Re: Arch qualification for buster: call for DSA, Security, toolchain concerns

To: debian-release@lists.debian.org, debian-ports@lists.debian.org, debian-riscv@lists.debian.org
Cc: debian-admin@lists.debian.org, team@security.debian.org, debian-gcc@lists.debian.org, debian-glibc@lists.debian.org
Subject: Re: Arch qualification for buster: call for DSA, Security, toolchain concerns
From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Date: Fri, 29 Jun 2018 10:20:50 +0100
Message-id: <[🔎] CAPweEDyMk+W5BEQ5JCLDQ5xBcwAyzojY56W1nkvqn2eaeM_2sA@mail.gmail.com>
In-reply-to: <[🔎] d47ea159-ace7-e36d-ccb7-14ea911dbc6e@thykier.net>
References: <[🔎] d47ea159-ace7-e36d-ccb7-14ea911dbc6e@thykier.net>

On Wed, Jun 27, 2018 at 9:03 PM, Niels Thykier <niels@thykier.net> wrote:

> armel/armhf:
> ------------
>
>  * Undesirable to keep the hardware running beyond 2020.  armhf VM
>    support uncertain. (DSA)
>    - Source: [DSA Sprint report]

 [other affected 32-bit architectures removed but still relevant]

 ... i'm not sure how to put this other than to just ask the question.
has it occurred to anyone to think through the consequences of not
maintaining 32-bit versions of debian for the various different
architectures?  there are literally millions of ARM-based tablets and
embedded systems out there which will basically end up in landfill if
a major distro such as debian does not take a stand and push back
against the "well everything's going 64-bit so why should *we*
bother?" meme.

 arm64 is particularly inefficient and problematic compared to
aarch32: the change in the instruction set resulted in dropping some
of the more efficiently-encoded instructions that extend a 64-bit
program size, require a whopping FIFTY PERCENT instruction-cache size
increase to compensate for, whch increased power consumption by over
15%.

 in addition, arm64 is usually speculative OoO (Cavium ThunderX V1
being a notable exception) which means it's vulnerable to spectre and
meltdown attacks, whereas 32-bit ARM is exclusively in-order.  if you
want to GUARANTEE that you've got spectre-immune hardware you need
either any 32-bit system (where even Cortex A7 has virtualisattion) or
if 64-bit is absolutely required use Cortex A53.

 basically, abandoning or planning to abandon 32-bit ARM *right now*
leaves security-conscious end-users in a really *really* dicey
position.

> We are currently unaware of any new architectures likely to be ready in
> time for inclusion in buster.

 debian-riscv has been repeatedly asking for a single zero-impact line
to be included in *one* file in *one* dpkg-related package which would
allow riscv to stop being a NMU architecture and become part of
debian/unstable (and quickly beyond), for at least six months, now.
cc'ing the debian-riscv list because they will know the details about
this.  it's really quite ridiculous that a single one-line change
having absolutely no effect on any other architecture whatsover is not
being actioned and is holding debian-riscv back because of that.

 what is the reason why that package is not moving forward?

 l.

Reply to:

Follow-Ups:
- Re: Arch qualification for buster: call for DSA, Security, toolchain concerns
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Arch qualification for buster: call for DSA, Security, toolchain concerns
  - From: lsorense@csclub.uwaterloo.ca (Lennart Sorensen)

References:
- Arch qualification for buster: call for DSA, Security, toolchain concerns
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Re: Arch qualification for buster: call for DSA, Security, toolchain concernsj
Next by Date: Re: Arch qualification for buster: call for DSA, Security, toolchain concerns
Previous by thread: armel/armhf arch qualification for buster: call for DSA, Security, toolchain concernsj
Next by thread: Re: Arch qualification for buster: call for DSA, Security, toolchain concerns
Index(es):
- Date
- Thread