On 30 January 2018 at 13:22, Greg Wooledge <wool...@eeg.ccf.org> wrote:

> On Tue, Jan 30, 2018 at 12:13:47PM +0100, Michael Lange wrote:
> > Michael Fothergill <michael.fotherg...@gmail.com> wrote:
> > > The response from Greg was the following:
> > >
> > > On Thu, Jan 25, 2018 at 12:36:46PM +0000, Michael Fothergill wrote:
> > > > If I become sid and install the kernel correctly, could I go back to
> > > > being just buster (sounds like an energy drink) and carry on using the
> > > > new kernel?
> > >
> > > No.
> > >
> > > *******************
> > >
> > > At that point it really did seem that:
> > >
> > > 1. I had no choice but to become sid/unstable here.
> >
> > I can only guess of course, I think probably they figured you would
> > upgrade your system to Sid, then compile a kernel and then *downgrade*
> > the system again to buster. The answer to that would clearly be "no".
> > But running a kernel compiled on a *different* Sid system on buster or
> > stretch is an entirely different thing of course.
> Yes, that's correct.  If you actually "become sid" (upgrade your whole
> system to sid), there is no going back.
> But you can set up a *separate* system (either an entirely new box,
> or a chroot into which you debootstrap sid, or a virtual machine, or a
> container, or whatever other fancy thing the kids are using these days),
> build a kernel .deb package there, *copy* that package to your buster
> system, and install it.
> Or you can do what most of us are doing: wait for the Debian security
> team (and, really, for the entire *world*) to figure out how best to
> approach, mitigate, and/or solve the issues.

But surely it would be more efficient for anyone in the entire world who
is new to Linux to mitigate it most effectively at present by installing
and running a distro that does the following things:

1. On installation of the OS you either automatically get the latest kernel
with both Spectre and Meltdown patches included ab initio.

2.  If you don't get that kernel by default you can install it easily and
promptly without difficulty as a new user and run with it.

3.  You can do this running that OS as the stable version, not needing to
be testing or unstable at all as part of the kernel installation process.

4. The OS installation process would be simple (i.e. not Gentoo); candidates
here could be Sabayon, Calculate Linux and possibly Fedora.

Thus for anyone in the entire world who is new to Linux, the most efficient
route at present could well be to install Fedora and be stable and Spectre
protected out of the box rather than taking on the indefatigable odyssey of
installing Debian and waiting for the Debian security team to find solutions
at whatever pace is possible given the way the distro is currently set up.

> Meanwhile, I would recommend not letting random people get shell access
> to your critical systems.  Near as I can tell, exploiting a Spectre-type
> CPU vulnerability requires the ability to install and execute a program
> of the attacker's creation on the target system.  If you don't have
> users logging in and running commands, then you probably don't have to
> worry so much about this.  Unless I'm completely missing something.
> (If you have users issuing commands on your system through some other
> vector, like a PHP web-app exploit, then that's a bigger issue you
> should address directly.)
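An added check, not part of this thread: whichever distribution a kernel came from, the running kernel itself reports its Spectre/Meltdown mitigation status under /sys/devices/system/cpu/vulnerabilities/ (present from Linux 4.15 onward; older kernels have no such directory, which the script treats as "unknown"). The directory is a parameter so the functions can be exercised on a constructed copy of that tree.

```shell
#!/bin/sh
# Report Spectre/Meltdown mitigation status from the kernel's sysfs interface.
# Each file holds one line such as "Not affected", "Mitigation: PTI" or
# "Vulnerable: ...". Directory is a parameter (default: the real sysfs tree).

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities
ISSUES="spectre_v1 spectre_v2 meltdown"

# vuln_status DIR NAME -> one word on stdout:
#   notaffected  hardware not affected
#   mitigated    kernel applies a mitigation
#   vulnerable   reported vulnerable, no mitigation
#   unknown      file missing (kernel too old) or unrecognised text
vuln_status() {
    f="$1/$2"
    [ -r "$f" ] || { echo unknown; return 0; }
    line=$(cat "$f")
    case "$line" in
        "Not affected"*) echo notaffected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# count_unmitigated DIR -> number of issues that are vulnerable or unreported;
# zero means every listed issue is either mitigated or not applicable.
count_unmitigated() {
    n=0
    for name in $ISSUES; do
        case "$(vuln_status "$1" "$name")" in
            vulnerable|unknown) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# report [DIR] -> one line per issue, for reading by a human
report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    for name in $ISSUES; do
        printf '%-10s %s\n' "$name" "$(vuln_status "$dir" "$name")"
    done
    echo "unmitigated or unreported: $(count_unmitigated "$dir")"
}

report "$@"
```

Run without arguments on a live system to query the running kernel; pass a directory to inspect a copied tree.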
