On Wed, Jun 22, 2022 at 10:05:37AM +0200, Graham Inggs wrote:
> Hi,
>
> As part of the interim architecture qualification for bookworm, we
> request that DSA, the security team, Wanna build, and the toolchain
> maintainers review and update their list of known concerns for bookworm
> release architectures.
> In particular, we would like to hear any new concerns for riscv64
> (see below).

There are no concerns for riscv64, but the quickly vanishing upstream support for i386 and the lack of active porters make i386 problematic from the Security Team's point of view.

For packages where new upstream releases are being introduced this makes it extra brittle: Firefox/buster has failed to compile due to toolchain issues (triggers an ICE in GCC) for almost a year now (since the update to ESR91), for Chromium there have also been random build failures (e.g. #1011096), and current Chromium releases no longer officially support i386, quoting from the chromium 102.0.5005.115-1 changelog entry:

| - debianization/support-i386.patch - re-enable support for i386 builds.
| Upstream no longer officially supports i386 builds on linux, so we
| are on our own here.

Essentially that means that no one can expect to have consistent security updates when running i386 for the two main browsers. These two specific issues could very well be addressed by dropping i386 from the archs for Firefox/Thunderbird/Chromium, but Chromium also spreads into the Qt web packages.

But there are also issues in software not following new upstream releases in stable, e.g. #1006935 or #1009855, which broke Samba in stable.

In addition there are also the issues with late or missing upstream support for the quarterly speculation attacks Ben has already mentioned.

Cheers,
Moritz