Re: retpoline-enabled GCC build for jessie
Hi,

Holger Levsen wrote:
> I have a stupid/uninformed question: is this gcc only useful for
> rebuilding the kernel or would it "in theory" (and practice) be better
> to rebuild everything with it? (of course the latter is probably not really
> practical for Debian, but others could do it more easily.)

The immediate specific need for the GCC update in oldstable and stable is the Linux kernel, there are no plans to rebuild other packages in released distributions at this point.

We might add this to the dpkg-buildflags default flags for buster as a generic hardening measure, but that requires additional work/consideration/discussion. Fortunately the buster freeze is still quite some time away, so we're in the comfortable position to evaluate without time pressure.

Cheers,
Moritz
Re: retpoline-enabled GCC build for jessie
On 18/02/2018 10:44, who.are.you wrote:
> On Sat, Feb 17, 2018 at 07:03:00PM +, Holger Levsen wrote:
> > is this gcc only useful for rebuilding the kernel or would it "in theory" (and practice) be better to rebuild everything with it? (of course the latter is probably not really practical for Debian, but others could do it more easily.)
>
> Does this mean re-installing Debian is the best way to mitigate Spectre? If yes, would re-installing Debian from now (and onwards) be a good time to avoid Spectre vulnerabilities?

If a Debian package is recompiled then this package is a new version of the previous package and you get it as a Debian update.

So if it is better to rebuild all with retpoline-enabled I think that someone in Debian will recompile all the packages and you get them as a Debian update... and so you don't have to re-install Debian (or if you reinstall Debian you get the same system you have already... without retpoline-enabled, because I haven't seen any package recompiled with that, for now).

Ciao
Davide

PS: I am I
Re: retpoline-enabled GCC build for jessie
Does this mean re-installing Debian is the best way to mitigate Spectre? If yes, would re-installing Debian from now (and onwards) be a good time to avoid Spectre vulnerabilities?

On Sat, Feb 17, 2018 at 07:03:00PM +, Holger Levsen wrote:
> On Sat, Feb 17, 2018 at 02:35:22PM +0100, Moritz Mühlenhoff wrote:
> > The update for gcc-4.9 has just been released.
> > Test packages for gcc-6/stretch are now available at
> > https://people.debian.org/~jmm/gcc6/
>
> Thanks for your work on this, Moritz.
>
> I have a stupid/uninformed question: is this gcc only useful for
> rebuilding the kernel or would it "in theory" (and practice) be better
> to rebuild everything with it? (of course the latter is probably not really
> practical for Debian, but others could do it more easily.)
>
>
> --
> cheers,
> Holger
Re: retpoline-enabled GCC build for jessie
On Sat, Feb 17, 2018 at 02:35:22PM +0100, Moritz Mühlenhoff wrote:
> The update for gcc-4.9 has just been released.
> Test packages for gcc-6/stretch are now available at
> https://people.debian.org/~jmm/gcc6/

Thanks for your work on this, Moritz.

I have a stupid/uninformed question: is this gcc only useful for rebuilding the kernel or would it "in theory" (and practice) be better to rebuild everything with it? (of course the latter is probably not really practical for Debian, but others could do it more easily.)

--
cheers,
Holger
Re: retpoline-enabled GCC build for jessie
Fabian Grünbichler wrote:
> > > (and is the Stretch / gcc-6 update planned in the same
> > > time frame as well?)
> >
> > Yes, an update for GCC 6 is also in the works, but will probably be a few days
> > after the jessie update.
>
> any special reason for that? (out of curiosity, since we had also
> already prepared a gcc-6 package based on Stretch 6.3.0-18 using the
> same approach which seems to work fine so far..)

The update for gcc-4.9 has just been released.

Test packages for gcc-6/stretch are now available at https://people.debian.org/~jmm/gcc6/

Additional test feedback also very welcome.

Cheers,
Moritz
Re: retpoline-enabled GCC build for jessie
On Thu, Feb 15, 2018 at 02:55:02PM +0100, Fabian Grünbichler wrote:
> > > (and is the Stretch / gcc-6 update planned in the same
> > > time frame as well?)
> >
> > Yes, an update for GCC 6 is also in the works, but will probably be a few days
> > after the jessie update.
>
> any special reason for that? (out of curiosity, since we had also
> already prepared a gcc-6 package based on Stretch 6.3.0-18 using the
> same approach which seems to work fine so far..)

Just a lack of time, I've prepared a build, but want to run more tests before I'll make it public for further testing (probably during the weekend).

> > > anyway, will report back with some test results (with a custom 4.4-based
> > > kernel) tomorrow.
>
> no issues cropped up during initial internal testing, so we'll probably
> publish a public test kernel tomorrow and wait for more feedback.

OK, thanks.

Cheers,
Moritz
Re: retpoline-enabled GCC build for jessie
On Wed, Feb 14, 2018 at 10:55:27PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Feb 14, 2018 at 03:26:31PM +0100, Fabian Grünbichler wrote:
> > is there a debdiff / source available as well?
>
> Above URL includes the source, but no debdiff (you can simply debdiff against
> the latest jessie package).

seems I overlooked that on the first glance. functionally identical to our parallel work, which is probably a good sign.

>
> > or is it "just" Jessie's current state plus the 9 patches from hjl's 4.9
> > backport branch?
>
> hjl's patches and some modifications dropping the texinfo which are stripped
> for DFSGish reasons.

and also don't apply as-is anyway ;)

>
> > (and is the Stretch / gcc-6 update planned in the same
> > time frame as well?)
>
> Yes, an update for GCC 6 is also in the works, but will probably be a few days
> after the jessie update.

any special reason for that? (out of curiosity, since we had also already prepared a gcc-6 package based on Stretch 6.3.0-18 using the same approach which seems to work fine so far..)

>
> > anyway, will report back with some test results (with a custom 4.4-based
> > kernel) tomorrow.

no issues cropped up during initial internal testing, so we'll probably publish a public test kernel tomorrow and wait for more feedback.
Re: retpoline-enabled GCC build for jessie
On Wed, Feb 14, 2018 at 03:26:31PM +0100, Fabian Grünbichler wrote:
> is there a debdiff / source available as well?

Above URL includes the source, but no debdiff (you can simply debdiff against the latest jessie package).

> or is it "just" Jessie's current state plus the 9 patches from hjl's 4.9
> backport branch?

hjl's patches and some modifications dropping the texinfo which are stripped for DFSGish reasons.

> (and is the Stretch / gcc-6 update planned in the same
> time frame as well?)

Yes, an update for GCC 6 is also in the works, but will probably be a few days after the jessie update.

> anyway, will report back with some test results (with a custom 4.4-based
> kernel) tomorrow.

Thanks.

Cheers,
Moritz
Re: retpoline-enabled GCC build for jessie
> Hi,
> I've created a GCC 4.9 package for jessie with backported support for
> -mindirect-branch (as needed to build kernels with retpoline support).
> packages are available at https://people.debian.org/~jmm/gcc/. I've run some
> tests, but would appreciate additional testing feedback; the update is planned
> to be released end of week/weekend.
>
> Cheers,
> Moritz

is there a debdiff / source available as well?

or is it "just" Jessie's current state plus the 9 patches from hjl's 4.9 backport branch?

(and is the Stretch / gcc-6 update planned in the same time frame as well?)

anyway, will report back with some test results (with a custom 4.4-based kernel) tomorrow.
retpoline-enabled GCC build for jessie
Hi,

I've created a GCC 4.9 package for jessie with backported support for -mindirect-branch (as needed to build kernels with retpoline support). packages are available at https://people.debian.org/~jmm/gcc/. I've run some tests, but would appreciate additional testing feedback; the update is planned to be released end of week/weekend.

Cheers,
Moritz
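
For testers answering the call for feedback above, an added example (not part of the thread and not the packagers' own tooling) that checks whether a compiler accepts the retpoline options and whether a compiled indirect call goes through a thunk. The `-mindirect-branch=thunk-extern` / `-mindirect-branch-register` flag pair, the `__x86_indirect_thunk` symbol prefix and the helper names are assumptions of this example; it expects an x86 target.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: this flag pair is the one
# an x86 retpoline kernel build passes to the compiler.
RETPOLINE_FLAGS="-mindirect-branch=thunk-extern -mindirect-branch-register"

# cc_accepts CC FLAGS...: succeed if CC compiles an empty unit with FLAGS.
# -Werror makes a merely warned-about unknown option fail the probe.
cc_accepts() {
    probe_cc=$1; shift
    probe_dir=$(mktemp -d) || return 2
    "$probe_cc" -Werror "$@" -x c -c /dev/null -o "$probe_dir/probe.o" \
        >/dev/null 2>&1
    probe_rc=$?
    rm -rf "$probe_dir"
    return "$probe_rc"
}

# raw_indirect_branches: read AT&T-syntax assembly on stdin, print how many
# call/jmp instructions still branch directly through "*operand".
raw_indirect_branches() {
    grep -Ec '^[[:space:]]*(call|jmp)q?[[:space:]]+\*' || true
}

# check_retpoline_cc CC: return 0 only if CC takes the flags and a
# one-function test unit (constructed below) calls through a thunk.
check_retpoline_cc() {
    cc=$1
    # $RETPOLINE_FLAGS is unquoted on purpose so it splits into two options.
    cc_accepts "$cc" $RETPOLINE_FLAGS ||
        { echo "$cc: retpoline flags rejected"; return 1; }
    asm=$(printf 'void f(void (*fp)(void)) { fp(); }\n' |
          "$cc" -O2 $RETPOLINE_FLAGS -x c -S -o - - 2>/dev/null)
    n=$(printf '%s\n' "$asm" | raw_indirect_branches)
    [ "$n" -eq 0 ] || { echo "$cc: $n raw indirect branch(es)"; return 1; }
    # Assumption: thunk symbols start with __x86_indirect_thunk.
    printf '%s\n' "$asm" | grep -q '__x86_indirect_thunk' ||
        { echo "$cc: no thunk reference found"; return 1; }
    echo "$cc: indirect calls go through retpoline thunks"
}

# Stand-alone run: CC=gcc-4.9 sh this-script.sh (defaults to gcc).
check_retpoline_cc "${CC:-gcc}" || true
```
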