| 1 |
Nikos Chantziaras <realnc@×××××.com> wrote: |
| 2 |
> Yeah, that's the kind of software that benefits from the Spectre |
| 3 |
> mitigation patches. Like browsers, virtualization or emulation software, |
| 4 |
> the kernel, etc. |
| 5 |
|
| 6 |
No. It's software like gnupg, encfs, openssl and all the library they |
| 7 |
use (glibc, glib, X etc) which need these patches. |
| 8 |
|
| 9 |
> Rebuilding the whole system with these flags on doesn't sound like a |
| 10 |
> good idea. Now, I don't know if it would hurt anything, but it's not |
| 11 |
> uncommon for build flags to break random stuff. |
| 12 |
|
| 13 |
Yep. On x86, gcc cannot compile itself if built with -fno-plt. |
| 14 |
|
| 15 |
> I haven't seen any word from anyone yet as to whether these flags are |
| 16 |
> actually recommended or not on a system-wide basis. |
| 17 |
|
| 18 |
Actually, it is not even clear in the moment which flags should be |
| 19 |
used in which settings. (There has been some discussion in the |
| 20 |
gentoo forums but to no completely satisfactory result yet.) |
| 21 |
|
| 22 |
> So my educated guess is: No. Don't do that. |
| 23 |
|
| 24 |
Yes and no: It is probably recommended, but the flags are so no and |
| 25 |
so poorly understood that people are hesitating with recommendations. |
| 26 |
Also, spectre is hard to exploit, so it is perhaps better to wait in |
| 27 |
the moment until some experience ins there. |
| 28 |
|
| 29 |
> If a package is affected, it |
| 30 |
> stands to reason that the upstream of that package would change their |
| 31 |
> build system to use these new flags where needed. |
| 32 |
|
| 33 |
No, for many reasons: |
| 34 |
|
| 35 |
1. Packages often try to not add any flags; especially in gentoo it is a |
| 36 |
policy that they _must_ not: If they do, it would get patched out in gentoo. |
| 37 |
|
| 38 |
2. A library has no idea what it is used for. Why should it add something, |
| 39 |
only because some program using it should be protected? |
| 40 |
|
| 41 |
3. Adding the flags slows down the programs. It is the user who must |
| 42 |
decide whether patches are desirable for his use case and architecture. |
| 43 |
(Maybe this is less relevant know but in a while when versions of |
| 44 |
processors "immune" to spectre come out.) |
Archives