
Re: How to safely hold kernel packages ?




First, thank you all for your good advice.

I will follow it, update kernels and apply the appropriate options (thanks for the link). I did not find what exactly the nokaiser option is, and I will use nopti.

I agree dpkg-jiu-jitsu is an uncomfortable sport and understand I've held the wrong (meta) packages.

All the best from here...

Stef

-----------------------------

Finally, just for fun, my reasoning (for what it's worth) about avoiding these patches.

These incomplete and CPU-consuming patches are *mandatory* if using (for example):

- A VM in a public cloud (wild neighborhood ;)
- A VM in a dedicated server which hosts other VMs of different security levels (data, users and admins of different security levels)
- A multi-user system with users handling information at different levels of security

In my use case:

- Servers are real dedicated ones (no public or private cloud)
- Hypervisors and VMs are under the control of people of the same security level
- All VMs are equal from a security point of view (data & people involved)

Keep in mind these flaws are (perhaps) usable if, and only if, a VM is already infected (these flaws need a local running process!)

My reasoning is that if I have a wild running process in a VM, then this VM is compromised and I must simply destroy it!

I'm really concerned about security, performance and reliability. I talk about this with a lot of other OVH sysadmin customers (we share an ML called bar@xxxxxxxxxx, in French). But I do not pretend to be right, and am also open to different points of view.

In any case:
- These hardware bugs are simply catastrophic.
- The patches applied are partial, with bad side effects
- Some of the bugs can't be corrected (without changing the CPU)

--
Stéphane Rivière
Ile d'Oléron - France