=== JackFrost is now known as Unit193
[00:41] Personally, I'd rather build a reboot-friendly application architecture.
[00:41] :)
[04:02] Is this channel alive?
[05:30] Is there anybody here who can check/approve/merge security-related debdiffs for a package in universe, or somebody who knows a person who can do that?
[05:55] Hi everyone. I have a list of installed packages on my system with dpkg. Is there any library/package that will allow me to convert the package names to their respective CPEs?
[06:09] yurtesen: do you have a launchpad bug or other pointer?
[06:09] Teachmehow: sadly, there is not really one that I'm aware of, though happy to be corrected if someone knows of one.
[06:55] @sbeattie yes I prepared a small debdiff also https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911/comments/4
[06:57] yurtesen: thanks, I saw some chatter about that bug, I'll poke further.
[08:24] Thank you, that was my first debdiff. Hopefully it is somewhat acceptable. I had a few questions about how to track if anybody is looking at a debdiff and the format of the changelog, if anybody can answer. See comment 8 for the formatting question: https://answers.launchpad.net/ubuntu/+source/tomcat9/+question/700934
[08:45] i just brought this up in -kernel, but maybe you could also give me feedback, maybe i'm missing something. i'm running 18.04 amd64 with HWE (5.4.0-104-generic #118~18.04.1-Ubuntu). "cat /sys/devices/system/cpu/vulnerabilities/spectre_v2" reports "Mitigation: LFENCE, IBPB: conditional, STIBP: disabled, RSB filling" (on this Ryzen 7 1800X), so it seems the kernel has not been compiled with a retpoline-aware compiler, which would suggest
[08:45] the system is affected by spectre_v2, and apparently so because a compiler which does not (yet) support full_retpoline is used to build these kernels.
[08:49] buildd@ubuntu built this one using gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) on Thu Mar 3 13:53:15 UTC 2022.
[09:18] tomreyn: gcc 7.5 supports retpoline. until this last week lfence/jump was amd's recommended mitigation. You could force generic retpoline using the kernel boot parameter spectre_v2=retpoline,generic
[09:18] see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
[09:42] jjohansen: I can't force it with spectre_v2=retpoline,lfence (suggested by apw in #ubuntu-kernel - sorry for cross-posting here): cat /proc/version /proc/cmdline /sys/devices/system/cpu/vulnerabilities/spectre_v2 | nc termbin.com 9999
[09:42] https://termbin.com/gbhc
[09:50] interestingly, AMD's advisory states "LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on *some* AMD CPUs" (*stress* added by myself) and does *not* list Ryzen 1000 series Desktop CPUs below. which could mean those are not affected, or are not being handled.
[09:50] Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
[10:14] jjohansen: you have a point. i booted with spectre_v2=retpoline,generic now and got "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling"
[10:27] on a related point, mitigation for spectre and meltdown results in a performance hit. Do we only need this mitigation on multiuser machines?
[10:27] For a single-user desktop (or small multiuser system of trusted users) can we disable these mitigating features and boost system performance...?
[10:40] Nicholas[m]: that entirely depends on what software you run on those machines. VMs that you don't trust - no
[10:41] web browsers connected to the internet, well just about anything that could run untrusted scripts like the web browser
[10:41] not
=== chrisccoulson_ is now known as chrisccoulson