Re: How to safely hold kernel packages ?

First, thank you all for your good advice.

I will follow it, update the kernels and apply the appropriate options (thanks for the link). I did not find what exactly the nokaiser option is and I will use nopti.

I agree dpkg-jiu-jitsu is an uncomfortable sport and understand I've held the wrong (meta) packages.

Finally, just for fun, my reasoning (for what it's worth) about avoiding these patches:

These incomplete and CPU-consuming patches are *mandatory* if using (for example):

- A VM in a public cloud (wild neighborhood ;)
- A VM in a dedicated server which hosts other VMs of different security levels (data, users and admins of different security levels)
- A multi-user system with users handling information at different levels of security

In my use case:

- Servers are real dedicated ones (no public or private cloud)
- Hypervisors and VMs are under the control of people of the same security level
- All VMs are equal from a security point of view (data & people involved)

Keep in mind these flaws are (perhaps) usable if, and only if, a VM is already infected (these flaws need a local running process!)

My reasoning is that if I have a wild running process in a VM, then this VM is compromised and I must simply destroy it!

I'm really concerned about security, performance and reliability. I talk about this with a lot of other OVH sysadmin customers (we share an ML called bar@xxxxxxxxxx, in French). But I do not pretend to be right, and I am also open to different points of view.

In any case:
- These hardware bugs are simply catastrophic.
- The patches applied are partial, with bad side effects
- Some of the bugs can't be corrected (without changing the CPU)

