Bug#1104703: libwebkitgtk-6.0-4: JTI broken on arm64 with BTI enabled
Alberto Garcia
berto at igalia.com
Mon May 5 11:01:09 BST 2025
Control: tags -1 pending
On Sun, May 04, 2025 at 11:31:12PM +0200, NoisyCoil wrote:
> The user who reported this, Adam Reviczky (in c.c.), suggests to use [5]
> ```
> DEB_BUILD_MAINT_OPTIONS = hardening=+all,-branch
> CXXFLAGS += -mbranch-protection=pac-ret
> ```
Hi, and thanks for the report.
Overriding DEB_BUILD_MAINT_OPTIONS at this point does nothing since
this variable is used by /usr/share/dpkg/buildflags.mk, included
earlier at the beginning of the file.
Anyway, since what we have to do is:
1) Remove -mbranch-protection=standard (with hardening=+all,-branch)
2) Add -mbranch-protection=pac-ret
I propose this approach:
CFLAGS := $(patsubst -mbranch-protection=%,-mbranch-protection=pac-ret,$(CFLAGS))
CXXFLAGS := $(patsubst -mbranch-protection=%,-mbranch-protection=pac-ret,$(CXXFLAGS))
I'll prepare the upload.
Berto
More information about the Pkg-webkit-maintainers
mailing list