Web lists-archives.com

Re: allowed uses of non-baseline CPU extensions

On 10/05/2017 05:01 AM, Paul Wise wrote:
> A better place to put isa-support might be in an apt plugin that
> detects packages being installed that declare for example CPU-Flags:
> SSE4.1 and prevents installing them unless in a chroot (for d-i or
> debootstraps) and has an option to disable that blockage. Zero idea if
> apt has a hook that could be used for this.

I think that's a very important observation. I don't think you can
necessarily conclude that the system where the package is initially
installed is the system were the code is executed.

In many kinds of image-based environments the machines the image is
shipped to have very likely a different instruction capability than the
machine where the image is built on.

You argued in #873733[1] that you'd rather see the package installation
fail. I see the appeal of that, especially to alert the admin. But there
needs to be some kind of switch to flip to ignore these. Right now it
seems that switch is IGNORE_ISA in the environment. But given the
attempts to get a cleaner environment for dpkg, I'm not sure that's the
best file. I.e. it'd be better to also have a flag file.

As a side note I'm also amazed that there's literally a uuencoded blob
in the preinst that contains binary code that is unpacked and executed,
just like any malware would do. :)

Kind regards
Philipp Kern

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873733

Attachment: signature.asc
Description: OpenPGP digital signature