Re: How to safely hold kernel packages ?
- Date: Tue, 6 Feb 2018 19:28:01 +0100
- From: Stéphane Rivière <stef@xxxxxxxxxxx>
- Subject: Re: How to safely hold kernel packages ?
First, thank you all for your good advice.
I will follow them, update kernels and apply the appropriate options
(thanks for the link). I did not find what exactly the nokaiser
option is, and I will use nopti.
I agree dpkg-jiu-jitsu is an uncomfortable sport and understand I've
held the wrong (meta) packages.
All the best from here...
Finally, just for fun, my reasoning (for what it's worth), about
avoiding these patches
These incomplete and CPU-consuming patches are *mandatory* if using:
- A VM in a public cloud (wild neighborhood ;)
- A VM in a dedicated server which hosts other VMs of different security
levels (data, users and admins of different security levels)
- A multi-user system with users handling information at different
levels of security
In my use case:
- Servers are real dedicated ones (no public or private cloud)
- Hypervisors and VMs are under control of people of the same security level
- All VMs are equal from a security point of view (data & people involved)
Keep in mind these flaws are (perhaps) usable if, and only if, a VM is
already infected (these flaws need a local running process!)
My reasoning is that if I have a wild running process in a VM, then this
VM is compromised and I must simply destroy it!
I'm really concerned about security, performance and reliability. I talk
about this with a lot of other OVH sysadmin customers (we share an ML
called bar@xxxxxxxxxx (in French)). But I do not pretend to be right, and
am also open to different points of view.
In any case:
- These hardware bugs are simply catastrophic.
- The patches applied are partial, with bad side effects
- Some of the bugs can't be corrected (without changing the CPU)
Ile d'Oléron - France