On 180206-11:32+0000, KatolaZ wrote: > On Tue, Feb 06, 2018 at 10:57:39AM +0000, Miroslav Rovis wrote: > > This is a re-send, because indeed the planned changed subject (just below) > > got > > lost. All the rest of the email is same as the previous. Pls. if you do > > reply, > > use this one with the changed subject. > > > Miroslav, > > the microcode packages in Devuan come from Debian, so there is no > obscure plan to weaken Devuan. Neither did I allude there was any such plan. :)
But first, thanks for replying. > Those packages belong to the non-free component, and nobody can alter > the content since they are proprietary closed-source stuff, coming > directly from the HW producers, just presented to you within a .deb > wrapping. You use them at your own risk, and when you use them you are > trusting the HW producer, not Devuan or Debian. Known to me, what you write above. With "reaffirm security" I meant: fight spectre-meltdown vulns, not find any imaginary weasels that weaken Devuan. I don't imagine any. BTW, to reply to one of my two main queries in my previous mail (the other one about the compiler toolchain remains and itch), I found the new amd64-microcode [1] , is (allegedly [2]) in Devuan. Just, non-expert as I am, I got a little confused with Ceres that I have run for a month or two, and in the last few days wanted to go back to Ascii... Alas, it must be in some of the commented out in my /etc/apt/sources.list: #deb tor+https://pkgmaster.devuan.org/merged ceres main contrib non-free #deb tor+https://packages.devuan.org/merged ceres main contrib non-free Uncommenting them now to get that new spectre-meltrown mitigating amd64-microcode from Devuan, not by dpkg, as I have previously tried. > A 100-lines long rant won't change this state of things, unfortunately. No, it's not. It's where some security might be coming to be reaffirmed, with grsecunoff, for GNU/Linux, not just Devuan. And it's my work there too, which would need more experienced looking into than mine to be improved, and some testing by less and more experienced users alike (the kernel packages that I offer). We now mostly need the amd64-microcode to get loaded, and AMD64 owners can get almost secure again with that work/code available on those minipli pages, and from those. The biggest vulns still open now even with grsecunoff will than be mitigated for AMD64. Sadly, grsecunoff has unknown mileage ahead to reaffirm security for Intel owners... too much conflicting code, aa I quoted minipli's own words in the mail that you replied to (my previous mail). But thanks for your, as usually, stern but still kind reply. --- [1] originally distributed by Suse ahead of specter-meltdown going public, remember the hypothesis on the Schmoog the credit stealer from my previous email... In relation to that hypothesis: Gosh, for more than six months all the top world GNU/Linux developers and coders and maintainers, well of course, just the few really top of that close-knit circle, knew all about it... For more than six freaking months! How many times were those exploits sold and resold, how many people abused with those exploits, just imagine! [2] https://distrowatch.com/table.php?distribution=devuan&pkglist=true&version=unstable shows, currently: amd64-microcode^3.20171205.1 > HND > > KatolaZ > > -- > [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ] > [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ] > [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ] > [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ] > [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ] Regards! -- Miroslav Rovis Zagreb, Croatia https://www.CroatiaFidelis.hr
signature.asc
Description: PGP signature
_______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
