Re: How to safely hold kernel packages ?

[Stéphane Rivière <stef@genesix.org>]

At first thanks you all for you good advices.

I will follow them, update kernels and apply the appropriate options 
(thanks for the link). I did not find what exactly is the nokaiser 
option and I will use nopti.

I agree dpkg-jiu-jitsu is an uncomfortable sport and understand i've 
hold the wrong (meta) packages.

All the best from here...

Stef

-----------------------------

Finally, just for fun, my reasoning (for what it's worth), about 
avoiding these patches

Theses incompletes and CPU consuming patchs are *mandatory* if using 
(for example):

- A VM in a public cloud (wild neighborhood ;)
- A VM in a dedicated server which host others VM of different security 
level (datas, users and admins of different security levels)
- A multi-user system with users handling information at different 
levels of security

In my use case:

- Servers are real dedicated ones (no public or private cloud)
- Hypervisors and VMs are under control of people of same level security
- All VM are equal in a security point of view (datas & people involved)

Keep in mind theses flaws are (perhaps) useable if, and only if a VM is 
already infected (theses flaws needs a local running process !)

My reasoning is that if I have a wild running process in a VM, then this 
VM is compromised and I must simply destroy it !

I'm really concerned about security, performance and reliability. I talk 
about this with a lot of others OVH sysadmins customers (we share an ML 
called bar@ml.ovh.net (in french). But I do not pretend to be right, and 
also open to different points of view.

In any case :
- These hardware bugs are simply catastrophic.
- The patches applied are partial, with bads side-effects
- Some of the bugs can't be correcting (whithout changing the CPU)

--
Stéphane Rivière
Ile d'Oléron - France