On 2018-02-06 at 12:00, Stéphane Rivière wrote:

> Hi all,
>
> I wanted to avoid kernel updates after the Spectre/Meltdown 'bug',
> also known as KPTI or kaiser CPU flaw. In my specific context, these
> patches are useless or even harmful.

As indicated by Andy Smith, you should probably upgrade anyway and apply
a kernel command-line option to disable this behavior, since there are
other fixes included in the updated kernels.

> Before applying an aptitude update/upgrade to all the servers and VMs
> I'm in charge, I've done a little test on a Debian 9 stable
> workstation, with the kernel linux-image-4.9.0-4-amd64 release
> 4.9.51-1
>
> So, after an aptitude search ~i~linux- I hold these meta-packages :
>
> aptitude hold linux-image-amd64
> aptitude hold linux-headers-amd64
>
> Then I check the applied holds :
>
> aptitude search ~ahold
>
> ihA linux-headers-amd64
> ih  linux-image-amd64
>
> then... aptitude update/upgrade
>
> After that... I discover a kernel change :
>
> linux-image-4.9.0-4-amd64 release 4.9.65-3 (instead of previously
> 4.9.51-1)
>
> So it seems I just learned that the 'hold' aptitude command is for packet
> version (i.e 4.9.0-4), not for package security fixes versions
> (4.9.65-3)...
>
> But is there a way to really *freeze* a packet (block all updates) ?

There is. 'hold' should do it; I think you just held the wrong packages.

As I understand matters, linux-image-amd64 is a metapackage, or something
similar to one. It does not contain any actual kernel; it just depends on
another package, which does contain a kernel.

For example, linux-image-amd64 version 4.9* will depend on a
linux-image-4.9.*-amd64 package, and linux-image-amd64 version 4.14* will
depend on a linux-image-4.14*-amd64 package.

The "below" packages can get new versions even when the "above" package
doesn't; in fact, they very commonly do, since AFAIK most of the time
there's no need for a new linux-image-amd64 version except when switching
from e.g. 4.9.x to 4.14.x.

Once that other package is installed, if it has a new version available,
a mass "upgrade" command will cause that other package to be upgraded to
a new version - even if linux-image-amd64 itself doesn't have a new
version.
-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
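An added shell example, not code from the thread or from Debian, that turns the reply's point into a check: it parses the three-character state column that `aptitude search` prints (first char `i` = installed, second char `h` = hold, third char `A` = automatically installed) and reports which installed kernel packages with a version in their name are not held. The sample output is constructed to mirror the original poster's situation (only the metapackage held); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find concrete kernel
# packages that still receive upgrades because only the metapackage is held.

# Constructed sample of `aptitude search '~i~nlinux-image'` on a Debian 9
# box where `aptitude hold linux-image-amd64` was run: the metapackage shows
# the 'h' flag, the real kernel package linux-image-4.9.0-4-amd64 does not.
SAMPLE='i A linux-image-4.9.0-4-amd64 - Linux 4.9 for 64-bit PCs
ih  linux-image-amd64 - Linux for 64-bit PCs (meta-package)'

# installed_kernel_pkgs LINES: names of installed packages whose name carries
# a kernel version, i.e. the packages that actually contain a kernel image.
installed_kernel_pkgs() {
  printf '%s\n' "$1" | awk '
    substr($0, 1, 1) == "i" {
      name = substr($0, 5); sub(/ .*/, "", name)
      if (name ~ /^linux-image-[0-9]/) print name
    }'
}

# unheld_kernel_pkgs LINES: the subset of those whose hold flag is not set,
# so a plain "aptitude upgrade" would still move them to a newer version.
unheld_kernel_pkgs() {
  printf '%s\n' "$1" | awk '
    substr($0, 1, 1) == "i" && substr($0, 2, 1) != "h" {
      name = substr($0, 5); sub(/ .*/, "", name)
      if (name ~ /^linux-image-[0-9]/) print name
    }'
}

# hold_commands LINES: the aptitude commands that would close the gap.
hold_commands() {
  unheld_kernel_pkgs "$1" | while IFS= read -r pkg; do
    printf 'aptitude hold %s\n' "$pkg"
  done
}

# Stand-alone run against the constructed sample. On a real system, feed it
# live output instead:  hold_commands "$(aptitude search '~i~nlinux-image')"
hold_commands "$SAMPLE"
```

Run against the sample it prints `aptitude hold linux-image-4.9.0-4-amd64`; on a machine where the concrete package is already held, it prints nothing. Note that it only inspects aptitude's own hold state, which is the state `aptitude search ~ahold` shows, so a hold placed with `apt-mark hold` or `dpkg --set-selections` is not reflected in this column.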