First, thank you all for your good advice.
I will follow it, update kernels and apply the appropriate options
(thanks for the link). I did not find what exactly the nokaiser
option is, and I will use nopti.
I agree dpkg-jiu-jitsu is an uncomfortable sport and understand I've
held the wrong (meta) packages.
All the best from here...
Stef
-----------------------------
Finally, just for fun, my reasoning (for what it's worth) about
avoiding these patches:
These incomplete and CPU-consuming patches are *mandatory* if using
(for example):
- A VM in a public cloud (wild neighborhood ;)
- A VM in a dedicated server which hosts other VMs of different security
levels (data, users and admins of different security levels)
- A multi-user system with users handling information at different
levels of security
In my use case:
- Servers are real dedicated ones (no public or private cloud)
- Hypervisors and VMs are under the control of people of the same security level
- All VMs are equal from a security point of view (data & people involved)
Keep in mind these flaws are (perhaps) usable if, and only if, a VM is
already infected (these flaws need a local running process!)
My reasoning is that if I have a wild running process in a VM, then this
VM is compromised and I must simply destroy it!
I'm really concerned about security, performance and reliability. I talk
about this with a lot of other OVH sysadmin customers (we share an ML
called b...@ml.ovh.net, in French). But I do not pretend to be right, and
am also open to different points of view.
In any case:
- These hardware bugs are simply catastrophic.
- The patches applied are partial, with bad side effects
- Some of the bugs can't be corrected (without changing the CPU)
--
Stéphane Rivière
Ile d'Oléron - France