[LAU] Major CPU bugs - Was: Christmas present for self.

Ralf Mardorf ralf.mardorf at alice-dsl.net
Fri Jan 5 01:50:49 UTC 2018


>On 01/04/2018 10:09 PM, Rob wrote:
>> https://lwn.net/Articles/741878/

So for a DAW "There will be a nopti command-line option to disable
this mechanism at boot time."

Let alone that there might be easier-to-use targets for an attacker:

[rocketmouse at archlinux ~]$ echo $(arch-audit -f "%n | " | sort) | sed s/.$//
binutils | cairo | exiv2 | ffmpeg | ffmpeg2.8 | glibc | jasper | lame | lib32-glibc | lib32-openssl | libffi | libvorbis | linux | mkinitcpio-busybox | openssl | pcre | perl-xml-libxml | rsync | zziplib 
[rocketmouse at archlinux ~]$ arch-audit --upgradable --quiet
lib32-openssl>=1:1.1.0.h-1
openssl>=1.1.0.h-1
perl-xml-libxml>=2.0130-1

For more information see https://security.archlinux.org/ .

Let alone the risk of using the Ubuntu "universe" repository:

"Canonical does not provide a guarantee of regular security updates for
software in the universe component, but will provide these where they
are made available by the community. Users should understand the risk
inherent in using these packages." -
https://help.ubuntu.com/community/Repositories#Universe

For example, Ubuntu still provides webkitgtk for bionic:
https://packages.ubuntu.com/bionic/libwebkitgtk-1.0-0

For more information see https://usn.ubuntu.com/usn/ .

It makes me wonder that people care about performance issues caused by
something that could be disabled and that isn't needed for a DAW at
all. If the DAW is used for something else, simply reboot without
disabling. But again, many users don't care about all the vulnerabilities
caused by using the Ubuntu "universe" repository, so booting with nopti
seems to be the last thing to worry about. Btw., using a pulseaudio bridge
when running jackd might cause real-time issues, too. In short, it's
hysterical to decide against an Intel CPU in favour of an AMD CPU, if the
reason should be performance concerns regarding KPTI.
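
Added example, not part of the original post: a check for whether the current boot has KPTI switched off, for a machine that is booted with nopti for DAW sessions and rebooted without it for other work. Only nopti is named in the post; the pti=off and mitigations=off spellings and the sysfs status file are assumptions about the running kernel.

```shell
#!/bin/sh
# Added example: decide whether the running kernel has KPTI active.
# The sysfs path and the pti=off / mitigations=off spellings are assumptions
# not mentioned in the post; only "nopti" is.

# Print the KPTI-disabling parameters found on a kernel command line.
pti_disable_params() {
    found=
    set -f                      # do not glob-expand words from the command line
    for word in $1; do
        case "$word" in
            nopti|pti=off|mitigations=off) found="${found:+$found }$word" ;;
        esac
    done
    set +f
    printf '%s\n' "$found"
}

# $1 = kernel command line, $2 = Meltdown status string (empty if unavailable).
kpti_verdict() {
    case "$2" in
        "Mitigation: PTI"*) echo "pti-active" ;;
        "Not affected"*)    echo "not-affected" ;;
        "Vulnerable"*)      echo "vulnerable" ;;
        *)  # No usable status (e.g. older kernel): fall back to the command line.
            if [ -n "$(pti_disable_params "$1")" ]; then
                echo "pti-off-requested"
            else
                echo "unknown"
            fi ;;
    esac
}

# Live check; both reads are allowed to fail on systems without these files.
cmdline=$(cat /proc/cmdline 2>/dev/null || true)
status=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
echo "KPTI: $(kpti_verdict "$cmdline" "$status")" \
     "(disable parameters seen: $(pti_disable_params "$cmdline"))"
```

The kernel's own status string is treated as authoritative; the command line is only consulted when that string is missing or unrecognised.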

