
| Msg # 41 of 86 on ZZLI4428, Friday 9-04-25, 2:00 |
| From: MARCOS DEL SOL VIVES |
| To: ALL |
| Subj: Bug#1113864: Replace -fcf-protection=ful |
XPost: linux.debian.bugs.dist, linux.debian.devel
From: marcos@orca.pet

On 03/09/2025 at 17:47, Guillem Jover wrote:
> Hi!
>
> On Wed, 2025-09-03 at 16:24:50 +0200, Marcos Del Sol Vives wrote:
>> Package: dpkg-dev
>> Version: 1.22.21
>> Priority: wishlist
>> X-Debbugs-Cc: debian-devel@lists.debian.org
>
>> Currently, on amd64 and i386 as of Trixie, packages are being built by
>> default with -fcf-protection=full. This results in shadow stacks and IBT
>> (branch tracking) being enabled on binaries.
>
> dpkg-buildflags only emits "-fcf-protection" on amd64.

My bad! I am not familiar with dpkg-dev's source code nor autoconf scripts, and since the first result for -fcf-protection did not indicate any kind of filtering (https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/m4/dpkg-compiler.m4), I thought it was actually being applied to everything!

I found now the real code that enables it at https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/scripts/Dpkg/Vendor/Debian.pm#L637-650 and yes, you're absolutely right, it's amd64-only!

> So, disabling the full CET would regress the current support and make
> enabling it fully in the future harder.
>
> But it's not clear to me what's the status of submission for userland
> IBT in Linux.

Seems, based on a random GitHub Gist, that enabling (at least for testing) IBT in user-land is fairly straightforward on a Linux kernel: https://gist.github.com/sroettger/fe66f7eb0cb10a8ebd1454875a7131ea

So I assume, considering the little effort required to enable it, that it'll eventually also land in user-space. I would try enabling it on my machine out of curiosity with Trixie or Sid, but unfortunately my AMD 8745H only supports shadow stacks.

> So given the above, I'm inclined to mark this wontfix and close, and
> then "someone" needs to drive the transition to its conclusion.

That's an option, yes.

I opened this issue because I was asked to, and because I would personally wait until there are IBT-enabled kernels to enable one such flag to perform proper testing, so binaries don't become larger prematurely. However, I see your point: enabling it now, so all packages don't need to be recompiled further down with CET, could be beneficial for a quicker rollout.

Greetings,
Marcos

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
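The thread turns on what -fcf-protection actually leaves in a built binary: GCC records the CET features it compiled for in a .note.gnu.property note (type NT_GNU_PROPERTY_TYPE_0, name "GNU"), and the linker ANDs the GNU_PROPERTY_X86_FEATURE_1_AND bits of every input object, so a final binary is only marked IBT or SHSTK if all of its objects were. The script below is an added example, not code from this thread or from dpkg: it parses that note (constants from the x86-64 psABI and binutils; IBT = 0x1, SHSTK = 0x2) and walks the section headers of a little-endian ELF64 file to report which CET features a package's binaries carry. The constructed note in the usage section stands in for a real .note.gnu.property, and the ELF reader assumes an x86-64 little-endian ELF64 input; names such as `cet_summary` are this example's own.

```python
import struct
import sys

# Constants from the x86-64 psABI / binutils (not from the thread above).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1    # -fcf-protection=branch or =full
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2  # -fcf-protection=return or =full
SHT_NOTE = 7


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note: bytes, align: int = 8) -> dict:
    """Parse raw .note.gnu.property bytes and return {"ibt": bool, "shstk": bool}.

    Notes that are not GNU property notes (e.g. a build-id note) are skipped.
    `align` is the section alignment: 8 for ELF64 on x86-64, 4 for ELF32.
    """
    feats = {"ibt": False, "shstk": False}
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += _align(namesz, 4)          # owner name is padded to 4 bytes
        desc = note[off:off + descsz]
        off += _align(descsz, align)      # descriptor padded to section alignment
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        # The descriptor is a list of (pr_type, pr_datasz, data padded to `align`).
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            data = desc[p:p + pr_datasz]
            p += _align(pr_datasz, align)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                bits = struct.unpack_from("<I", data)[0]
                feats["ibt"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
                feats["shstk"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
    return feats


def cet_summary(feats: dict) -> str:
    """Map the feature bits back to the -fcf-protection level they correspond to."""
    if feats["ibt"] and feats["shstk"]:
        return "full"
    if feats["shstk"]:
        return "shstk only"
    if feats["ibt"]:
        return "ibt only"
    return "none"


def build_gnu_property_note(ibt: bool, shstk: bool) -> bytes:
    """Construct a minimal x86-64 .note.gnu.property blob (test input, not a real binary)."""
    bits = (GNU_PROPERTY_X86_FEATURE_1_IBT if ibt else 0) | \
           (GNU_PROPERTY_X86_FEATURE_1_SHSTK if shstk else 0)
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits) + b"\0" * 4
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def elf_cet_features(path: str) -> dict:
    """Scan every SHT_NOTE section of a little-endian ELF64 (x86-64) file for CET bits."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    feats = {"ibt": False, "shstk": False}
    for i in range(e_shnum):
        sh = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", data, sh + 4)
        if sh_type != SHT_NOTE:
            continue
        sh_offset, sh_size = struct.unpack_from("<QQ", data, sh + 0x18)
        sh_addralign, = struct.unpack_from("<Q", data, sh + 0x30)
        found = parse_gnu_property_note(data[sh_offset:sh_offset + sh_size],
                                        align=8 if sh_addralign == 8 else 4)
        feats = {k: feats[k] or found[k] for k in feats}
    return feats


if __name__ == "__main__":
    # Constructed sample: what a -fcf-protection=full object leaves behind.
    print("sample note:", cet_summary(parse_gnu_property_note(build_gnu_property_note(True, True))))
    for arg in sys.argv[1:]:
        print(arg, cet_summary(elf_cet_features(arg)))
```

Run it on a built package's binaries (`python3 cet_check.py /usr/bin/*`) to see whether the AND across all linked objects still yields "full"; a single object built without the flag, or an assembly file without the note, silently drops the feature for the whole binary, which is the case for a transition like the one discussed above.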