How to safely hold kernel packages ?
- Date: Tue, 6 Feb 2018 18:00:16 +0100
- From: Stéphane Rivière <stef@xxxxxxxxxxx>
- Subject: How to safely hold kernel packages ?
I wanted to avoid kernel updates after the Spectre/Meltdown 'bug', also
known as the KPTI or kaiser CPU flaw. In my specific context, these patches
are useless or even harmful.
Before applying an aptitude update/upgrade to all the servers and VMs
I'm in charge of, I did a little test on a Debian 9 stable workstation
with the kernel linux-image-4.9.0-4-amd64, release 4.9.51-1.
So, after an aptitude search ~i~linux-, I held these meta-packages:
aptitude hold linux-image-amd64
aptitude hold linux-headers-amd64
Then I checked the applied holds:
aptitude search ~ahold
then... aptitude update/upgrade
After that... I discovered a kernel change:
linux-image-4.9.0-4-amd64 release 4.9.65-3 (instead of previously 4.9.51-1)
I discovered I had perfectly applied the patch I wished to avoid.
linux (4.9.65-3+deb9u2) stretch-security; urgency=high
* [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
Hopefully, there is a new "nokaiser" boot option!
So it seems I just learned that the aptitude 'hold' command is for the package
version (i.e. 4.9.0-4), not for package security fix versions (4.9.65-3)...
But is there a way to really *freeze* a package (block all updates)?
Is it the aptitude 'keep' option? (can't really see the difference with
Or maybe it's better to apply security patches and use the new
"nokaiser" boot option...
Thanks a lot in advance for your advice ;)
All the best from France...
Ile d'Oléron - France
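Added example, not code from the post or from Debian's tooling: a POSIX sh check that lists which installed linux-image-*/linux-headers-* packages are not covered by a hold, since the holds above sit on the linux-image-amd64 and linux-headers-amd64 meta-packages while the package that actually moved from 4.9.51-1 to 4.9.65-3 is the versioned linux-image-4.9.0-4-amd64. The package and hold lists are constructed sample data; on a live host they would come from dpkg-query and apt-mark showhold, and the meta-package versions shown are made up.

```shell
# Constructed stand-ins for live command output (assumption: on a real host
# these would come from `dpkg-query -W -f '${Package} ${Version}\n'` and
# `apt-mark showhold`). The versioned kernel packages carry the 4.9.51-1
# release from the post; the meta-package versions are invented.
INSTALLED='linux-image-amd64 4.9+80
linux-image-4.9.0-4-amd64 4.9.51-1
linux-headers-amd64 4.9+80
linux-headers-4.9.0-4-amd64 4.9.51-1
linux-libc-dev 4.9.51-1'
HELD='linux-image-amd64
linux-headers-amd64'

# Print each installed linux-image-*/linux-headers-* package that is NOT on
# hold, as "name version", one per line. Takes the installed list as $1 and
# the hold list as $2 so it runs on captured output as well as live data.
unheld_kernel_packages() {
    printf '%s\n' "$1" | while read -r name version; do
        case "$name" in
            linux-image-*|linux-headers-*) ;;
            *) continue ;;
        esac
        if ! printf '%s\n' "$2" | grep -qxF -- "$name"; then
            printf '%s %s\n' "$name" "$version"
        fi
    done
}

# Turn that list into the aptitude hold commands that would close the gap;
# a hold on the versioned package keeps it at the installed release.
hold_commands() {
    unheld_kernel_packages "$1" "$2" | while read -r name _version; do
        printf 'aptitude hold %s\n' "$name"
    done
}

# Succeeds only when every kernel package is held, so the check can gate an
# unattended update/upgrade run.
kernel_holds_complete() {
    [ -z "$(unheld_kernel_packages "$1" "$2")" ]
}

unheld_kernel_packages "$INSTALLED" "$HELD"
hold_commands "$INSTALLED" "$HELD"
```

Run against live output with `unheld_kernel_packages "$(dpkg-query -W -f '${Package} ${Version}\n')" "$(apt-mark showhold)"` before the upgrade, and again afterwards to confirm the held versions did not move.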