Nikos Chantziaras <realnc@×××××.com> wrote:
> Yeah, that's the kind of software that benefits from the Spectre
> mitigation patches. Like browsers, virtualization or emulation software,
> the kernel, etc.

No. It's software like gnupg, encfs, openssl and all the libraries they
use (glibc, glib, X etc.) which need these patches.

> Rebuilding the whole system with these flags on doesn't sound like a
> good idea. Now, I don't know if it would hurt anything, but it's not
> uncommon for build flags to break random stuff.

Yep. On x86, gcc cannot compile itself if built with -fno-plt.

> I haven't seen any word from anyone yet as to whether these flags are
> actually recommended or not on a system-wide basis.

Actually, it is not even clear at the moment which flags should be
used in which settings. (There has been some discussion in the
gentoo forums but to no completely satisfactory result yet.)

> So my educated guess is: No. Don't do that.

Yes and no: It is probably recommended, but the flags are so new and
so poorly understood that people are hesitating with recommendations.
Also, spectre is hard to exploit, so it is perhaps better to wait at
the moment until some experience is there.

> If a package is affected, it
> stands to reason that the upstream of that package would change their
> build system to use these new flags where needed.

No, for many reasons:

1. Packages often try to not add any flags; especially in gentoo it is a
policy that they _must_ not: If they do, it would get patched out in gentoo.

2. A library has no idea what it is used for. Why should it add something,
only because some program using it should be protected?

3. Adding the flags slows down the programs. It is the user who must
decide whether patches are desirable for his use case and architecture.
(Maybe this is less relevant now but in a while when versions of
processors "immune" to spectre come out.)