
Re: Arch qualification for buster: call for DSA, Security, toolchain concerns



On Fri, 2018-06-29 at 22:31 +0200, Moritz Mühlenhoff wrote:
> Niels Thykier wrote:
> > If the issues and concerns from you or your team are not up to date,
> > then please follow up to this email (keeping debian-release@l.d.o and
> > debian-ports@l.d.o in CC to ensure both parties are notified).
> 
> Two issues that we discussed at the recent Security Team sprint wrt
> problems affecting buster:
> 
> (1) Linux upstream security support for i386 seems at risk at this point.
> E.g. KPTI for i386 still isn't merged in Linux master half a year later after
> the public Meltdown disclosure in early January (and the development of KPTI
> started months before that). Someone at SuSE actually developed patches
> as an older SLES release using Linux 3.0 (!) still supports i386, but that
> will also EOL at some point and if we don't have the manpower to
> develop upstream fixes for future i386-specific flaws.
> 
> It's not a strict blocker, but we wanted to raise the discussion whether
> it still makes sense to ship 32 bit kernels for buster, which means with
> support until ~ 2022.
[...]

The lack of Meltdown mitigation on i386 is concerning, though I remain
somewhat hopeful that it will get fixes eventually.  A quick look
through kernel-sec finds maybe 3 other i386-specific issues in the last
5 years (CVE-2013-0190, CVE-2014-4508, CVE-2016-3672), and none of the
fixes were difficult to backport.

It's worth noting that Meltdown also never got mitigated for any of the
other affected architectures (at least ppc64el and s390x) in jessie,
despite being addressed upstream.  So I don't think it makes sense to
pick on i386 as being particularly vulnerable.

Also, I don't think it is currently tenable to have a release
architecture without a kernel.  We still don't have a way to
interactively install multiarch amd64/i386 systems.

Ben.

-- 
Ben Hutchings
Sturgeon's Law: Ninety percent of everything is crap.
