On 3 February 2018 at 17:12, David Wright <deb...@lionunicorn.co.uk> wrote:

> On Sat 03 Feb 2018 at 07:47:43 (+0000), Michael Fothergill wrote:
> > On 2 February 2018 at 04:35, Andy Smith <a...@strugglers.net> wrote:
> >
> > > Hello,
> > >
> > > On Thu, Feb 01, 2018 at 11:53:36AM +0000, Michael Fothergill wrote:
> > > > Thus for anyone in the entire world who is new to linux, the most
> > > > efficient route at present could well be to install Fedora and be
> > > > stable and spectre protected out of the box rather than taking on
> > > > the indefatigable odyssey of installing Debian and waiting for
> > > > Debian security team to find solutions at whatever pace is
> > > > possible given the way the distro is currenty set up.
> > >
> > > "The way the distro is [currently] set up" is that the upstream
> > > Linux kernel project will provide backports to long term supported
> > > kernel versions and these will get folded into Debian stable as a
> > > security update. What you call an "indefatigable odyssey" will for
> > > the average Debian user be an unremarkable kernel upgrade.
> >
> >
> > I think it could be a remarkable or noticeable thing to a new debian or
> > linux user who was interested to apply the latest available solution for
> > e.g. spectre together with meltdown promptly to a relatively standard
> > installation.
> That is an unrealistic expectation, which can be seen by comparison
> with other walks in life. Regular airline pilots have to train and
> graduate to become test pilots.
> > If that is possible now in e.g. Fedora it is not unreasonable to want it
> > to exist in Debian from my point of view.
> Fedora should not be compared with Debian stable:
> "We recognize that there is also a place for long-term stability in the
> Linux ecosystem, and that there are a variety of community-oriented
> and business-oriented Linux distributions available to serve that
> need. However, the Fedora Project’s goal of advancing free software
> dictates that the Fedora Project itself pursue a strategy that
> preserves the forward momentum of our technical, collateral, and
> community-building progress. Fedora always aims to provide the future,
> first."
> > Perhaps the average debian user may not be that bothered about the
> > problem, but a new debian user really did take the trouble to email on
> > the site here and ask us about this very thing.
> >
> > And so, as peculiar as it seems to some people, I am
> > trying to consider what would work practically for such individuals.
> Last month, you posted around 75 contributions to this thread and its
> colleagues, so it's difficult to be sure of exactly who you mean
> without a reference, but I'm going to hazard a guess: the person
> technically at the top of this thread, Dextin Jerafmel.

> If that is the case, then the "very thing" they asked was how to
> recognise and install the latest version of the kernel in Debian
> stable (9.3) because they weren't yet familiar with the difference
> between kernel version numbers (including the ABI version) and
> Debian versions.

The title of the post "Kernel for Spectre and Meltdown" was created by the OP.
He also wrote: "But in Your site You've mentioned Kernel for Debian
Stretch is 4.9.65 and You updated it for Spectre and Meltdown bugs"

It does not seem unreasonable that he would be interested in installing
kernels that address this problem and others could be as well.

If you want to address the spectre vulnerability, which he has referred to
in his post, you need a recent kernel.

> > > And there
> > > will hopefully be minimal breakage because a lot of people will have
> > > tested it first.
> > >
> >
> > If it took e.g. 2 years of testing it before it would be released I am
> > sure it would be fine in terms of stability etc.
> > But would that be efficient here?
> So 2 years is your Aunt Sally.

No, I am aware that the problems could be addressed more quickly than that
as was pointed out to me and I acknowledged in earlier posts.
I am trying to suggest one would want to move faster than the approximate
cycle time of new stable releases here.

> > > You appear to have a level of paranoia that requires you to build
> > > the latest kernel release with the latest GCC, and that has
> > > motivated you to learn how to do that on Debian, but I feel sure
> > > that that is not where the average Debian user is coming from.
> > >
> >
> > Paranoia was not the motivation on my part at all here. I could see that
> > kernel installation was easy in gentoo, and this prompted me to see how
> > easy it would be in Debian.
> >
> >
> > >
> > > As you've seen, the method is there for you to do what you have
> > > decided you need to do. Or for the curious who want a learning
> > > experience.
> >
> >
> > I think the method is not really fit for purpose at present.
> From the sorts of difficulties you've reported having here, I
> wouldn't be likely to use your experiences as a basis for judgment.

That is a perfectly fair comment. But I am not concerned for myself here.
I am concerned about new users and what they would have to do to install the
kernels (i.e. use a separate live sid distribution (correctly and helpfully
referred to by Andy) to compile the new kernel and then transfer it to the
stable install).

That does not seem to me to be ideal for a new user. Hence my comment
about it not being fit for purpose at present. It has been suggested to me
by others on the site that eventually the GCC 7.3 compiler might be
introduced into Debian Buster whereupon it could be used to compile the
latest kernels.

At that point I would say that it would not be right to say that the method
was not fit for purpose etc. It might not be ideal but it would not be so
bad then.


> > > But with Meltdown dealt with by KPTI (already in the
> > > stable release) and the obvious javascript issues worked around by
> > > the browsers, you have to weigh up the risk of pushing hasty fixes
> > > into a stable kernel (and GCC) release.
> > >
> >
> > For me that is too much "odyssey" for the maximal efficiency for new
> > users.
> Which new users are going on what odyssey? I can see that you've been
> on one, that's true.

Again my odyssey is unimportant here. I don't know if there are
any new users going on an odyssey (e.g. compiling and installing the latest
kernel from a live sid DVD etc).

The odyssey is debian itself as I see it.



> > > I don't think the sky has fallen just yet but if you do want to see
> > > the sky fall, push out a buggy Debian stable kernel package.
> >
> >
> > I don't see why it would need to be that buggy really.
> "Need to be that buggy"? What do you mean? The Debian stable kernel
> package should be as bug-free as possible. That requires hard work
> and patience. Falling over oneself in the rush to apply a fix would
> be counterproductive and could ruin reputation.
> Cheers,
> David.
