If a ‘feature’ can be abused it most likely will. So I think, if possible, it is important this gets addressed for NethServer. It can also be a huge pro if NethServer manages as one of the first to fight this. It could make great advocacy if we can flood social media with “NethServer keeps Meltdown and Spectre out”
CentOS has already released updated packages for 7 that mitigate the problems.
To apply the fix to NethServer 7, go to the Software center and install the kernel and microcode_ctl packages (with all the related firmware).
Trivia: the author of the kernel fixes for Redhat is Andrea Arcangeli. Those among you who were at the dinner after the first NethServer conference may remember we talked with him about kernel patching and regressions.
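After installing the updated kernel and microcode_ctl packages, the practical question is whether the running kernel actually reports the mitigations as active. The following script is an added example, not code from the thread or from the NethServer project; it assumes the kernel exposes per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (present on kernels that carry the fix; older kernels do not have the directory, and the script then reports "unknown"). The fixture directory it builds at the end is constructed sample data so the logic can be exercised on any host.

```shell
#!/bin/sh
# Added example (not from the NethServer thread or project).
# Reports Meltdown/Spectre mitigation status from the sysfs files a patched
# kernel exposes. VULN_DIR is assumed to be the kernel's status directory;
# it can be overridden to point at a copy of the files for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_status DIR NAME -> prints "mitigated", "vulnerable" or "unknown"
# Kernel strings look like "Mitigation: PTI", "Not affected" or "Vulnerable".
mitigation_status() {
    dir="$1"; name="$2"
    f="$dir/$name"
    [ -r "$f" ] || { echo unknown; return 0; }
    status=$(cat "$f")
    case "$status" in
        "Not affected"|Mitigation:*) echo mitigated ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# report DIR -> one line per issue; returns 1 if any issue is still vulnerable,
# so the function can gate a monitoring check or a post-update test.
report() {
    dir="$1"; rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        s=$(mitigation_status "$dir" "$name")
        printf '%-12s %s\n' "$name" "$s"
        [ "$s" = vulnerable ] && rc=1
    done
    return $rc
}

# make_fixture -> prints the path of a constructed sample directory that
# mimics an only partially mitigated host (sample data, not a real reading).
make_fixture() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: check the live host (or VULN_DIR), then the sample fixture.
echo "== live host =="
report "$VULN_DIR" || echo "at least one issue is still reported as vulnerable"
echo "== constructed sample =="
fixture=$(make_fixture)
report "$fixture" || echo "sample: spectre_v2 not mitigated, as expected"
rm -rf "$fixture"
```

Run it as root (or any user that can read sysfs) after rebooting into the new kernel; a non-zero return from `report` on the live directory means the update has not taken effect for at least one issue, which is the case worth alerting on.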
No: problems come from hardware design, you can’t fix hardware with software.
The updates mitigate the problems. Some workloads will suffer from reduced performances.
The impact is still being evaluated.
One of the most debated points is the impact that these workarounds will have on virtualization environments.
It’s almost the fourth “big crack” for hardware or software found during the last 6 months. Only WannaCry spotted a patch out-of-release schedule.
I’m quite concerned.
It is not required to replace your current CPU by tomorrow… yet… (unless tomorrow is 6 months from now and you still have not patched your systems)
Depending on the “weight” of the patch you can still make do with the current infra load. (you did over-provision your resource load, I hope… )
Of course the replacement of the HW will be the solution in the long run (an alternative is not yet available).
In my opinion, this issue does not pose an immediate (read as today/tomorrow) risk since this vulnerability is not easily exploitable. And also keep in mind that there are other factors that keep the exploit in check. (Policies, certified/trusted software, AV etc)
First, a malicious program will have to get over the usual barriers, and only then will it be able to deliver the payload that sweeps the memory pages… (except web content )
We will see PoCs and first attempts in the next days, but the patches will also arrive, so mostly it will be a game of “who is good at housekeeping” and maintenance.
The most impacted will probably be the hosts like ESX and Xen, etc.
They will need to patch ASAP because you might not have control over what is run on your guests, if the guest is a public service.
And on the fun side, the mass media got off to an incendiary start reporting this, with lots of headlines (90% related only to Intel )
I am not that deeply involved in kernel updates, but if there is an update for the latest kernel version, would it be a good/bad idea (and why) to add the elrepo repository to be able to update CentOS/NethServer to a patched kernel version? See https://www.tecmint.com/install-upgrade-kernel-version-in-centos-7/
It’s not installed yet. I want to explore the hotly discussed impact on the system.
I noted down the avg. load values for 2h, 8h, day, week and month, so I can compare them later.
Can someone give me some instructions on how to compare the impact directly?