Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 14:08, Reco  wrote:

> Hi.
>
> On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote:
> > On 23 February 2018 at 13:42, Reco  wrote:
> >
> > > Hi.
> > >
> > > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > > > On 23 February 2018 at 12:43, Reco  wrote:
> > > >
> > > > > Hi.
> > > > >
> > > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Do you have any clue on when the gcc fix for stretch is to be released ?
> > > > > >
> > > > > > Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> > > > > > seem to have already been implemented. So I dunno what is still blocking
> > > > > > the release. :'(
> > > > >
> > > > > https://www.debian.org/security/2018/dsa-4120
> > > >
> > > >
> > > > Can it be true?  A version of gcc that runs on stretch that will compile
> > > > the latest fancy spectre fixes etc?
> > > >
> > > > Cheers
> > >
> > > So it seems. New kernel came today with the usual 'apt update && apt
> > > upgrade' routine:
> > >
> > > $ uname -r
> > > 4.9.0-6-amd64
> > >
> > > $ grep bug /proc/cpuinfo
> > > bugs: cpu_meltdown spectre_v1 spectre_v2
> > >
> >
> > Could you install this kernel in stretch at present or only in buster?
>
> I *only* use Debian stable, so yes, it's definitely possible to install
> this kernel in stretch. This particular package is provided by
> security.debian.org, so the entire world is installing it on Debian stable
> as I'm writing this.
>

Excellent news. Stellar stuff.

Cheers

MF


>
> Theoretically, of course, it should be possible to install this kernel
> in testing (buster) and even get a bootable system.
>
> Reco
>
>


Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi.

On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote:
> On 23 February 2018 at 13:42, Reco  wrote:
> 
> > Hi.
> >
> > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > > On 23 February 2018 at 12:43, Reco  wrote:
> > >
> > > > Hi.
> > > >
> > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > > Hi,
> > > > >
> > > > > Do you have any clue on when the gcc fix for stretch is to be released ?
> > > > >
> > > > > Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> > > > > seem to have already been implemented. So I dunno what is still blocking
> > > > > the release. :'(
> > > >
> > > > https://www.debian.org/security/2018/dsa-4120
> > >
> > >
> > > Can it be true?  A version of gcc that runs on stretch that will compile
> > > the latest fancy spectre fixes etc?
> > >
> > > Cheers
> >
> > So it seems. New kernel came today with the usual 'apt update && apt
> > upgrade' routine:
> >
> > $ uname -r
> > 4.9.0-6-amd64
> >
> > $ grep bug /proc/cpuinfo
> > bugs: cpu_meltdown spectre_v1 spectre_v2
> >
>
> Could you install this kernel in stretch at present or only in buster?

I *only* use Debian stable, so yes, it's definitely possible to install
this kernel in stretch. This particular package is provided by
security.debian.org, so the entire world is installing it on Debian stable
as I'm writing this.

Theoretically, of course, it should be possible to install this kernel
in testing (buster) and even get a bootable system.

Reco



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 13:42, Reco  wrote:

> Hi.
>
> On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > On 23 February 2018 at 12:43, Reco  wrote:
> >
> > > Hi.
> > >
> > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > Hi,
> > > >
> > > > Do you have any clue on when the gcc fix for stretch is to be released ?
> > > >
> > > > Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> > > > seem to have already been implemented. So I dunno what is still blocking
> > > > the release. :'(
> > >
> > > https://www.debian.org/security/2018/dsa-4120
> >
> >
> > Can it be true?  A version of gcc that runs on stretch that will compile
> > the latest fancy spectre fixes etc?
> >
> > Cheers
>
> So it seems. New kernel came today with the usual 'apt update && apt
> upgrade' routine:
>
> $ uname -r
> 4.9.0-6-amd64
>
> $ grep bug /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
>

Could you install this kernel in stretch at present or only in buster?

Regards

MF


> ...
>
> Reco
>
>


apt vs apt-get (was: Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?)

2018-02-23 Thread Reco
Hi.

On Fri, Feb 23, 2018 at 08:54:31AM -0500, Greg Wooledge wrote:
> On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote:
> > So it seems. New kernel came today with the usual 'apt update && apt
> > upgrade' routine:
> > 
> > $ uname -r
> > 4.9.0-6-amd64
> 
> You mean "apt (or apt-get) dist-upgrade", right?

That works too.


> /me tries it on a different computer that hasn't dist-upgraded yet...
> Wait, wait, wait... what?  WHAT?!
> "apt upgrade" and "apt-get upgrade" DON'T DO THE SAME THING ?!?

apt(8) has this to say on this:

   upgrade (apt-get(8))
       upgrade is used to install available upgrades of all packages
       currently installed on the system from the sources configured via
       sources.list(5). New packages will be installed if required to satisfy
       dependencies, but existing packages will never be removed.

So yes, "apt-get upgrade" and "apt upgrade" are different, that's
intended, and once again Debian project chose sane default behavior.

In this particular case, "linux-image-4.9.0-6-amd64" was pulled as a
dependency of "linux-image-amd64", and old "linux-image-4.9.0-5-amd64"
was not removed. Neat, isn't it?

Reco
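
Added example, not part of the message above: "apt-get upgrade" never installs packages that are not already installed, so a security kernel that arrives as a new dependency of "linux-image-amd64" shows up as "kept back" instead of being installed. The sketch below detects that case from simulation output; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The sample output below is constructed.
# Live use: LC_ALL=C apt-get -s upgrade | kernel_kept_back

# kept_back: read `apt-get -s upgrade` output on stdin and print every
# package named in the "kept back" section, one per line.
kept_back() {
    awk '
        /^The following packages have been kept back:/ { in_list = 1; next }
        in_list && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        { in_list = 0 }
    '
}

# kernel_kept_back: exit 0 if a linux-image package is held back, i.e. a
# kernel update exists but this upgrade command will not install it.
kernel_kept_back() {
    kept_back | grep -q '^linux-image'
}

# Constructed sample: the linux-image-amd64 metapackage needs a kernel
# package that is not installed yet, so "apt-get upgrade" holds it back.
sample_output() {
    cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-image-amd64
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
EOF
}

if sample_output | kernel_kept_back; then
    echo "kernel update held back: use 'apt upgrade' or 'apt-get dist-upgrade'"
fi
```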



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Greg Wooledge
On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote:
> So it seems. New kernel came today with the usual 'apt update && apt
> upgrade' routine:
> 
> $ uname -r
> 4.9.0-6-amd64

You mean "apt (or apt-get) dist-upgrade", right?

/me tries it on a different computer that hasn't dist-upgraded yet...

Wait, wait, wait... what?  WHAT?!

"apt upgrade" and "apt-get upgrade" DON'T DO THE SAME THING ?!?

What the hell, Debian?



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi.

On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> On 23 February 2018 at 12:43, Reco  wrote:
> 
> > Hi.
> >
> > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > Hi,
> > >
> > > Do you have any clue on when the gcc fix for stretch is to be released ?
> > >
> > > Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> > > seem to have already been implemented. So I dunno what is still blocking
> > > the release. :'(
> >
> > https://www.debian.org/security/2018/dsa-4120
>
>
> Can it be true?  A version of gcc that runs on stretch that will compile
> the latest fancy spectre fixes etc?
>
> Cheers

So it seems. New kernel came today with the usual 'apt update && apt
upgrade' routine:

$ uname -r
4.9.0-6-amd64

$ grep bug /proc/cpuinfo
bugs: cpu_meltdown spectre_v1 spectre_v2
...

Reco
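
Added example, not part of the message above: the "bugs:" line in /proc/cpuinfo lists the issues the CPU is affected by, while the kernel's per-issue mitigation status is reported under /sys/devices/system/cpu/vulnerabilities on kernels that provide that directory. The sketch below classifies those files; the function names and the sample status strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files are constructed.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify_status TEXT -> OK, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        Mitigation:*)    echo MITIGATED ;;
        Vulnerable*)     echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# report_mitigations [DIR]: print "name<TAB>verdict<TAB>kernel text" per issue.
# Returns 0 if every issue is OK/MITIGATED, 1 if any is VULNERABLE/UNKNOWN,
# 2 if the directory is missing (kernel does not provide the report).
report_mitigations() {
    dir=${1:-$VULN_DIR}
    [ -d "$dir" ] || { echo "no $dir on this kernel" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        verdict=$(classify_status "$text")
        case "$verdict" in VULNERABLE|UNKNOWN) rc=1 ;; esac
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$verdict" "$text"
    done
    return $rc
}

# make_sample_dir: constructed stand-in for the sysfs directory. The
# spectre_v2 text is what a kernel built without retpoline support in the
# compiler reports, which is why the gcc update matters.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$d/spectre_v2"
    echo "$d"
}

report_mitigations "$(make_sample_dir)" || echo "at least one issue is not mitigated"
```

Call `report_mitigations` with no argument to read the running kernel's own report.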



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 12:43, Reco  wrote:

> Hi.
>
> On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > Hi,
> >
> > Do you have any clue on when the gcc fix for stretch is to be released ?
> >
> > Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> > seem to have already been implemented. So I dunno what is still blocking
> > the release. :'(
>
> https://www.debian.org/security/2018/dsa-4120


Can it be true?  A version of gcc that runs on stretch that will compile
the latest fancy spectre fixes etc?

Cheers

MF



>
>
> Reco
>
>


Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi.

On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> Hi,
> 
> Do you have any clue on when the gcc fix for stretch is to be released ?
> 
> Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> seem to have already been implemented. So I dunno what is still blocking
> the release. :'(

https://www.debian.org/security/2018/dsa-4120

Reco



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-21 Thread Michael Fothergill
On 21 February 2018 at 17:46, Julien Aubin  wrote:

> Hi,
>
> Do you have any clue on when the gcc fix for stretch is to be released ?
>
> Actually the retpoline-compliant kernel is ready, and gcc fixes for
> stretch seem to have already been implemented. So I dunno what is still
> blocking the release. :'(
>

Ooooh! Tantalizing stuff

The solution is to collectively burst into song; singing e.g. the Climb
Every Mountain song from The Sound of Music
and "To Dream the Impossible Dream" etc. and then suggest we are going to
post it on the site here in some way.

Then we relent and say we are happy to forget all about that idea if the
fixes are released soon etc

That would persuade me.

Cheers

MF



>
> Thanks a lot.
>


Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-21 Thread Julien Aubin
Hi,

Do you have any clue on when the gcc fix for stretch is to be released ?

Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
seem to have already been implemented. So I dunno what is still blocking
the release. :'(

Thanks a lot.