[Bug 2040518] Re: dpkg 1.22.0ubuntu1 breaking changes

Steve Langasek 2040518 at bugs.launchpad.net
Thu Oct 26 15:25:14 UTC 2023 

Mark, you had suggested we would be able to detect misbuilds from build
logs.  Can you elaborate what that would look like, in the case of a
successful build that is misbuilt?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/2040518

Title:
  dpkg 1.22.0ubuntu1 breaking changes

Status in dpkg package in Ubuntu:
  Won't Fix

Bug description:
  dpkg added new compiler flags in 1.22.0ubuntu1 [0][1] which have
  caused misbuilt packages.

  Two known cases are qemu and dovecot.

  qemu was fixed in 1:8.04+dfsg-1ubuntu2 [2] by correcting architecture
  dependencies (-fcf-protection is only meant for certain x86 archs).

  Please note that -fcf-protection is incompatible with -mindirect-
  branch. Most packages which use -mindirect-branch were likely
  addressed when -fcf-protection was introduced in 19.10 [3]. Debian is
  likely more affected in this regard.

  For dovecot (LP#2036268) [4], the source of the issue is the
  dependency libunwind is misbuilt when `-mbranch-protection=standard`
  is used. libunwind builds, but fails tests when built with this flag
  on arm64 [5].

  Looking at codesearch [6] there are likely many packages affected by
  libunwind, which may not FTBFS but are misbuilt. There are likely
  other dependencies, besides libunwind, that also misbuild.

  Identifying these regressions in each package is laborious and adds
  long tail labor. If we can identify batches of misbuilds (like
  libunwind dependencies) we can avoid excess work and fix packages
  promptly. Some misbuilds will FTBFS and others will fail tests
  silently.

  dpkg's new compiler flags offer security protections to the Ubuntu
  Archive and should not be reverted. I suggest that we identify
  regressions caused by recent dpkg sooner than later. I do not know the
  scale of affected packages, but this may warrant expensive archive
  rebuilds which are ran with and without recent dpkg changes.

  [0] https://launchpad.net/ubuntu/+source/dpkg/1.22.0ubuntu1
  [1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663
  [2] https://launchpad.net/ubuntu/+source/qemu/1:8.0.4+dfsg-1ubuntu2
  [3] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-fcf-protection
  [4] https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2036268
  [5] https://github.com/libunwind/libunwind/issues/647
  [6] https://codesearch.debian.net/search?q=libunwind&literal=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/2040518/+subscriptions

More information about the foundations-bugs mailing list