On Wednesday, 31 January 2018 11:30:13 GMT Martin Vaeth wrote:
> Nikos Chantziaras <rea...@gmail.com> wrote:
> > Yeah, that's the kind of software that benefits from the Spectre
> > mitigation patches. Like browsers, virtualization or emulation software,
> > the kernel, etc.
> 
> No. It's software like gnupg, encfs, openssl and all the libraries they
> use (glibc, glib, X etc) which need these patches.
> 
> > Rebuilding the whole system with these flags on doesn't sound like a
> > good idea. Now, I don't know if it would hurt anything, but it's not
> > uncommon for build flags to break random stuff.
> 
> Yep. On x86, gcc cannot compile itself if built with -fno-plt.
> 
> > I haven't seen any word from anyone yet as to whether these flags are
> > actually recommended or not on a system-wide basis.
> 
> Actually, it is not even clear at the moment which flags should be
> used in which settings. (There has been some discussion in the
> gentoo forums but to no completely satisfactory result yet.)
> 
> > So my educated guess is: No. Don't do that.
> 
> Yes and no: It is probably recommended, but the flags are so new and
> so poorly understood that people are hesitating with recommendations.
> Also, Spectre is hard to exploit, so it is perhaps better to wait at
> the moment until some experience is there.
> 
> > If a package is affected, it
> > stands to reason that the upstream of that package would change their
> > build system to use these new flags where needed.
> 
> No, for many reasons:
> 
> 1. Packages often try to not add any flags; especially in gentoo it is a
> policy that they _must_ not: If they do, it would get patched out in gentoo.
> 
> 2. A library has no idea what it is used for. Why should it add something,
> only because some program using it should be protected?
> 
> 3. Adding the flags slows down the programs. It is the user who must
> decide whether patches are desirable for his use case and architecture.
> (Maybe this is less relevant now but in a while when versions of
> processors "immune" to spectre come out.)

Just to dilute my confusion on what I should do to keep desktops safe(r), 
would someone please clarify:

Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 with 
gcc 7.3, or wait until these versions have been stabilised in the tree?

What gcc version shall I use to update @world from then on?

PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with ARM 
in them ...
-- 
Regards,
Mick
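A check that goes with the questions above, added here as an example and not part of the thread or of any Gentoo tooling: it reads the kernel's own self-report of Spectre status and probes whether the installed compiler accepts the mitigation flags the thread mentions, so you can see what your gcc and kernel actually provide before deciding what to keyword. Assumptions: the sysfs directory is the one mainline 4.15+ exposes, the flag names are GCC's x86 options (-fno-plt from the thread, -mindirect-branch=thunk and -mindirect-branch-register from GCC 7.3), and the status strings in the rank function are sample wordings of the kernel's reports. The script changes nothing on the system.

```shell
#!/bin/sh
# Added example (not from the thread): report what the running kernel says
# about Spectre and whether the installed compiler accepts the mitigation
# flags discussed (retpoline thunks from GCC 7.3, -fno-plt).
# Assumptions: sysfs path as in mainline 4.15+; flag names are GCC's x86
# options. Read-only: nothing here enables or changes a mitigation.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CC="${CC:-cc}"

# Map a kernel status line to a rank: 0 = not affected, 1 = mitigated,
# 2 = vulnerable, 3 = unrecognised wording (newer kernels add phrasings).
status_rank() {
    case "$1" in
        "Not affected"*) echo 0 ;;
        "Mitigation:"*)  echo 1 ;;
        "Vulnerable"*)   echo 2 ;;
        *)               echo 3 ;;
    esac
}

# Print each vulnerabilities/ file with its status and rank. Return 1 when
# the directory is missing (kernel older than 4.15, or an arch that does not
# report), so a caller can tell "not reported" from "reported vulnerable".
report_kernel_mitigations() {
    if [ ! -d "$VULN_DIR" ]; then
        echo "no $VULN_DIR: this kernel does not self-report (pre-4.15?)"
        return 1
    fi
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] || continue
        status="$(cat "$f")"
        printf '%-14s rank=%s  %s\n' "$(basename "$f")" \
            "$(status_rank "$status")" "$status"
    done
}

# Return 0 if $CC compiles a trivial translation unit with the given flag,
# 1 if it rejects it (as a pre-7.3 GCC rejects -mindirect-branch=thunk).
cc_accepts_flag() {
    tmp="$(mktemp -d)" || return 2
    printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
    if "$CC" "$1" -c -o "$tmp/t.o" "$tmp/t.c" >/dev/null 2>&1; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Probe the flags from the thread plus GCC 7.3's retpoline options.
report_compiler_flags() {
    command -v "$CC" >/dev/null 2>&1 || { echo "no compiler '$CC'"; return 1; }
    echo "$CC version: $("$CC" -dumpversion 2>/dev/null)"
    for flag in -fno-plt -mindirect-branch=thunk -mindirect-branch-register; do
        if cc_accepts_flag "$flag"; then
            echo "accepted: $flag"
        else
            echo "rejected: $flag"
        fi
    done
}

# Run both reports; failures are informational, not fatal.
report_kernel_mitigations || true
report_compiler_flags || true
```

Run it as a normal user; "rejected: -mindirect-branch=thunk" on an otherwise working gcc simply means the compiler predates 7.3, and a missing vulnerabilities directory means the kernel is too old to say anything, which is a different situation from a file that reads "Vulnerable".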
