| 1 |
On Wednesday, 31 January 2018 11:30:13 GMT Martin Vaeth wrote: |
| 2 |
> Nikos Chantziaras <realnc@×××××.com> wrote: |
| 3 |
> > Yeah, that's the kind of software that benefits from the Spectre |
| 4 |
> > mitigation patches. Like browsers, virtualization or emulation software, |
| 5 |
> > the kernel, etc. |
| 6 |
> |
| 7 |
> No. It's software like gnupg, encfs, openssl and all the library they |
| 8 |
> use (glibc, glib, X etc) which need these patches. |
| 9 |
> |
| 10 |
> > Rebuilding the whole system with these flags on doesn't sound like a |
| 11 |
> > good idea. Now, I don't know if it would hurt anything, but it's not |
| 12 |
> > uncommon for build flags to break random stuff. |
| 13 |
> |
| 14 |
> Yep. On x86, gcc cannot compile itself if built with -fno-plt. |
| 15 |
> |
| 16 |
> > I haven't seen any word from anyone yet as to whether these flags are |
| 17 |
> > actually recommended or not on a system-wide basis. |
| 18 |
> |
| 19 |
> Actually, it is not even clear in the moment which flags should be |
| 20 |
> used in which settings. (There has been some discussion in the |
| 21 |
> gentoo forums but to no completely satisfactory result yet.) |
| 22 |
> |
| 23 |
> > So my educated guess is: No. Don't do that. |
| 24 |
> |
| 25 |
> Yes and no: It is probably recommended, but the flags are so no and |
| 26 |
> so poorly understood that people are hesitating with recommendations. |
| 27 |
> Also, spectre is hard to exploit, so it is perhaps better to wait in |
| 28 |
> the moment until some experience ins there. |
| 29 |
> |
| 30 |
> > If a package is affected, it |
| 31 |
> > stands to reason that the upstream of that package would change their |
| 32 |
> > build system to use these new flags where needed. |
| 33 |
> |
| 34 |
> No, for many reasons: |
| 35 |
> |
| 36 |
> 1. Packages often try to not add any flags; especially in gentoo it is a |
| 37 |
> policy that they _must_ not: If they do, it would get patched out in gentoo. |
| 38 |
> |
| 39 |
> 2. A library has no idea what it is used for. Why should it add something, |
| 40 |
> only because some program using it should be protected? |
| 41 |
> |
| 42 |
> 3. Adding the flags slows down the programs. It is the user who must |
| 43 |
> decide whether patches are desirable for his use case and architecture. |
| 44 |
> (Maybe this is less relevant know but in a while when versions of |
| 45 |
> processors "immune" to spectre come out.) |
| 46 |
|
| 47 |
Just to dilute my confusion on what I should do to keep desktops safe(r), |
| 48 |
would someone please clarify: |
| 49 |
|
| 50 |
Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 with |
| 51 |
gcc 7.3, or wait until these versions have been stabilised in the tree? |
| 52 |
|
| 53 |
What gcc version shall I use to update @world from then on? |
| 54 |
|
| 55 |
PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with ARM |
| 56 |
in them ... |
| 57 |
-- |
| 58 |
Regards, |
| 59 |
Mick |
Archives