Control: tags -1 + wontfix

Hi Ben,

On Mon, Aug 22, 2016 at 12:41:24AM +0100, Ben Hutchings wrote:
> On Fri, 19 Aug 2016 07:21:57 +0200 Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Source: linux
> > Version: 3.16.7-ckt7-1
> > Severity: wishlist
> >
> > On Wed, Aug 17, 2016 at 11:51:14PM +0200, Moritz Mühlenhoff wrote:
> > > Aurelien Jarno <aurel...@aurel32.net> schrieb:
> > > > On 2016-08-14 16:00, Salvatore Bonaccorso wrote:
> > > >> Package: release.debian.org
> > > >> Severity: normal
> > > >> Tags: jessie
> > > >> User: release.debian....@packages.debian.org
> > > >> Usertags: pu
> > > >>
> > > >> Dear SRM
> > > >>
> > > >> I would like to propose the following hardening to src:gnupg2 which was
> > > >> found during the analysis of a vulnerability report to the security
> > > >> team
> > > >> and related to
> > > >> https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
> > > >> and developed by NIIBE Yutaka. The underlying problem in hardware
> > > >> cannot
> > > >> be solved in software (and thus we don't want to issue a DSA for it,
> > > >> and
> > > >> give possibly this false impression), and as pointed out by Florian
> > > >
> > > > I wonder if it would be a good idea to release an announcement without
> > > > any software change recommending people to not enable KSM on their
> > > > hosts?
> > >
> > > I think a NEWS file for the kernel would be best?
> >
> > Okay. Let's open a Bug for src:linux for this.
>
> I disagree with this proposal.
>
> - The issue is unrelated to any change in this package (or any package),
>   so it doesn't belong in NEWS
> - This is not a Debian-specific issue so it also doesn't belong in
>   README.Debian (and no-one is likely to notice changes there anyway)
> - Since KSM is not enabled by default, any notice about it during
>   upgrades would be a nuisance to the majority of users that do not use
>   it
>
> Also, the issue is in practice mitigated by ECC DRAM (not eliminated,
> but note that the results in the paper are based on a system without
> ECC).
>
> I think that a DSA is a more effective way to let system administrators
> know about this issue. We already issue DSAs for other reasons than
> software updates, for example when withdrawing security support for
> some package.
>
> Also, if there is VM management software in Debian that can enable KSM,
> that software should not do so by default and should warn that this
> carries a risk.

That makes sense and is fine with me. Cc'ing explicitly Moritz who brought
up the idea about the README/NEWS.

Tagging now as wontfix, but we might close it after that, and consider
mentioning it via a DSA instead.

Salvatore
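The check a host administrator would want after reading this exchange, added here as an example and not taken from the bug report or from any Debian package: it reports whether KSM is active (the setting the thread warns about) and whether an EDAC memory controller is registered (only a heuristic sign that the kernel is doing ECC reporting, the mitigation Ben mentions). It assumes the kernel's KSM sysfs files under /sys/kernel/mm/ksm (run, pages_shared) and EDAC's /sys/devices/system/edac/mc; the sysfs root is a parameter so the function can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a host for the two points
# raised in the thread, KSM exposure and ECC reporting. The sysfs root is a
# parameter so the check can run against a constructed directory tree.
ksm_audit() {
    root="${1:-/sys}"
    ksm="$root/kernel/mm/ksm"
    if [ ! -r "$ksm/run" ]; then
        ksm_state="unavailable"          # kernel without CONFIG_KSM, or sysfs not mounted
    else
        case "$(cat "$ksm/run")" in
            1) ksm_state="running" ;;    # merging pages: the configuration the thread warns about
            2) ksm_state="unmerging" ;;  # 2 = stop and unmerge pages already merged
            *) ksm_state="stopped" ;;    # 0 = stopped, the kernel default
        esac
    fi
    shared=$(cat "$ksm/pages_shared" 2>/dev/null || echo 0)
    # EDAC exposes one mcN directory per memory controller it drives; its
    # presence is a heuristic, not proof that the DIMMs are ECC.
    if ls -d "$root"/devices/system/edac/mc/mc[0-9]* >/dev/null 2>&1; then
        edac="present"
    else
        edac="absent"
    fi
    echo "ksm=$ksm_state pages_shared=$shared edac_mc=$edac"
}

# Stop KSM and unmerge shared pages (writes 2 to the run knob); needs root
# on a real host. This is the mitigation for hosts that enabled KSM.
ksm_disable() {
    root="${1:-/sys}"
    echo 2 > "$root/kernel/mm/ksm/run"
}

ksm_audit "$@"
```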