On Fri, Jun 29, 2018 at 10:33:16PM +0100, Ben Hutchings wrote:
> On Fri, 2018-06-29 at 22:31 +0200, Moritz Mühlenhoff wrote:
> > Niels Thykier wrote:
> > > If the issues and concerns from you or your team are not up to date,
> > > then please follow up to this email (keeping debian-release@l.d.o and
> > > debian-ports@l.d.o in CC to ensure both parties are notified).
> >
> > Two issues that we discussed at the recent Security Team sprint wrt
> > problems affecting buster:
> >
> > (1) Linux upstream security support for i386 seems at risk at this point.
> > E.g. KPTI for i386 still isn't merged in Linux master half a year after
> > the public Meltdown disclosure in early January (and the development of KPTI
> > started months before that). Someone at SuSE actually developed patches
> > as an older SLES release using Linux 3.0 (!) still supports i386, but that
> > will also EOL at some point and if we don't have the manpower to
> > develop upstream fixes for future i386-specific flaws.
> >
> > It's not a strict blocker, but we wanted to raise the discussion whether
> > it still makes sense to ship 32 bit kernels for buster, which means with
> > support until ~ 2022.
> [...]
>
> The lack of Meltdown mitigation on i386 is concerning, though I remain
> somewhat hopeful that it will get fixes eventually. A quick look
> through kernel-sec finds maybe 3 other i386-specific issues in the last
> 5 years (CVE-2013-0190, CVE-2014-4508, CVE-2016-3672), and none of the
> fixes were difficult to backport.

Fair enough. Ultimately it's your call, but we wanted to raise it due to
the long term perspective upstream.

> It's worth noting that Meltdown also never got mitigated for any of the
> other affected architectures (at least ppc64el and s390x) in jessie,
> despite being addressed upstream. So I don't think it makes sense to
> pick on i386 as being particularly vulnerable.

Well, the difference is that 99% of users still installing a buster system
with i386 are doing it out of ignorance and would otherwise be protected
if they'd picked amd64. For ppc64el and s390x no such alternative exists.

Cheers,
        Moritz