
Re: current status of spectre/meltdown



On 2018-02-21 21:12:31, Fabian Grünbichler wrote:
> On 02/21/2018 08:40 PM, Antoine Beaupré wrote:
>> Hi,
>> 
>> Trying to do a recap here to update the wiki page correctly:
>> 
>> https://wiki.debian.org/DebianSecurity/SpectreMeltdown
>> 
>> See if you can fill in the blanks I've found...
>
> (Disclaimer: not involved in all of this in any capacity on the Debian side
> besides testing the preview gcc packages for downstream usage, so please
> take with a grain of salt ;) I don't know any details about non-x86, so
> refraining from commenting too much on those parts)

[...]

> this got kinda long, sorry ;)

Well, that's a great response!

I've tried to summarize your responses and those of others in the thread
in the wiki, which gives us the following diff:

https://wiki.debian.org/DebianSecurity/SpectreMeltdown?action=diff&rev2=30&rev1=26

You'll also notice I flipped the "yellow" color back to "green" for
Spectre v1. I'm not sure why this was yellow: I chose that color before
because I felt this was only partially mitigated, but I feel that we
have "as good as we can get" mitigation.

From what I understand, we'd need a full audit of the complete source
code of the Debian archive (!) and, once that's done, a full rebuild
with retpoline. That is not a realistic expectation and so I simply
noted that we do not plan to do a full rebuild at this stage.

Hutchings also added per-architecture tables and more details, thanks
for that!

Hopefully we're a little better in terms of documentation. I'd still
like to see a better userland section, but I'm not sure where to
start...

Thanks for your help!

A.

-- 
To be naive and easily deceived is impermissible, today more than
ever, when the prevailing untruths may lead to a catastrophe because
they blind people to real dangers and real possibilities.
                        - Erich Fromm

