
Re: Better communication about spectre/meltdown



On 01/04/18 13:48, Roberto C. Sánchez wrote:
> On Tue, Mar 20, 2018 at 12:30:28AM +0000, Ben Hutchings wrote:
>>
>> I released Linux 3.2.101 today with a backport of the retpoline
>> changes, and have rebased that branch onto it.  The new orig tarball is
>> at https://people.debian.org/~benh/linux_3.2.101.orig.tar.xz
>>
>> I was able to build this branch for amd64 using gcc-4.9 from jessie,
>> and it reports full retpoline support.
>>
> 
> Hi everyone.
> 
> My apologies for the unreasonably long delay in my follow-up to this. I
> was able to backport the gcc-4.9 packages to wheezy. It required
> adjusting several of the build dependencies:
> 
>  - libcloog-isl-dev: 0.18 -> 0.17
>  - libmpc-dev: 1.0 -> 0.9
>  - dpkg-dev: 1.17.11 -> 1.16.18
>  - libc6-dev-x32: removed (x32 architecture not supported in wheezy)
>  - libx32gcc1: removed (x32 architecture not supported in wheezy)
>  - binutils: 2.25-3 -> 2.22-8
>  - binutils-multiarch: 2.25-3 -> 2.22-8
> 
> At first I was worried about the versions of the build dependencies.
> However, in each case I looked at the packaging history and tried to
> identify if there was an identifiable reason for the specific version of
> the build dependency. In nearly every case I was able to conclusively
> determine that the version was simply "the current version of that
> package when the build dependency was introduced/updated."
> 
> Based on that, I am comfortable that successful completion of the build
> indicates that my backport was "correct" and that the build dependency
> version adjustments did not break anything.
> 
> That said, I did notice a difference between the built packages on
> jessie and wheezy. Specifically, none of the lib64<foo>, libn32<foo>,
> and libx32<foo> packages were built on wheezy. I expected the libx32
> packages to be missing, but I was surprised by the others. I presume
> that they too are associated with x32 in some way. Is this correct?
> 
> I was also concerned about building amd64 packages only and uploading
> those. In particular, I would have preferred to perform a source upload,
> but as I understand it, that will not work for wheezy. Additionally,
> when I checked the PTS for information on the recent jessie upload it
> was a binary upload built for amd64. That makes me somewhat less
> concerned. Would it be correct to think that this would be a "normal"
> upload that will end up getting built for all supported LTS
> architectures? I don't suppose that there would be a reason to restrict
> the upload to amd64 only.
> 
> The packages can be found here:
> 
> https://people.debian.org/~roberto/
> https://people.debian.org/~roberto/gcc-4.9_4.9.2-10+deb7u1.dsc
> 
> (I have signed the .dsc and .changes files with my GPG key)
> 
> At this point I feel like the packages are ready for upload, but it
> seems prudent to first wait for confirmation that the kernel build on
> wheezy works with this backported gcc. Once I receive that confirmation,
> I will proceed with uploading and releasing a DLA (patterned after
> DSA-4117-1). Is there anything special that will need to be done in
> order to introduce a new source package to wheezy?
> 
> As I was finishing this message I just noticed that I forgot to include
> the orig.tar.gz in the packages that I built, so I have started another
> build that will include it. That will be what I end up uploading, unless
> changes are required.

Your new GCC builds binaries such as libgcc1 and libstdc++6. That is going to
affect nearly all the archive at runtime, and I wonder if it's the right
approach. We introduced GCC 4.8 in wheezy, named gcc-mozilla (a bad name I know)
which didn't build these libraries, so it didn't affect the rest of the archive,
which was still building with GCC 4.6 or 4.7 (depending on the architecture).

One option here would be to use your gcc-4.9 with the gcc-mozilla packaging to
build everything in one binary; we'd only need to make sure that
firefox/thunderbird are still happy about it. Perhaps that's just complicating
things, so I'm not opposed to introducing gcc-4.9. Just wondering about the
consequences of the library updates.

Cheers,
Emilio

