-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, Feb 23, 2018 at 03:27:38PM -0700, Reg Tiangha wrote: > I've noticed that Xen has updated the XSA-254 advisory with Spectre v2 > mitigations for Xen 4.6-4.10. I know we'd have to figure out how to > backport Retpoline compatible compilers to these various build > environments in order to get the full protection (Debian has backported > that support to the gcc versions in jessie and stretch so that implies > that at least the backported gcc patches are now available), but is > there any chance that these Xen patches will be incorporated into the > Qubes versions soon? > > https://xenbits.xen.org/xsa/advisory-254.html
Simon, can you take a look at it? We'll probably need to put patched gcc to linux-dom0-updates repository (if newer Fedora has patched gcc and it's possible to build that src.rpm on older Fedora), or add separate repository with patched gcc - then probably indeed based on patches from Debian. > And a side question about qubes-builder: Does it build in a chroot? Yes. > I'd > like to attempt to backport a build environment that has a > retpoline-enabled version of gcc, and I'm wondering if I could just > bypass qubes-builder entirely and run make rpms-dom0 in a build > environment where I've manually upgraded the gcc version to be > Retpoline-compatible in an FC23 or FC25 template like I do when I > compile my own kernels. In theory - yes. In practice, no one have tried that for a long time. > Also: Are there any dangers in compiling the Xen rpms in an FC25 > template and then installing them in R3.2 dom0's FC23 environment? For xen-hypervisor package it should be ok. And this is the only one you should care about here. For other packages, especially xen-libs and xen-runtime, resulting binaries most likely will not work in older environment (linked libraries versions etc). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlqQnwgACgkQ24/THMrX 1yw9DAgAmhydEgfCb/A0xzVAHVXzjMi18kWMmgU54IVOjjuBfE3oIFyXKna1jSb2 Y7OdrA91yc2F87bsiBrXlDaqJlM1HHs3vvjsnq4KZ1+LI8DhEWaEkki2govzmkSi w21+QZ4IC5BIwUFO7HF3beTlxnI3p+/3vfVg+956bsmvQDYSjLVi3t5TiMBrtsmI Hfizzl2sjH5Y5LYlbM5vUTYGQ0BdIk2ZF7EQeSZ4PjoBAzKy5DAUlWa429eZzT9R 7GzAR1E/t+eAJhZT1tCo0CPvehboMsTVj0xgRZi9BfEVDdYwcbI6t09nAy0SauWc 0RR1n1pHJFgwaExyMo5HNEQteuDMoQ== =O1Qg -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20180223230831.GL2023%40mail-itl. For more options, visit https://groups.google.com/d/optout.