On Wednesday, 31 January 2018 11:30:13 GMT Martin Vaeth wrote:
> Nikos Chantziaras <rea...@gmail.com> wrote:
> > Yeah, that's the kind of software that benefits from the Spectre
> > mitigation patches. Like browsers, virtualization or emulation software,
> > the kernel, etc.
>
> No. It's software like gnupg, encfs, openssl and all the libraries they
> use (glibc, glib, X etc) which need these patches.
>
> > Rebuilding the whole system with these flags on doesn't sound like a
> > good idea. Now, I don't know if it would hurt anything, but it's not
> > uncommon for build flags to break random stuff.
>
> Yep. On x86, gcc cannot compile itself if built with -fno-plt.
>
> > I haven't seen any word from anyone yet as to whether these flags are
> > actually recommended or not on a system-wide basis.
>
> Actually, it is not even clear in the moment which flags should be
> used in which settings. (There has been some discussion in the
> gentoo forums but to no completely satisfactory result yet.)
>
> > So my educated guess is: No. Don't do that.
>
> Yes and no: It is probably recommended, but the flags are so new and
> so poorly understood that people are hesitating with recommendations.
> Also, spectre is hard to exploit, so it is perhaps better to wait in
> the moment until some experience is there.
>
> > If a package is affected, it
> > stands to reason that the upstream of that package would change their
> > build system to use these new flags where needed.
>
> No, for many reasons:
>
> 1. Packages often try to not add any flags; especially in gentoo it is a
> policy that they _must_ not: If they do, it would get patched out in gentoo.
>
> 2. A library has no idea what it is used for. Why should it add something,
> only because some program using it should be protected?
>
> 3. Adding the flags slows down the programs. It is the user who must
> decide whether patches are desirable for his use case and architecture.
> (Maybe this is less relevant now but in a while when versions of
> processors "immune" to spectre come out.)
Just to dilute my confusion on what I should do to keep desktops safe(r), would someone please clarify: Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 with gcc 7.3, or wait until these versions have been stabilised in the tree? What gcc version shall I use to update @world from then on?

PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with ARM in them ...

--
Regards,
Mick
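Martin's point 3 (the user decides per use case) is exactly what Portage's per-package environment files are for: the mitigation flags can be scoped to the handful of packages that handle secrets instead of going into make.conf for all of @world. The POSIX shell script below is an added example, not code from this thread or from Gentoo itself. It writes an /etc/portage/env file plus package.env entries under a root directory you pass in, so it can be tried in a scratch directory first. Which flags to scope and which atoms to list are assumptions for illustration; -mindirect-branch=thunk is the retpoline switch that x86 GCC 7.3 provides, -fno-plt is the flag named in the thread, and sys-devel/gcc is deliberately not listed because the thread notes gcc cannot build itself with -fno-plt.

```shell
#!/bin/sh
# Added example: scope Spectre-related CFLAGS to selected packages via
# Portage's /etc/portage/env + /etc/portage/package.env rather than make.conf.
set -eu

# setup_spectre_env ROOT ATOM...
# Writes ROOT/etc/portage/env/spectre-thunk and appends one
# "ATOM spectre-thunk" line per package to ROOT/etc/portage/package.env.
# Flag choice is an assumption for illustration (GCC >= 7.3, x86).
setup_spectre_env() {
    root="$1"; shift
    envdir="$root/etc/portage/env"
    mkdir -p "$envdir"
    cat > "$envdir/spectre-thunk" <<'EOF'
CFLAGS="${CFLAGS} -mindirect-branch=thunk -fno-plt"
CXXFLAGS="${CXXFLAGS} -mindirect-branch=thunk -fno-plt"
EOF
    # One atom per line; packages not listed here (e.g. sys-devel/gcc)
    # keep the plain make.conf flags.
    for atom in "$@"; do
        printf '%s spectre-thunk\n' "$atom"
    done >> "$root/etc/portage/package.env"
}

# has_spectre_env ATOM ROOT  -> exit 0 if ATOM is scoped to the env file
has_spectre_env() {
    grep -q "^$1 spectre-thunk\$" "$2/etc/portage/package.env"
}

# Usage on a real box (as root, then rebuild the listed packages):
#   setup_spectre_env / app-crypt/gnupg dev-libs/openssl sys-libs/glibc
#   emerge -1 app-crypt/gnupg dev-libs/openssl sys-libs/glibc
```

Run it against a scratch root first and inspect the two generated files; the ROOT argument exists only so the layout can be checked without touching a live /etc/portage.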