[Bug 2040518] [NEW] dpkg 1.22.0ubuntu1 breaking changes

Mark Esler 2040518 at bugs.launchpad.net
Wed Oct 25 15:17:15 UTC 2023 

Public bug reported:

dpkg added new compiler flags in 1.22.0ubuntu1 [0][1] which have caused
misbuilt packages.

Two known cases are qemu and dovecot.

qemu was fixed in 1:8.04+dfsg-1ubuntu2 [2] by correcting architecture
dependencies (-fcf-protection is only meant for certain x86 archs).

Please note that -fcf-protection is incompatible with -mindirect-branch.
Most packages which use -mindirect-branch were likely addressed when
-fcf-protection was introduced in 19.10 [3]. Debian is likely more
affected in this regard.

For dovecot (LP#2036268) [4], the source of the issue is the dependency
libunwind is misbuilt when `-mbranch-protection=standard` is used.
libunwind builds, but fails tests when built with this flag on arm64
[5].

Looking at codesearch [6] there are likely many packages affected by
libunwind, which may not FTBFS but are misbuilt. There are likely other
dependencies, besides libunwind, that also misbuild.

Identifying these regressions in each package is laborious and adds long
tail labor. If we can identify batches of misbuilds (like libunwind
dependencies) we can avoid excess work and fix packages promptly. Some
misbuilds will FTBFS and others will fail tests silently.

dpkg's new compiler flags offer security protections to the Ubuntu
Archive and should not be reverted. I suggest that we identify
regressions caused by recent dpkg sooner than later. I do not know the
scale of affected packages, but this may warrant expensive archive
rebuilds which are ran with and without recent dpkg changes.

[0] https://launchpad.net/ubuntu/+source/dpkg/1.22.0ubuntu1
[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663
[2] https://launchpad.net/ubuntu/+source/qemu/1:8.0.4+dfsg-1ubuntu2
[3] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-fcf-protection
[4] https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2036268
[5] https://github.com/libunwind/libunwind/issues/647
[6] https://codesearch.debian.net/search?q=libunwind&literal=1

** Affects: dpkg (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/2040518

Title:
  dpkg 1.22.0ubuntu1 breaking changes

Status in dpkg package in Ubuntu:
  New

Bug description:
  dpkg added new compiler flags in 1.22.0ubuntu1 [0][1] which have
  caused misbuilt packages.

  Two known cases are qemu and dovecot.

  qemu was fixed in 1:8.04+dfsg-1ubuntu2 [2] by correcting architecture
  dependencies (-fcf-protection is only meant for certain x86 archs).

  Please note that -fcf-protection is incompatible with -mindirect-
  branch. Most packages which use -mindirect-branch were likely
  addressed when -fcf-protection was introduced in 19.10 [3]. Debian is
  likely more affected in this regard.

  For dovecot (LP#2036268) [4], the source of the issue is the
  dependency libunwind is misbuilt when `-mbranch-protection=standard`
  is used. libunwind builds, but fails tests when built with this flag
  on arm64 [5].

  Looking at codesearch [6] there are likely many packages affected by
  libunwind, which may not FTBFS but are misbuilt. There are likely
  other dependencies, besides libunwind, that also misbuild.

  Identifying these regressions in each package is laborious and adds
  long tail labor. If we can identify batches of misbuilds (like
  libunwind dependencies) we can avoid excess work and fix packages
  promptly. Some misbuilds will FTBFS and others will fail tests
  silently.

  dpkg's new compiler flags offer security protections to the Ubuntu
  Archive and should not be reverted. I suggest that we identify
  regressions caused by recent dpkg sooner than later. I do not know the
  scale of affected packages, but this may warrant expensive archive
  rebuilds which are ran with and without recent dpkg changes.

  [0] https://launchpad.net/ubuntu/+source/dpkg/1.22.0ubuntu1
  [1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663
  [2] https://launchpad.net/ubuntu/+source/qemu/1:8.0.4+dfsg-1ubuntu2
  [3] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-fcf-protection
  [4] https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2036268
  [5] https://github.com/libunwind/libunwind/issues/647
  [6] https://codesearch.debian.net/search?q=libunwind&literal=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/2040518/+subscriptions

More information about the foundations-bugs mailing list