Re: Kernel for Spectre and Meltdown

On 2 February 2018 at 04:35, Andy Smith <andy@xxxxxxxxxxxxxx> wrote:

On Thu, Feb 01, 2018 at 11:53:36AM +0000, Michael Fothergill wrote:
> Thus for anyone in the entire world who is new to linux, the most
> efficient route at present could well be to install Fedora and be
> stable and spectre protected out of the box rather than taking on
> the indefatigable odyssey of installing Debian and waiting for
> Debian security team to find solutions at whatever pace is
> possible given the way the distro is currenty set up.

"The way the distro is [currently] set up" is that the upstream
Linux kernel project will provide backports to long term supported
kernel versions and these will get folded into Debian stable as a
security update. What you call an "indefatigable odyssey" will for
the average Debian user be an unremarkable kernel upgrade.

I think it could be a remarkable or noticeable thing to a new debian or linux user who
was interested to apply the latest available solution for e.g. spectre together
with meltdown promptly to a relatively standard installation.

If that is possible now in e.g. Fedora it is not unreasonable to want it to exist
in Debian from my point of view.

Perhaps the average debian user may not be that bothered about the problem,
but a new debian user really did take the trouble to email on the site here
and ask us about this very thing.

And so, as peculiar as it seems to some people, I am
trying to consider what would work practically for such individuals.

And there
will hopefully be minimal breakage because a lot of people will have
tested it first.

If it took e.g. 2 years of testing it before it would be released I am sure it would be fine in terms of stability etc.
But would that be efficient here?

You appear to have a level of paranoia that requires you to build
the latest kernel release with the latest GCC, and that has
motivated you to learn how to do that on Debian, but I feel sure
that that is not where the average Debian user is coming from.

Paranoia was not the motivation on my part at all here. I could see that kernel installation
was easy in gentoo, and this prompted me to see how easy it would be in Debian.

As you've seen, the method is there for you to do what you have
decided you need to do. Or for the curious who want a learning

I think the method is not really fit for purpose at present.

But with Meltdown dealt with by KPTI (already in the
stable release) and the obvious JavaScript issues worked around by
the browsers, you have to weigh up the risk of pushing hasty fixes
into a stable kernel (and GCC) release.

For me that is too much "odyssey" for the maximal efficiency for new users.

I don't think the sky has fallen just yet but if you do want to see
the sky fall, push out a buggy Debian stable kernel package.

I don't see why it would need to be that buggy really.

already has a place to test the latest and greatest (and most
broken) versions of packages and it is not the stable release that
new users are directed at.

Do you mean that new users on average want to install testing etc rather than stable?


In general I think some psychotherapy is required to reduce the indefatigability factor here,
and odyssey minimisation would be a good idea.



https://bitfolk.com/ -- No-nonsense VPS hosting