On Wednesday, 31 January 2018 11:30:13 GMT Martin Vaeth wrote:
> Nikos Chantziaras <realnc@×××××.com> wrote:
> > Yeah, that's the kind of software that benefits from the Spectre
> > mitigation patches. Like browsers, virtualization or emulation software,
> > the kernel, etc.
>
> No. It's software like gnupg, encfs, openssl and all the libraries they
> use (glibc, glib, X etc.) which need these patches.
>
> > Rebuilding the whole system with these flags on doesn't sound like a
> > good idea. Now, I don't know if it would hurt anything, but it's not
> > uncommon for build flags to break random stuff.
>
> Yep. On x86, gcc cannot compile itself if built with -fno-plt.
>
> > I haven't seen any word from anyone yet as to whether these flags are
> > actually recommended or not on a system-wide basis.
>
> Actually, it is not even clear at the moment which flags should be
> used in which settings. (There has been some discussion in the
> gentoo forums but to no completely satisfactory result yet.)
>
> > So my educated guess is: No. Don't do that.
>
> Yes and no: It is probably recommended, but the flags are so new and
> so poorly understood that people are hesitating with recommendations.
> Also, spectre is hard to exploit, so it is perhaps better to wait at
> the moment until some experience is there.
>
> > If a package is affected, it
> > stands to reason that the upstream of that package would change their
> > build system to use these new flags where needed.
>
> No, for many reasons:
>
> 1. Packages often try to not add any flags; especially in gentoo it is a
> policy that they _must_ not: If they do, it would get patched out in gentoo.
>
> 2. A library has no idea what it is used for. Why should it add something,
> only because some program using it should be protected?
>
> 3. Adding the flags slows down the programs. It is the user who must
> decide whether patches are desirable for his use case and architecture.
> (Maybe this is less relevant now but in a while when versions of
> processors "immune" to spectre come out.)

Just to dilute my confusion on what I should do to keep desktops safe(r),
would someone please clarify:

Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 with
gcc 7.3, or wait until these versions have been stabilised in the tree?

What gcc version shall I use to update @world from then on?

PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with ARM
in them ...
-- 
Regards,
Mick
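Added example, not part of Mick's message or anyone else's in this thread: a small POSIX shell script for answering the "is this box already covered?" question on each machine before deciding about keywording. It reads what the running kernel reports about the Spectre variants and probes whether the installed gcc accepts the retpoline code-generation option and the -fno-plt option mentioned above. Assumptions: a Linux kernel new enough to expose /sys/devices/system/cpu/vulnerabilities/ (4.15 does), and that gcc's retpoline option is -mindirect-branch=thunk (x86 only, so an ARM gcc is expected to reject it). The classification strings are the sysfs wording as of 4.15; anything else is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example (not from the thread). Reports the kernel's view of the Spectre
# variants on this machine and whether the local gcc accepts the mitigation flags.
# Assumption: sysfs vulnerability files exist on Linux >= 4.15 and the retpoline
# option is gcc's -mindirect-branch=thunk (gcc 7.3+, x86 only).

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_spectre_status STRING
# STRING is the content of one sysfs vulnerability file; prints one of
# not-affected, mitigated, vulnerable, unknown.
classify_spectre_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_kernel_status: print each sysfs entry with its classification.
report_kernel_status() {
    if [ ! -d "$VULN_DIR" ]; then
        echo "kernel: no $VULN_DIR (kernel older than 4.15, or not Linux)"
        return 0
    fi
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s (%s)\n' "$(basename "$f")" "$status" \
            "$(classify_spectre_status "$status")"
    done
}

# compiler_accepts_flag CC FLAG
# Returns 0 if CC compiles a trivial translation unit with FLAG, 1 otherwise.
# A rejected flag means that compiler (or that target) does not carry the option.
compiler_accepts_flag() {
    cc=$1; flag=$2
    command -v "$cc" >/dev/null 2>&1 || return 1
    tmp=$(mktemp -d) || return 1
    echo 'int main(void){return 0;}' > "$tmp/t.c"
    if "$cc" "$flag" -c -o "$tmp/t.o" "$tmp/t.c" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# report_compiler [CC]: version plus acceptance of the two flags discussed.
report_compiler() {
    cc=${1:-gcc}
    if ! command -v "$cc" >/dev/null 2>&1; then
        echo "$cc: not installed"; return 0
    fi
    echo "$cc: version $("$cc" -dumpversion 2>/dev/null || echo '?')"
    for flag in -mindirect-branch=thunk -fno-plt; do
        if compiler_accepts_flag "$cc" "$flag"; then
            echo "  $flag: accepted"
        else
            echo "  $flag: rejected"
        fi
    done
}

report_kernel_status
report_compiler "${CC:-gcc}"
```

Run it as `sh spectre-check.sh` on each box (or `CC=aarch64-unknown-linux-gnu-gcc sh spectre-check.sh` for a cross toolchain). A kernel line reading "Mitigation: ..." means the running kernel is already doing its part; a gcc that rejects -mindirect-branch=thunk is older than 7.3 or targets a non-x86 architecture, so adding that flag to CFLAGS there would only break builds.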