
How to safely hold kernel packages?



Hi all,

I wanted to avoid kernel updates after the Spectre/Meltdown 'bug', also known as the KPTI or kaiser CPU flaw. In my specific context, these patches are useless or even harmful.



Before applying an aptitude update/upgrade to all the servers and VMs I'm in charge of, I did a little test on a Debian 9 stable workstation, with the kernel linux-image-4.9.0-4-amd64, release 4.9.51-1.

So, after an aptitude search ~i~linux-, I held these meta-packages:

aptitude hold linux-image-amd64
aptitude hold linux-headers-amd64

Then I checked the applied holds:

aptitude search ~ahold

ihA linux-headers-amd64
ih  linux-image-amd64

then... aptitude update/upgrade



After that... I discovered a kernel change:

linux-image-4.9.0-4-amd64 release 4.9.65-3 (instead of 4.9.51-1 previously)

Reading: http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.9.65-3+deb9u2_changelog

I discovered I had applied precisely the patch I wished to avoid.

linux (4.9.65-3+deb9u2) stretch-security; urgency=high
.../...
  * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
    (CVE-2017-5754)

Fortunately, there is a new "nokaiser" boot option!
(happy end).



So it seems I have just learned that the aptitude 'hold' command is for the package version (i.e. 4.9.0-4), not for the package's security-fix versions (4.9.65-3)...

But is there a way to really *freeze* a package (block all updates)?

Is it the aptitude 'keep' option? (I can't really see the difference from 'hold'.)

Or maybe it's better to apply the security patches and use the new "nokaiser" boot option...



Thanks a lot in advance for your advice ;)


All the best from France...

--
Stéphane Rivière
Ile d'Oléron - France
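
Added example, not part of Stéphane's message or of any Debian tooling: the distinction his test ran into is that holding linux-image-amd64 freezes only the metapackage, whose job is to pull in the next ABI (e.g. a hypothetical linux-image-4.9.0-5-amd64), while the security upload 4.9.65-3+deb9u2 arrived inside the already-installed, ABI-versioned package linux-image-4.9.0-4-amd64, which was never held. The script below reads a `dpkg --get-selections`-style listing (a constructed sample, not output from the post) and reports whether the running kernel's versioned image package is actually on hold; `apt-mark hold` on that versioned package is the assumed way to freeze it in place, since a dpkg hold stops apt and aptitude from upgrading that package.

```shell
#!/bin/sh
# Added example: tells a hold on the kernel metapackage apart from a hold on
# the ABI-versioned image package that actually receives security uploads.

# Constructed sample of `dpkg --get-selections` output (not real system data):
# the metapackages are held, the versioned packages are not, which is the
# situation described in the post.
META_ONLY='linux-headers-amd64            hold
linux-image-amd64              hold
linux-image-4.9.0-4-amd64      install
linux-headers-4.9.0-4-amd64    install'

# Name of the versioned image package for a running kernel release (uname -r).
versioned_image_pkg() {
    printf 'linux-image-%s\n' "$1"
}

# Selection state (install/hold/deinstall/purge) of one package in a selections
# listing passed as the second argument; prints "missing" if it is not listed.
selection_of() {
    printf '%s\n' "$2" | awk -v pkg="$1" '
        $1 == pkg { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Classify the kernel hold for a release: "held" if the versioned image package
# is on hold, "meta-only" if only linux-image-amd64 is, "unheld" otherwise.
kernel_hold_status() {
    release=$1
    selections=$2
    if [ "$(selection_of "$(versioned_image_pkg "$release")" "$selections")" = hold ]; then
        echo held
    elif [ "$(selection_of linux-image-amd64 "$selections")" = hold ]; then
        echo meta-only
    else
        echo unheld
    fi
}

# Commands that would freeze the running kernel's real packages. They are
# printed rather than executed so the script is safe to run anywhere.
hold_commands() {
    printf 'apt-mark hold linux-image-%s linux-headers-%s\n' "$1" "$1"
}

# Stand-alone run against the constructed sample; on a live system replace
# META_ONLY with "$(dpkg --get-selections)" and the release with "$(uname -r)".
status=$(kernel_hold_status 4.9.0-4-amd64 "$META_ONLY")
echo "hold status for 4.9.0-4-amd64: $status"
[ "$status" = held ] || hold_commands 4.9.0-4-amd64
```

Holding both the metapackage and the versioned packages is the only way to block every kernel update; the cost is that the held kernel then receives none of the other fixes that ride along in a security upload such as 4.9.65-3+deb9u2, so the hold is a deliberate risk acceptance. The alternative raised in the post, taking the update and switching the mitigation off at boot, keeps those other fixes.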

