On 3 February 2018 at 21:43, Michael Fothergill <michael.fotherg...@gmail.com> wrote:
>
> On 3 February 2018 at 17:12, David Wright <deb...@lionunicorn.co.uk> wrote:
>
>> On Sat 03 Feb 2018 at 07:47:43 (+0000), Michael Fothergill wrote:
>> > On 2 February 2018 at 04:35, Andy Smith <a...@strugglers.net> wrote:
>> >
>> > > Hello,
>> > >
>> > > On Thu, Feb 01, 2018 at 11:53:36AM +0000, Michael Fothergill wrote:
>> > > > Thus for anyone in the entire world who is new to linux, the most
>> > > > efficient route at present could well be to install Fedora and be
>> > > > stable and spectre protected out of the box rather than taking on
>> > > > the indefatigable odyssey of installing Debian and waiting for
>> > > > Debian security team to find solutions at whatever pace is
>> > > > possible given the way the distro is currenty set up.
>> > >
>> > > "The way the distro is [currently] set up" is that the upstream
>> > > Linux kernel project will provide backports to long term supported
>> > > kernel versions and these will get folded into Debian stable as a
>> > > security update. What you call an "indefatigable odyssey" will for
>> > > the average Debian user be an unremarkable kernel upgrade.
>> >
>> >
>> > I think it could be a remarkable or noticeable thing to a new debian or
>> > linux user who was interested to apply the latest available solution
>> > for e.g. spectre together with meltdown promptly to relatively standard
>> > installation.
>>
>> That is an unrealistic expectation, which can be seen by comparison
>> with other walks in life. Regular airline pilots have to train and
>> graduate to become test pilots.
>>
>> > If that is possible now in e.g. Fedora it is not unreasonable to want
>> > it to exist in Debian from my point of view.
>>
>> Fedora should not be compared with Debian stable:
>>
>> "We recognize that there is also a place for long-term stability in the
>> Linux ecosystem, and that there are a variety of community-oriented
>> and business-oriented Linux distributions available to serve that
>> need. However, the Fedora Project’s goal of advancing free software
>> dictates that the Fedora Project itself pursue a strategy that
>> preserves the forward momentum of our technical, collateral, and
>> community-building progress. Fedora always aims to provide the future,
>> first."
>>
>> > Perhaps the average debian user may not be that bothered about the
>> > problem, but a new debian user really did take the trouble to email
>> > on the site here and ask us about this very thing.
>> >
>> > And so, as peculiar as it seems to some people, I am
>> > trying to consider what would work practically for such individuals.
>>
>> Last month, you posted around 75 contributions to this thread and its
>> colleagues, so it's difficult to be sure of exactly who you mean
>> without a reference, but I'm going to hazard a guess: the person
>> technically at the top of this thread, Dextin Jerafmel.
>>
>> If that is the case, then the "very thing" they asked was how to
>> recognise and install the latest version of the kernel in Debian
>> stable (9.3) because they weren't yet familiar with the difference
>> between kernel version numbers (including the ABI version) and
>> Debian versions.
>>
>
> The title of the post "Kernel for Spectre and Meltdown" was created by the OP
> He also wrote: "But in Your site You've mentioned Kernel for Debian
> Stretch is 4.9.65 and You updated it for Spectre and Meltdown bugs"
>
> It does not seem unreasonable that he would be interested in installing
> kernels that address this problem and others could be as well.
>
> If you want to address the spectre vulnerability, which he has referred to
> in his post, you need a recent kernel.
>
>> > > And there will hopefully be minimal breakage because a lot of
>> > > people will have tested it first.
>> > >
>> >
>> > If it took e.g. 2 years of testing it before it would be released I am
>> > sure it would be fine in terms of stability etc.
>> > But would that be efficient here?
>>
>> So 2 years is your Aunt Sally.
>>
>
> No, I am aware that the problems could be addressed more quickly than
> that as was pointed out to me and I acknowledged in earlier posts.
> I am trying to suggest one would want to move faster than the approximate
> cycle time of new stable releases here.
>
>> > > You appear to have a level of paranoia that requires you to build
>> > > the latest kernel release with the latest GCC, and that has
>> > > motivated you to learn how to do that on Debian, but I feel sure
>> > > that that is not where the average Debian user is coming from.
>> > >
>> >
>> > Paranoia was not the motivation on my part at all here. I could see
>> > that kernel installations was easy in gentoo, and this prompted me to
>> > see how easy it would be in Debian.
>> >
>> > >
>> > > As you've seen, the method is there for you to do what you have
>> > > decided you need to do. Or for the curious who want a learning
>> > > experience.
>> >
>> >
>> > I think the method is not really fit for purpose at present.
>>
>> From the sorts of difficulties you've reported having here, I
>> wouldn't be likely to use your experiences as a basis for judgment.
>>
>
> That is a perfectly fair comment. But I am not concerned for myself here.
> I am concerned about new users and what they would have to to install the
> current
> (should say "what they would have to do" above)
> kernels (ie use a separate live sid distribution (correctly and helpfully
> referred to by Andy) to compile the new kernel
> and then transfer it to the stable install).
>
> That does not seem to me to be ideal for a new user. Hence my comment
> about it not being fit for purpose
> at present. It has been suggested to me by others on the site that
> eventually the GCC 7.3 compiler might be
> introduced into Debian Buster whereupon it could be used to compile the
> latest kernels.
>
> At that point I would say that it would not be right to say that the method
> was not fit for purpose etc. it might
> not be ideal but it be so bad then.
>

I meant to write that "it might not be ideal but it would not be so bad then".

Cheers

MF

>
>> > > But with Meltdown dealt with by KPTI (already in the
>> > > stable release) and the obvious javascript issues worked around by
>> > > the browsers, you have to weigh up the risk of pushing hasty fixes
>> > > into a stable kernel (and GCC) release.
>> > >
>> >
>> > For me that is too much "odyssey" for the maximal efficiency for new
>> > users.
>>
>> Which new users are going on what odyssey? I can see that you've been
>> on one, that's true.
>>
>
> Again my odyssey is unimportant here. I don't know if there are
> any new users going on an odyssey (e.g. compiling and installing the
> latest kernel from a live sid DVD etc).
>
> The odyssey is debian itself as I see it.
>
> Cheers
>
> MF
>
>> > > I don't think the sky has fallen just yet but if you do want to see
>> > > the sky fall, push out a buggy Debian stable kernel package.
>> >
>> >
>> > I don't see why it would need to be that buggy really.
>>
>> "Need to be that buggy"? What do you mean? The Debian stable kernel
>> package should be as bug-free as possible. That requires hard work
>> and patience. Falling over oneself in the rush to apply a fix would
>> be counterproductive and could ruin reputation.
>>
>> Cheers,
>> David.
>>