From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: Meltdown / Spectre Date: Tue, 16 Jan 2018 11:57:11 +0100 Message-ID: <87po6a841k.fsf@gnu.org> References: <874lnzcedp.fsf@gmail.com> <20180106174358.GA28436@jasmine.lan> <87vageeobi.fsf@netris.org> <87incedvgv.fsf@netris.org> <87k1wtcq7m.fsf@netris.org> <87wp0qognk.fsf@gmail.com> <20180110045930.GA29390@jasmine.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:49333) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ebOve-00012s-NX for guix-devel@gnu.org; Tue, 16 Jan 2018 05:57:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ebOvb-0004UN-Lr for guix-devel@gnu.org; Tue, 16 Jan 2018 05:57:18 -0500 Received: from hera.aquilenet.fr ([2a0c:e300::1]:48962) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ebOvb-0004Tf-EJ for guix-devel@gnu.org; Tue, 16 Jan 2018 05:57:15 -0500 In-Reply-To: <20180110045930.GA29390@jasmine.lan> (Leo Famulari's message of "Tue, 9 Jan 2018 23:59:30 -0500") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org Hello, Leo Famulari skribis: > On Wed, Jan 10, 2018 at 05:39:59AM +0800, Alex Vong wrote: >> I have an idea. Should we add a news entry to Guix blog[0] summarizing >> all the above? For example, we can advice users to install noscript and >> turn off javascript by default and only enable it on trusted site when >> necessary. > > I think it's a good idea to publish an advisory of some sort but I don't > know if I'll have time in the next few days to write it. It=E2=80=99s a good idea. I think the message you sent at the beginning of= this thread would be a good start. Not much more needs to be added at this point, IMO. >> About the "Retpoline" mitigation technique[1]. Right now only GCC 7.2.0 >> is patched, but our default gcc version is 5.4.0 in master and 5.5.0 in >> core-updates. So I tried to apply the patches apply the patches to >> 5.5.0. There are totally 17 commits/patches. The first 3 patch can be >> modified to work while the 4th patch cannot be easily modified to work >> because the function ``ix86_nopic_noplt_attribute_p'' is not present on >> 5.5.0. Perhaps discarding the hunk would be fine, but we need to be >> careful about it (maybe running tests make sure the fix really works). >>=20 >> Do you think we should modify the patch to make it work on GCC 5 or >> update core-updates to GCC 7 instead? > > So far I haven't had time to read about Retpoline, how it works, and the > degree to which other mitigations work without it. So the following > opinion is from a place of ignorance. I'm very interested to hear what > everyone else thinks about your suggestion. > > Having said that, my opinion is that it's too late in this core-updates > cycle to change the default GCC version, especially two major versions, > from 5 to 7. No doubt about it. :-) > Something we can do very easily, even on the master branch, is to build > specific packages with GCC 7, assuming the Retpoline technique would be > effective in that context. Yes, I see Alex submitted a patch already. Thanks, Ludo=E2=80=99.