<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Yes, as a relative newbie to the Linux world (one year), I was pretty dismayed with the developments in the last few weeks.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Running LM allows me to have pretty easy and complete control over the kernel installed/used. <br></div><div class="gmail_default" style="font-family:tahoma,sans-serif"></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I just updated from 4.4.0.97 to 4.4.0.104 today. <br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">The LM repo shows 4.4.0.109 available since the "108" release caused issues for quite a few users. <br></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I am sticking with a self-imposed 90-day update cycle to the 4.4 kernel if there is a really compelling reason (from reading the changelog) to update. If no "urgency=medium/high" are listed in the changelog, I will just ignore the kernel updates.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I know delaying kernel updates can potentially be quite dangerous and LM has been criticized for their Software Updater default update settings, but I prefer it simply to have a better shot at the best system stability.<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I am very averse to a re-install as I am lazy to the core,
and not keen on dealing with the spectre of a total system meltdown due to applying kernel/firmware changes as soon as they appear. Sorry...just had to do it.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature">Thanks,<br><br>Ron Singh<br>"in transit, via mobile comm device"</div></div>
<br><div class="gmail_quote">On Sat, Jan 20, 2018 at 1:59 PM, Khalid Baheyeldin <span dir="ltr"><<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The link below is exactly why I chose to have a hold on the kernel packages for my bare metal desktops and servers until all this mess is sorted out, and we have stability back again, as we are used to ...<br><br>First it was Meltdown fixes and Ubuntu: booting issues.<br>Now it is Spectre and RedHat: booting issues.<br><br>This is why many of us fled the Microsoft ecosystem: lack of stability and predictability. <br><br>Once things are stable again, I will apply the kernel updates as I have been doing for years past ... <br><br><a href="https://linux.slashdot.org/story/18/01/20/178204/red-hat-reverts-spectre-patches-to-address-boot-issues" target="_blank">https://linux.slashdot.org/<wbr>story/18/01/20/178204/red-hat-<wbr>reverts-spectre-patches-to-<wbr>address-boot-issues</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 12, 2018 at 10:25 AM, Khalid Baheyeldin <span dir="ltr"><<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span>On Fri, Jan 12, 2018 at 10:08 AM, Chris Irwin <span dir="ltr"><<a href="mailto:chris@chrisirwin.ca" target="_blank">chris@chrisirwin.ca</a>></span> wrote:<br></span><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Wed, Jan 10, 2018 at 9:24 AM, Khalid Baheyeldin <span dir="ltr"><<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>></span> wrote:<br></span><span><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Wow, the differences are significant ... <br><br>For a dedicated server, the fix for Meltdown is not really needed, since no one else is accessing RAM by exploiting the speculative execution. <br><br>So I am thinking of pinning the kernel to what it is on those machines.<br></div></div></div></blockquote><div><br></div></span><div>Don't pin your kernel to avoid the KPTI patches. All future kernels, likely forever (considering linux still supports 486
CPUs), will carry this functionality to be used with affected CPUs. Pinning your kernel will only serve to prevent you from getting other security-related kernel updates.</div></div></div></div></blockquote><div><br></div></span><div>This is only temporary until things settle down. Will avoid the failed reboots and such.<br> <br></div><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>If you really, *really* want to disable KPTI, put "nopti" on the kernel command-line. I obviously don't recommend this. Unless your typical workload resembles a synthetic benchmark, the performance impact will likely be negligible.<br></div></div></div></div></blockquote><div><br></div></span><div>Meltdown and Spectre only affect machines that run a load from different parties. Think about a physical server running virtualized instances. One instance can sneakily look at the memory of another instance. <br><br></div><div>But on a dedicated server, or my laptop, there is no such risk. Yes, in theory there can be, but if someone has managed to execute programs on such machines behind my back, then KPTI or not, there are bigger issues. <br><br></div><div>So disabling KPTI is good for those two cases. <br><br></div><div>But again, I will wait until things settle down. <br></div><span><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>The security threat posed by meltdown and spectre is serious, even if
you don't see an attack vector. Any unrelated remote code execution
exploit (in apache, etc) could potentially in turn exploit meltdown and
spectre.</div></div></div></div></blockquote><div><br></div></span><div>If there is remote code execution, then it is a serious problem on its own, and the machine will be owned regardless. </div></div><span class="HOEnZb"><font color="#888888"><span><br>-- <br><div class="m_-1849746934291363609m_-4964741724621935777gmail_signature" data-smartmail="gmail_signature">Khalid M. Baheyeldin<br><a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken<br></div>
</span></font></span></div></div><span class="HOEnZb"><font color="#888888">
</font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br><div class="m_-1849746934291363609gmail_signature" data-smartmail="gmail_signature">Khalid M. Baheyeldin<br><a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken<br></div>
</font></span></div>
<br></blockquote></div><br></div>
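<div>An added example, not part of any message in this thread: a POSIX shell check that flags the two choices discussed above, KPTI disabled with "nopti" on the kernel command line and kernel packages placed on hold. The function names and sample inputs are constructed for illustration; pti=off and mitigations=off are equivalent kernel parameters included beyond the thread's own "nopti".</div>

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# Succeeds (exit 0) if the kernel command line in $1 turns KPTI off.
# Whole tokens only: "nopti" counts, "root=/dev/nopti" does not.
pti_disabled_by_cmdline() (
    set -f                          # split on whitespace without globbing
    for tok in $1; do
        case "$tok" in
            nopti|pti=off|mitigations=off) exit 0 ;;
        esac
    done
    exit 1
)

# Reads package names on stdin (the format `apt-mark showhold` prints)
# and prints only the held kernel packages.
held_kernel_packages() {
    grep -E '^linux-(image|headers|modules|generic)' || true
}

# Prints the kernel's own Meltdown verdict; $1 overrides the sysfs path.
meltdown_status() {
    status_file="${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}"
    if [ -r "$status_file" ]; then
        cat "$status_file"
    else
        echo "unknown"              # kernels without the sysfs report
    fi
}

# One line per finding; empty output means nothing to flag.
# $1 = kernel command line, $2 = newline-separated held packages.
audit_kernel_policy() {
    if pti_disabled_by_cmdline "$1"; then
        echo "FINDING: KPTI disabled on the kernel command line"
    fi
    printf '%s\n' "$2" | held_kernel_packages | while read -r pkg; do
        echo "FINDING: kernel package on hold: $pkg"
    done
}

# Constructed samples: a host booted with nopti and a held 4.4 kernel.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-4.4.0-104-generic root=/dev/sda1 ro quiet nopti'
SAMPLE_HOLDS='linux-image-4.4.0-104-generic
firefox
linux-headers-generic'
audit_kernel_policy "$SAMPLE_CMDLINE" "$SAMPLE_HOLDS"
echo "Meltdown status reported by this kernel: $(meltdown_status)"
```

<div>On a live host, pass "$(cat /proc/cmdline)" and "$(apt-mark showhold)" as the two arguments in place of the samples.</div>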