillem) didn't see most of the conversation.
The bottom line is the security team were very unenthusiastic about enabling this by default because it might produce unexpected changes on security uploads, which is fair enough. Another suggestion was that it should be turned on for x32 too.

I was expecting (after that discussion) the 'branch' functionality to be included in the next dpkg upload, just not enabled by default, but it was not included in 1.21.12. Do you disagree or did this just get forgotten?

----- Forwarded message from Moritz Mühlenhoff <j...@inutil.org> -----

Date: Wed, 26 Oct 2022 20:20:48 +0200
From: Moritz Mühlenhoff <j...@inutil.org>
To: debian-de...@lists.debian.org
Subject: Re: Enabling branch protection on amd64 and arm64
List-Id: <debian-devel.lists.debian.org>

Wookey wrote:
> So the immediate issue now is whether or not to enable this by default
> in bookworm?

The majority of packages will not be rebuilt until the release, so if we add this now it means that packages pick up the change when they are rebuilt in stable via a security update or point release. That's not very appealing, independent of the supposed low risk factor.

I think this should rather be applied early after the Bookworm release (and ideally we can also finish off the necessary testing and add -fstack-clash-protection at least for amd64 and other archs which are ready for it (#918914)).

Cheers,
        Moritz

----- End forwarded message -----

Wookey
--
Principal hats:  Debian, Wookware, ARM
http://wookware.org/
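The practical question behind this thread is whether a rebuilt package actually picked up branch protection. The check below is an added example, not code from this bug report, from dpkg or from the debian-devel discussion: it reads the .note.gnu.property section that GCC and ld emit, and reports the arm64 feature bits (BTI, PAC) and amd64 feature bits (IBT, SHSTK) that the branch protection flags set. The property type constants and bit layout are those of the GNU ELF property ABI; the mapping of features to the dpkg 'branch' feature is an assumption, since the thread names the feature but not its flags, and the sample note bytes are constructed inline so the parser can be exercised without a binary.

```python
"""Added example: does an ELF64 object carry branch-protection property notes?

Not dpkg's or the bug reporter's code. GCC/ld record the outcome of
-mbranch-protection=standard (arm64: BTI, PAC) and -fcf-protection
(amd64: IBT, SHSTK) in .note.gnu.property; this decodes that section so a
rebuild can be checked for the flags actually taking effect.
"""
import struct

SHT_NOTE = 7
EM_X86_64 = 62
EM_AARCH64 = 183
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_BITS = {
    GNU_PROPERTY_AARCH64_FEATURE_1_AND: ("aarch64", {1: "BTI", 2: "PAC"}),
    GNU_PROPERTY_X86_FEATURE_1_AND: ("x86", {1: "IBT", 2: "SHSTK"}),
}


def parse_property_notes(data, align=8):
    """Decode raw .note.gnu.property bytes into {"aarch64": set, "x86": set}.

    Note name and descriptor are padded to 4 bytes; each property's data is
    padded to the section alignment (8 on ELF64)."""
    found = {"aarch64": set(), "x86": set()}
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += (namesz + 3) & ~3
        desc = data[off:off + descsz]
        off += (descsz + 3) & ~3
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue  # some other note type; not a GNU property note
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            pr_data = desc[p:p + pr_datasz]
            p += (pr_datasz + align - 1) & ~(align - 1)
            if pr_type in FEATURE_BITS and pr_datasz == 4:
                arch, bits = FEATURE_BITS[pr_type]
                feature_mask = struct.unpack("<I", pr_data)[0]
                found[arch].update(n for b, n in bits.items() if feature_mask & b)
    return found


def property_notes_from_elf(path):
    """Locate .note.gnu.property in a little-endian ELF64 file and decode it.
    Returns (e_machine, features)."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_machine = struct.unpack_from("<H", elf, 18)[0]
    e_shoff = struct.unpack_from("<Q", elf, 40)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 58)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]  # sh_offset of the section-name table
    features = {"aarch64": set(), "x86": set()}
    for sh_name, sh_type, _f, _a, sh_off, sh_size, _l, _i, sh_align, _e in shdrs:
        if sh_type != SHT_NOTE:
            continue
        end = elf.index(b"\0", strtab_off + sh_name)
        if elf[strtab_off + sh_name:end] != b".note.gnu.property":
            continue
        notes = parse_property_notes(elf[sh_off:sh_off + sh_size], max(sh_align, 4))
        for arch in features:
            features[arch] |= notes[arch]
    return e_machine, features


def branch_protection_status(e_machine, features):
    """One-line verdict: are the bits the branch-protection flags set all there?"""
    if e_machine == EM_AARCH64:
        label, want, have = "arm64", {"BTI", "PAC"}, features["aarch64"]
    elif e_machine == EM_X86_64:
        label, want, have = "amd64", {"IBT", "SHSTK"}, features["x86"]
    else:
        return "unsupported machine %d" % e_machine
    if have >= want:
        return "%s: enabled (%s)" % (label, "+".join(sorted(have)))
    if have:
        return "%s: partial (%s)" % (label, "+".join(sorted(have)))
    return "%s: NOT enabled" % label


def build_property_note(pr_type, bits, align=8):
    """Constructed sample: one GNU property note laid out as ld does on ELF64."""
    pad = (-4) % align  # the 4-byte feature word is padded to the alignment
    prop = struct.pack("<III", pr_type, 4, bits) + b"\0" * pad
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        machine, feats = property_notes_from_elf(sys.argv[1])
        print(branch_protection_status(machine, feats))
    else:  # no file given: run against the constructed sample note
        sample = build_property_note(GNU_PROPERTY_AARCH64_FEATURE_1_AND, 0x3)
        print(branch_protection_status(EM_AARCH64, parse_property_notes(sample)))
```

Run it as `python3 check_branch_prop.py /usr/bin/some-binary` on an arm64 or amd64 build; an object linked from even one translation unit compiled without the flags loses the bit, because the linker ANDs the feature words, which is exactly why a rebuild mid-stable can change the outcome for a whole binary.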