That is specious reasoning at best.  The jit option requires that you allow 
mixed instructions/data in memory, which leaves you open to a lot more than 
spectre.  The problem is you've (Red Hat) sold people a bill of goods with java 
jit, the solution is for people to write proper code and corporations to not 
tolerate bad code that ignores everything that's been learned about security.

Besides, there's no reason to think, particularly given it's sloppy, sloppy 
coding that the jit option has fewer security holes in general.

This is the same type of CRAP that has led to systemD (for Dumb Ass) and other 
bloat wear like gnome3.  If i wanted bad security, unreliability, bloatware and 
the destruction of the illusion of "high speed data processing" i'd use 

seriously, can we try to keep these corporate schills the hell off the list?

Yes, i hate red hat, google, chrome, and now firefox.  

It's not so much that we've produced a generation of bad coders who don't know 
better, the problem is no one cares about anything other than $$$ in america 
any more.  I'm ashamed of my fellow "citizens".

If you are going to blatently lie and obfuscate please do it on fox news! (a good madscientist)
God bless the rich, the greedy and the corrupt politicians they have put into 
office.   God bless them for helping me do the right thing by giving the rich 
my little pile of cash.  After all, the rich know what to do with money.

13. Feb 2018 02:48 by

> On Tuesday, 13 February 2018 02:18:33 GMT Nikos Chantziaras wrote:
>> On 13/02/18 03:31, Ian Zimmerman wrote:
>> > On 2018-02-13 03:13, Nikos Chantziaras wrote:
>> >> Apparently, and contrary to what people (me included) wrote here in
>> >> the past, BPF JIT is the secure option, and the interpreter is the
>> >> insecure one.
>> > 
>> > Do you have a reference for this?  It sounds strange indeed.
>> d=290af86629b25ffd1ed6232c4e9107da031705cb
>> "The BPF interpreter has been used as part of the spectre 2 attack
>> CVE-2017-5715.
>> [...]
>> To make attacker job harder introduce BPF_JIT_ALWAYS_ON config
>> option that removes interpreter from the kernel in favor of JIT-only mode."
> Thanks for sharing this Nikos.
> Perhaps I'm reading the referenced post wrong.  If the BPF interpreter has 
> been used for spectre2, then disabling CONFIG_BPF_SYSCALL does away with it 
> altogether, rather than turning it on and then setting BPF_JIT_ALWAYS_ON to 
> guard against its inherent vulnerability by using JIT-only mode?  Is there 
> some overriding benefit of having BPF enabled at all in the first place?
> PS. I don't remotely assume I properly understand the BPF mechanism, I just 
> want to test my understanding above.
> -- 
> Regards,
> Mick

Reply via email to