[Bug 2040518] Re: dpkg 1.22.0ubuntu1 breaking changes

Julian Andres Klode 2040518 at bugs.launchpad.net
Wed Oct 25 17:12:44 UTC 2023 

** Tags added: rls-nn-incoming

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/2040518

Title:
  dpkg 1.22.0ubuntu1 breaking changes

Status in dpkg package in Ubuntu:
  New

Bug description:
  dpkg added new compiler flags in 1.22.0ubuntu1 [0][1] which have
  caused misbuilt packages.

  Two known cases are qemu and dovecot.

  qemu was fixed in 1:8.04+dfsg-1ubuntu2 [2] by correcting architecture
  dependencies (-fcf-protection is only meant for certain x86 archs).

  Please note that -fcf-protection is incompatible with -mindirect-
  branch. Most packages which use -mindirect-branch were likely
  addressed when -fcf-protection was introduced in 19.10 [3]. Debian is
  likely more affected in this regard.

  For dovecot (LP#2036268) [4], the source of the issue is the
  dependency libunwind is misbuilt when `-mbranch-protection=standard`
  is used. libunwind builds, but fails tests when built with this flag
  on arm64 [5].

  Looking at codesearch [6] there are likely many packages affected by
  libunwind, which may not FTBFS but are misbuilt. There are likely
  other dependencies, besides libunwind, that also misbuild.

  Identifying these regressions in each package is laborious and adds
  long tail labor. If we can identify batches of misbuilds (like
  libunwind dependencies) we can avoid excess work and fix packages
  promptly. Some misbuilds will FTBFS and others will fail tests
  silently.

  dpkg's new compiler flags offer security protections to the Ubuntu
  Archive and should not be reverted. I suggest that we identify
  regressions caused by recent dpkg sooner than later. I do not know the
  scale of affected packages, but this may warrant expensive archive
  rebuilds which are ran with and without recent dpkg changes.

  [0] https://launchpad.net/ubuntu/+source/dpkg/1.22.0ubuntu1
  [1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663
  [2] https://launchpad.net/ubuntu/+source/qemu/1:8.0.4+dfsg-1ubuntu2
  [3] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-fcf-protection
  [4] https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2036268
  [5] https://github.com/libunwind/libunwind/issues/647
  [6] https://codesearch.debian.net/search?q=libunwind&literal=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/2040518/+subscriptions

More information about the foundations-bugs mailing list