• Re: Enabling branch protection on amd64 and arm64

    From Moritz Mühlenhoff@21:1/5 to Wookey on Wed Oct 26 21:10:01 2022
    Wookey wrote:
    So the immediate issue now is whether or not to enable this by default
    in bookworm?

    The majority of packages will not be rebuilt until the release, so
    if we add this now it means that packages pick up the change when
    they are rebuilt in stable via a security update or point release.
    That's not very appealing, independent of the supposed low risk
    factor.

    I think this should rather be applied early after the Bookworm
    release (and ideally we can also finish off the necessary testing
    and add -fstack-clash-protection at least for amd64 and other archs
    which are ready for it (#918914)).

    Cheers,
    Moritz

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Richard Laager@21:1/5 to All on Wed Oct 26 21:30:01 2022
    On 10/26/22 13:20, Moritz Mühlenhoff wrote:
    Wookey wrote:
    So the immediate issue now is whether or not to enable this by default
    in bookworm?

    The majority of packages will not be rebuilt until the release

    How hard would it be to rebuild everything?

    I don't actually know what facilities Debian has for that. Would it be a
    binNMU of everything?

    --
    Richard


  • From Wookey@21:1/5 to Richard Laager on Thu Oct 27 00:10:01 2022
    On 2022-10-26 14:23 -0500, Richard Laager wrote:

    How hard would it be to rebuild everything?

    I don't actually know what facilities Debian has for that. Would it be a binNMU of everything?

    It would. We don't do that.

    In the past it would have wildly overloaded our buildds. Such a thing
    may be more tractable these days in terms of available build resources
    on most arches, but it's still a very big deal, and this change
    certainly doesn't warrant it.

    Wookey
    --
    Principal hats: Debian, Wookware, ARM
    http://wookware.org/


  • From Sebastian Ramacher@21:1/5 to All on Thu Oct 27 00:30:02 2022
    On 2022-10-26 20:20:48 +0200, Moritz Mühlenhoff wrote:
    Wookey wrote:
    So the immediate issue now is whether or not to enable this by default
    in bookworm?

    The majority of packages will not be rebuilt until the release, so
    if we add this now it means that packages pick up the change when
    they are rebuilt in stable via a security update or point release.
    That's not very appealing, independent of the supposed low risk
    factor.

    I think this should rather be applied early after the Bookworm
    release (and ideally we can also finish off the necessary testing
    and add -fstack-clash-protection at least for amd64 and other archs
    which are ready for it (#918914)).

    I agree that it's too late for bookworm.

    If we'd enable it now, we'd want to rebuild the archive before
    releasing bookworm to avoid surprises with any security or stable
    updates in the future. Rebuilding the world, however, seems
    unrealistic at this stage. Some of the architectures already have a
    hard time keeping up with the normal load.

    Enabling these flags as soon as the trixie release cycle starts, sounds
    like a better idea. Adoption of these flags will then naturally progress
    and before the trixie release we can rebuild whatever remains.

    Cheers
    --
    Sebastian Ramacher

  • From Holger Levsen@21:1/5 to Sebastian Ramacher on Tue Nov 1 00:30:01 2022
    On Thu, Oct 27, 2022 at 12:27:12AM +0200, Sebastian Ramacher wrote:
    Some of the architectures already have a hard time keeping up with the
    normal load.

    this change is only targeted at two archs, which I'd hope could cope with it.

    Enabling these flags as soon as the trixie release cycle starts, sounds
    like a better idea. Adoption of these flags will then naturally progress
    and before the trixie release we can rebuild whatever remains.

    even^walso if this is done only for the trixie cycle I think it would be
    good to binNMU all affected packages, which I would guess to be around
    25-33% of the archive. because else we cannot really say whether we have
    enabled this feature archive wide and whether it works/builds ;)

    summary: I think the next step should be calculating how many packages
    are affected. because the above 25-33% is my guestimate only.


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    https://showyourstripes.info

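One way to answer Holger's question of whether the feature actually landed in the built binaries, as an added example that is not from this thread or from any Debian tool: a small parser for the `PT_GNU_PROPERTY` segment that the GNU toolchain emits, reporting the x86 CET bits (IBT/SHSTK) on amd64 and the BTI/PAC bits on arm64. The constants are the GNU property ABI values as I know them from binutils; the ELF image fed to it is constructed inline, not a real package binary.

```python
import struct

# gABI note / GNU property constants (see binutils elf/common.h).
NT_GNU_PROPERTY_TYPE_0, PT_GNU_PROPERTY = 5, 0x6474E553
EM_X86_64, EM_AARCH64 = 62, 183
FEATURES = {  # machine -> (pr_type of its *_FEATURE_1_AND property, {bit: name})
    EM_X86_64: (0xC0000002, {1: "IBT", 2: "SHSTK"}),  # x86 CET
    EM_AARCH64: (0xC0000000, {1: "BTI", 2: "PAC"}),   # AArch64 branch protection
}

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def parse_gnu_property(note, machine):
    """Feature names recorded in an ELF64 .note.gnu.property blob (8-byte aligned)."""
    wanted, names = FEATURES[machine]
    found, off = set(), 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name, desc_off = note[off + 12:off + 12 + namesz], _align(off + 12 + namesz, 8)
        desc, off = note[desc_off:desc_off + descsz], _align(desc_off + descsz, 8)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):  # each property: pr_type, pr_datasz, data, padding
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            if pr_type == wanted and pr_datasz == 4:
                flags = struct.unpack_from("<I", desc, p + 8)[0]
                found |= {n for bit, n in names.items() if flags & bit}
            p = _align(p + 8 + pr_datasz, 8)
    return found

def elf_branch_protection(data):
    """Feature set from PT_GNU_PROPERTY of a little-endian ELF64 image, else None."""
    if data[:6] != b"\x7fELF\x02\x01":
        return None
    machine = struct.unpack_from("<H", data, 0x12)[0]
    phoff, _, _, _, phentsize, phnum = struct.unpack_from("<QQIHHH", data, 0x20)
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_PROPERTY and machine in FEATURES:
            return parse_gnu_property(data[p_off:p_off + p_filesz], machine)
    return None  # no property segment: the flag did not reach this binary

def make_sample_elf(machine, flags):
    """Constructed minimal ELF64 (ehdr + one PT_GNU_PROPERTY phdr + note); not a real binary."""
    note = struct.pack("<III4s", 4, 24, NT_GNU_PROPERTY_TYPE_0, b"GNU\0")
    note += struct.pack("<II", 2, 0)  # GNU_PROPERTY_NO_COPY_ON_PROTECTED, no data: must be skipped
    note += struct.pack("<IIII", FEATURES[machine][0], 4, flags, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 0, 0, len(note), len(note), 8)
    return ehdr + phdr + note
```

Run `elf_branch_protection(open(path, "rb").read())` over the ELF files of a package to count which ones carry the bits; an empty set means a property note without the feature, `None` means no note at all.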
  • From Holger Levsen@21:1/5 to Sebastian Ramacher on Tue Nov 1 01:20:01 2022
    On Tue, Nov 01, 2022 at 01:09:39AM +0100, Sebastian Ramacher wrote:
    this change is only targeted at two archs, which I'd hope could cope with it.
    If we ignore/break MA: same co-installability, sure.

    point taken, thanks!


    --
    cheers,
    Holger


    Punk is not dead.
    Punk wears a mask, stands in solidarity and protects itself and others.
    (@Kreuzpirat)

  • From Marco d'Itri@21:1/5 to Sebastian Ramacher on Wed Nov 2 14:20:01 2022
    On Nov 01, Sebastian Ramacher <sramacher@debian.org> wrote:

    this change is only targeted at two archs, which I'd hope could cope with it.
    If we ignore/break MA: same co-installability, sure.
    Sure, but this means that a much smaller subset of packages will need to
    be rebuilt on all architectures.

    --
    ciao,
    Marco

