From: William Pitcock
Date: Wed, 10 Jan 2018 22:01:04 -0600
Subject: [alpine-devel] linux kernel packages and meltdown/spectre
To: alpine-dev

Hello,

We have received many inquiries about what our plans are for Meltdown and Spectre. Specifically, we have received many questions about timelines for deploying the "KPTI" backports to our own kernel images by upgrading to the latest 4.4 and 4.9 stable kernels.

We have been working on this, but have discovered that there were serious reliability patches with these "backports", largely because in reality the mitigation "backported" was actually a derivative of an earlier mitigation called KAISER. We have observed that KAISER had major reliability issues in private testing of the new kernels. Natanael recently pushed the 4.9.76 linux-vanilla kernel to edge for public testing, and that also verified that there were still regressions in the release that was supposed to fix the regressions in 4.9.75. Accordingly, we are led to believe that the situation is not likely to get better with trying to fix KAISER any time soon. In addition, it was posted to Hacker News that KAISER has severe design defects that neither the real KPTI nor unpatched kernels have [1].

As such, for vanilla our plan is to upgrade all kernels to 4.14.13, which has the real KPTI mitigation. This has already been done in edge; please test the -vanilla kernel if you can!

We are still working out the specifics of how to handle linux-hardened, but current research indicates that changes to PaX will be required to do the same style of mitigation. As we are incapable of doing these changes ourselves at this time, we are planning to migrate linux-hardened users to linux-vanilla in a future update. We are presently working out the exact plans to do this, as well as to introduce missing modules and kernel variants (-virt kernel profile) that are missing in linux-vanilla.
Once linux-vanilla is at feature parity (in terms of modules and kernel variants offered) we will do this transition in edge. After the transition plan is proven stable in edge, we will push it to the supported releases.

A common question is whether or not we will be keeping the linux-hardened and linux-grsec packages themselves around in the release branches. At present we have not made this conclusion. The reality, however, is that backporting security fixes to the hardened kernel is now a lot more difficult due to the introduction of KAISER as a mitigation in the LTS branches, so most likely we will drop it, since we feel it would be irresponsible to carry a package that has known vulnerabilities while also claiming it has enhanced security features.

William

[1]: https://news.ycombinator.com/item?id=16087736
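The mail asks users to test the 4.14.13 -vanilla kernel. As an added example (not part of William's mail or of Alpine's kernel packaging), the POSIX shell script below tells a tester which Meltdown mitigation a running kernel is carrying, using the mail's own distinction: 4.14.13 or newer carries the upstream KPTI mitigation, while a 4.4/4.9 stable kernel that reports page-table isolation is carrying the KAISER-derived backport. It reads the kernel release string and the contents of the upstream sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown (which prints "Mitigation: PTI" when isolation is active and is absent on kernels that predate that reporting interface). The release-string layout "4.14.13-0-vanilla" is assumed to follow Alpine's flavour-suffix convention, and the function names are mine.

```shell
#!/bin/sh
# Added example: classify a kernel's Meltdown mitigation from
#   1. the kernel release string (uname -r), assumed to look like "4.14.13-0-vanilla"
#   2. the text of /sys/devices/system/cpu/vulnerabilities/meltdown ("" if absent)

# version_ge A B: succeed when dotted version A is >= B (compares major.minor.patch
# numerically; any "-flavour" suffix on the third component is ignored by awk's
# string-to-number conversion).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# kpti_classify RELEASE SYSFS_TEXT: print one of
#   kpti            isolation reported and kernel >= 4.14.13 (upstream KPTI)
#   kaiser-backport isolation reported on an older stable kernel (KAISER derivative)
#   unmitigated     sysfs says Vulnerable, or no report at all
kpti_classify() {
    rel="$1"
    sysfs="$2"
    ver="${rel%%-*}"            # strip Alpine's "-0-vanilla" style suffix (assumed layout)
    case "$sysfs" in
        *"Mitigation: PTI"*) mitigated=1 ;;
        *)                   mitigated=0 ;;
    esac
    if [ "$mitigated" -eq 1 ] && version_ge "$ver" "4.14.13"; then
        echo kpti
    elif [ "$mitigated" -eq 1 ]; then
        echo kaiser-backport
    else
        echo unmitigated
    fi
}

# Report on the machine this script runs on; harmless when the sysfs file is missing.
report_running_kernel() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    status=""
    if [ -r "$f" ]; then
        status="$(cat "$f")"
    fi
    rel="$(uname -r)"
    echo "kernel $rel: $(kpti_classify "$rel" "$status")"
}

report_running_kernel
```

Run it on the edge box after rebooting into the -vanilla kernel; a result of "kpti" means the kernel both reports isolation and is at or past the 4.14.13 release the mail names, whereas "kaiser-backport" on a 4.9.x kernel is the configuration the mail says to move away from.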