
Re: Arch qualification for buster: call for DSA, Security, toolchain concerns



On Fri, Jun 29, 2018 at 10:33:16PM +0100, Ben Hutchings wrote:
> On Fri, 2018-06-29 at 22:31 +0200, Moritz Mühlenhoff wrote:
> > Niels Thykier wrote:
> > > If the issues and concerns from you or your team are not up to date,
> > > then please follow up to this email (keeping debian-release@l.d.o and
> > > debian-ports@l.d.o in CC to ensure both parties are notified).
> > 
> > Two issues that we discussed at the recent Security Team sprint wrt
> > problems affecting buster:
> > 
> > (1) Linux upstream security support for i386 seems at risk at this point.
> > E.g. KPTI for i386 still isn't merged in Linux master half a year later after
> > the public Meltdown disclosure in early January (and the development of KPTI
> > started months before that). Someone at SuSE actually developed patches
> > as an older SLES release using Linux 3.0 (!) still supports i386, but that
> > will also EOL at some point and if we don't have the manpower to
> > develop upstream fixes for future i386-specific flaws.
> > 
> > It's not a strict blocker, but we wanted to raise the discussion whether
> > it still makes sense to ship 32 bit kernels for buster, which means with
> > support until ~ 2022.
> [...]
> 
> The lack of Meltdown mitigation on i386 is concerning, though I remain
> somewhat hopeful that it will get fixes eventually.  A quick look
> through kernel-sec finds maybe 3 other i386-specific issues in the last
> 5 years (CVE-2013-0190, CVE-2014-4508, CVE-2016-3672), and none of the
> fixes were difficult to backport.

Fair enough. Ultimately it's your call, but we wanted to raise it due to
the long-term perspective upstream.

> It's worth noting that Meltdown also never got mitigated for any of the
> other affected architectures (at least ppc64el and s390x) in jessie,
> despite being addressed upstream.  So I don't think it makes sense to
> pick on i386 as being particularly vulnerable.

Well, the difference is that 99% of users still installing a buster system
with i386 are doing it out of ignorance and would otherwise be protected
if they'd picked amd64. For ppc64el and s390x no such alternative exists.

Cheers,
        Moritz
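A practical check that follows from the exchange above, added here as an example and not taken from the thread or from Debian's own tooling: it tells an administrator whether a host is running a 32-bit x86 kernel on a CPU that could run amd64 (the "lm" flag in /proc/cpuinfo), and whether the kernel reports a Meltdown mitigation in /sys/devices/system/cpu/vulnerabilities/meltdown. The function names, the verdict strings and the sample inputs in the usage line are all of my choosing. Two caveats the script encodes: the sysfs vulnerabilities directory only exists since Linux 4.15, so a missing file is reported as "unknown" rather than as safe; and 32-bit PTI was merged upstream later (Linux 4.19), so a newer kernel may report "Mitigation: PTI" even on i386.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies a host's Meltdown
# exposure from three inputs so it can be exercised offline with constructed
# values; check_live_system() feeds it the real values from the running host.
#
# Usage: classify_meltdown_exposure KERNEL_ARCH CPU_FLAGS MELTDOWN_STATUS
#   KERNEL_ARCH     output of `uname -m` (e.g. i686, x86_64)
#   CPU_FLAGS       the "flags" line of /proc/cpuinfo, space separated
#   MELTDOWN_STATUS contents of /sys/devices/system/cpu/vulnerabilities/meltdown
#                   (present since Linux 4.15), or the literal word "absent"
#                   when the file does not exist
classify_meltdown_exposure() {
    arch=$1
    flags=$2
    status=$3

    case "$arch" in
        i?86)   kernel_bits=32 ;;
        x86_64) kernel_bits=64 ;;
        *)      echo "not-x86"; return 0 ;;
    esac

    # "lm" (long mode) means the CPU can run a 64-bit (amd64) kernel.
    cpu_64=0
    for f in $flags; do
        if [ "$f" = lm ]; then cpu_64=1; fi
    done

    # Map the kernel's own report to a verdict; a missing file (old kernel)
    # is deliberately "unknown", never "mitigated".
    case "$status" in
        absent)         mit="unknown" ;;
        "Not affected") mit="not-affected" ;;
        Mitigation:*)   mit="mitigated" ;;
        Vulnerable*)    mit="vulnerable" ;;
        *)              mit="unknown" ;;
    esac

    # The case the thread is about: a 32-bit kernel on 64-bit-capable hardware
    # without a reported mitigation, where reinstalling as amd64 would help.
    if [ "$kernel_bits" = 32 ] && [ "$cpu_64" = 1 ]; then
        case "$mit" in
            mitigated|not-affected) echo "32bit-on-64bit-cpu:$mit" ;;
            *) echo "32bit-on-64bit-cpu:$mit:switch-to-amd64" ;;
        esac
    else
        echo "${kernel_bits}bit:$mit"
    fi
}

# Read the three inputs from the running system and classify them.
check_live_system() {
    arch=$(uname -m)
    flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' /proc/cpuinfo 2>/dev/null | head -n 1)
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then status=$(cat "$f"); else status=absent; fi
    classify_meltdown_exposure "$arch" "$flags" "$status"
}

# Constructed sample: an i686 kernel on an lm-capable CPU, kernel says Vulnerable.
classify_meltdown_exposure i686 'fpu vme lm' 'Vulnerable'
check_live_system
```

The constructed sample prints "32bit-on-64bit-cpu:vulnerable:switch-to-amd64", which is exactly the population Moritz describes: a machine that would have been covered by KPTI had amd64 been installed. The live check is only as good as the kernel's self-report; on a pre-4.15 kernel the script cannot tell and says so.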

