
Re: Xen 4.4 updates vs. Xen Stretch backport



Hi Peter,

On Thu, Dec 06, 2018 at 10:45:29AM +0100, Peter Dreuw wrote:
> sorry for replying late. I picked up a cold and was out of office some
> days.

/me also waves with a jojo-cold (going up and down)

> > If some of the Spectre mitigations can't be backported, make a detailed
> > writeup of what people are missing in 4.4 and let them handle it
> > based on that data (update to stretch or stick with 4.4/jessie); there's
> > still plenty of legitimate use cases which can be run in a secure
> > manner with 4.4 (internal VMs with trusted users etc).
> 
> I doubt that this is a valid point. In a (totally) "secure" environment
> (=internal VMs) with trusted users, there is not much point doing most
> of the security fixes at all. But we do this? Because there is no such
> thing as a (perfect) secure environment.
 
sure, there is the point where it's too much work or impossible to
backport a fix. (and as such there is a point for running known buggy
software, in contained environments where such risks can be taken.)

And that's why Moritz suggests to make a list, or rather
two: one, which shows which spectre (and other) mitigations have been
backported to xen 4.4 and another list with those which have not been.

with that list, users can then decide, whether they can still afford to
run jessie or need to upgrade.

> The only questions to be asked are:
> 
> A) can we do it?
> B) can it be afforded?

indeed. And AIUI you said "yes" to A.

> What users might do with the software distributed is out of our scope. 
> While question A is very technical and right now for me not clearly to
> be answered with a "yes"  - at least not 100% - Question B is not only
> about available working time but also about commitment. How much
> workload a (LTS) project is willing to take?

to answer B: LTS can afford you to spend up to 40h on this (now, maybe
more in January, we'll see). *But please* don't spend those 40h now and
then report what you have done, but rather report here after 20h spent
(or so, could be 15h too, maybe 25h is fine as well).

Also, - if possible - please make it your goal to finish some fixes with
a xen upload to LTS (within those 40h), so your work reaches the users.
And then we can include those two lists (see above) in the DLA, saying
which things are fixed and which aren't yet.


Hoping this makes sense and is a sensible path forward. If not, please
clarify/correct me.


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
