
Re: Kernel for Spectre and Meltdown

On 30 January 2018 at 13:22, Greg Wooledge <wooledg@xxxxxxxxxxx> wrote:
On Tue, Jan 30, 2018 at 12:13:47PM +0100, Michael Lange wrote:
> Michael Fothergill <michael.fothergill@xxxxxxxxx> wrote:
> > The response from Greg was the following:
> >
> > On Thu, Jan 25, 2018 at 12:36:46PM +0000, Michael Fothergill wrote:
> > > If I become sid and install the kernel correctly, could I go back to
> > > being just buster (sounds like an energy drink) and carry on using the new
> > > kernel?
> >
> > No.
> >
> > *******************
> >
> > At that point it really did seem that:
> >
> > 1. I had no choice but to become sid/unstable here.
>
> I can only guess of course, I think probably they figured you would
> upgrade your system to Sid, then compile a kernel and then *downgrade*
> the system again to buster. The answer to that would clearly be "no".
> But running a kernel compiled on a *different* Sid system on buster or
> stretch is an entirely different thing of course.

Yes, that's correct.  If you actually "become sid" (upgrade your whole
system to sid), there is no going back.

But you can set up a *separate* system (either an entirely new box,
or a chroot into which you debootstrap sid, or a virtual machine, or a
container, or whatever other fancy thing the kids are using these days),
build a kernel .deb package there, *copy* that package to your buster
system, and install it.

Or you can do what most of us are doing: wait for the Debian security
team (and, really, for the entire *world*) to figure out how best to
approach, mitigate, and/or solve the issues.

But surely it would be more efficient for anyone in the entire world who is new to Linux
to mitigate it most effectively at present by installing and running a distro that does the following things:

1. On installation of the OS you either automatically get the latest kernel with both Spectre and Meltdown patches included ab initio.

2. If you don't get that kernel by default you can install it easily and promptly without difficulty as a new user and run with it.

3. You can do this running that OS as the stable version, not needing to be testing or unstable at all as part of the kernel installation process.

4. The OS installation process would be simple (i.e. not Gentoo); candidates here could be Sabayon, Calculate Linux and possibly Fedora.

Thus for anyone in the entire world who is new to Linux, the most efficient route at present could well be
to install Fedora and be stable and Spectre-protected out of the box rather than taking on the indefatigable odyssey of installing Debian
and waiting for the Debian security team to find solutions at whatever pace is possible given the way
the distro is currently set up.

Cheers

MF

Meanwhile, I would recommend not letting random people get shell access
to your critical systems.  Near as I can tell, exploiting a Spectre-type
CPU vulnerability requires the ability to install and execute a program
of the attacker's creation on the target system.  If you don't have
users logging in and running commands, then you probably don't have to
worry so much about this.  Unless I'm completely missing something.

(If you have users issuing commands on your system through some other
vector, like a PHP web-app exploit, then that's a bigger issue you
should address directly.)
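Whichever route is taken to get a patched kernel (a .deb built in a separate sid system, or a newer distro), the practical check is whether the running kernel reports Spectre and Meltdown as mitigated. The script below is an added example, not part of this thread: it reads the per-issue status files that kernels from 4.15 on (and the stable backports of that series) publish under /sys/devices/system/cpu/vulnerabilities, and it also builds a constructed sample directory so the logic can be exercised offline.

```shell
# Added example: summarise the kernel's own Spectre/Meltdown mitigation
# report. Each file under VULN_DIR reads "Not affected", "Mitigation: ..."
# or "Vulnerable..."; the directory is absent on kernels too old to report.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "name<TAB>status" for every issue file in the directory given as $1
# (default: the live kernel). Returns 1 if any issue is still Vulnerable,
# 2 if the kernel does not expose the report at all, 0 otherwise.
# Usage on a real machine: check_cpu_vulns
check_cpu_vulns() {
    dir="${1:-$VULN_DIR}"
    rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not report mitigations" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
        printf '%s\t%s\n' "$(basename "$f")" "$status"
    done
    return $rc
}

# Print the number of issues reported as Vulnerable (always returns 0).
count_vulnerable() {
    n=0
    for f in "${1:-$VULN_DIR}"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Constructed sample directory for offline testing: two issues mitigated
# (PTI for Meltdown, pointer sanitisation for Spectre v1), Spectre v2 not.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: no retpoline in this constructed sample\n' > "$d/spectre_v2"
    echo "$d"
}
```

Point VULN_DIR at a mounted root of another installation to inspect a kernel that is not currently running only if that kernel is booted; the files reflect the live kernel, so the check has to run after the reboot into the new package.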