From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: Re: Meltdown / Spectre
Date: Tue, 9 Jan 2018 23:59:30 -0500
Message-ID: <20180110045930.GA29390@jasmine.lan>
References: <874lnzcedp.fsf@gmail.com> <20180106174358.GA28436@jasmine.lan> <87vageeobi.fsf@netris.org> <87incedvgv.fsf@netris.org> <87k1wtcq7m.fsf@netris.org> <87wp0qognk.fsf@gmail.com>
In-Reply-To: <87wp0qognk.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Alex Vong
Cc: guix-devel@gnu.org

On Wed, Jan 10, 2018 at 05:39:59AM +0800, Alex Vong wrote:
> I have an idea. Should we add a news entry to Guix blog[0] summarizing
> all the above? For example, we can advise users to install noscript and
> turn off javascript by default and only enable it on trusted sites when
> necessary.

I think it's a good idea to publish an advisory of some sort but I don't
know if I'll have time in the next few days to write it.
> About the "Retpoline" mitigation technique[1]. Right now only GCC 7.2.0
> is patched, but our default gcc version is 5.4.0 in master and 5.5.0 in
> core-updates. So I tried to apply the patches to 5.5.0. There are
> 17 commits/patches in total. The first 3 patches can be modified to work,
> while the 4th patch cannot be easily modified to work because the
> function ``ix86_nopic_noplt_attribute_p'' is not present on 5.5.0.
> Perhaps discarding the hunk would be fine, but we need to be careful
> about it (maybe running tests to make sure the fix really works).
>
> Do you think we should modify the patch to make it work on GCC 5 or
> update core-updates to GCC 7 instead?

So far I haven't had time to read about Retpoline, how it works, and the
degree to which other mitigations work without it. So the following
opinion is from a place of ignorance. I'm very interested to hear what
everyone else thinks about your suggestion.

Having said that, my opinion is that it's too late in this core-updates
cycle to change the default GCC version, especially two major versions,
from 5 to 7. My impression is that we are relatively close to finishing
this cycle. Changing the default GCC would surely cause lots of new build
failures requiring fixes to affected packages.

There are probably many unpublicized / undiscovered security fixes in
many of the updates on core-updates. It's valuable to deploy those as
quickly as possible. Is it more valuable than waiting until we can build
the packages with GCC 7? I don't know.

Something we can do very easily, even on the master branch, is to build
specific packages with GCC 7, assuming the Retpoline technique would be
effective in that context.
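The "build specific packages with GCC 7" option, as an added example in Guix's own package language; this is not code from the thread or from Guix itself. It assumes that `gcc-7` exported by `(gnu packages gcc)` carries the retpoline patches, so that it accepts `-mindirect-branch=thunk`, and that the base package uses `gnu-build-system`, whose implicit compiler is shadowed by a native input named "gcc". The package variable `hello` at the end is hypothetical, standing in for whichever package is worth rebuilding first.

```scheme
;; Added example (not from this thread or from Guix): build one package
;; with GCC 7 and retpoline code generation on master, leaving the
;; default toolchain untouched.  Assumes gcc-7 has the retpoline patches
;; applied and BASE uses gnu-build-system.
(use-modules (guix packages)
             (guix utils)
             (gnu packages gcc)
             (srfi srfi-1))

(define retpoline-cflags
  ;; Flags introduced by the GCC retpoline patch series: emit a return
  ;; trampoline ("thunk") instead of every indirect call/jump, and keep
  ;; the branch target in a register so the thunk never reloads it from
  ;; memory.
  "-O2 -g -mindirect-branch=thunk -mindirect-branch-register")

(define (package-with-retpoline-gcc-7 base)
  "Return a variant of BASE built with GCC 7 and retpoline CFLAGS/CXXFLAGS."
  (package
    (inherit base)
    (name (string-append (package-name base) "-retpoline"))
    (native-inputs
     ;; A native input named "gcc" comes before the implicit gcc of
     ;; gnu-build-system in the build environment, so it wins.
     `(("gcc" ,gcc-7)
       ,@(alist-delete "gcc" (package-native-inputs base))))
    (arguments
     (substitute-keyword-arguments (package-arguments base)
       ((#:configure-flags flags ''())
        ;; Prepend the flags to whatever configure flags BASE already
        ;; passes; the string-append calls run on the host side, so the
        ;; build-side expression only sees string literals.
        `(append (list ,(string-append "CFLAGS=" retpoline-cflags)
                       ,(string-append "CXXFLAGS=" retpoline-cflags))
                 ,flags))))))

;; Hypothetical use: a retpoline build of a package variable 'hello'.
;; (define hello-retpoline (package-with-retpoline-gcc-7 hello))
```

To check that the rebuilt binaries actually got the mitigation, disassemble them and look for the thunk symbols the retpoline patches generate (`objdump -d <binary> | grep __x86_indirect_thunk`): if none appear, the flags did not reach the compiler or the compiler does not support them. The caveat that goes with this approach is that retpoline only addresses Spectre variant 2 (branch target injection), and only in code that was recompiled with it; it does nothing for variant 1 or for Meltdown, and a retpoline-built package still calls into unrebuilt libraries and the kernel, so it is a per-binary hardening, not a system-wide fix.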