Nikos Chantziaras <rea...@gmail.com> wrote:
> Yeah, that's the kind of software that benefits from the Spectre
> mitigation patches. Like browsers, virtualization or emulation software,
> the kernel, etc.

No. It's software like gnupg, encfs, openssl and all the libraries they
use (glibc, glib, X etc) which need these patches.

> Rebuilding the whole system with these flags on doesn't sound like a
> good idea. Now, I don't know if it would hurt anything, but it's not
> uncommon for build flags to break random stuff.

Yep. On x86, gcc cannot compile itself if built with -fno-plt.

> I haven't seen any word from anyone yet as to whether these flags are
> actually recommended or not on a system-wide basis.

Actually, it is not even clear at the moment which flags should be
used in which settings. (There has been some discussion in the
gentoo forums but to no completely satisfactory result yet.)

> So my educated guess is: No. Don't do that.

Yes and no: It is probably recommended, but the flags are so new and
so poorly understood that people are hesitating with recommendations.
Also, spectre is hard to exploit, so it is perhaps better to wait at
the moment until some experience is there.

> If a package is affected, it
> stands to reason that the upstream of that package would change their
> build system to use these new flags where needed.

No, for many reasons:

1. Packages often try to not add any flags; especially in gentoo it is a
policy that they _must_ not: If they do, it would get patched out in gentoo.

2. A library has no idea what it is used for. Why should it add something,
only because some program using it should be protected?

3. Adding the flags slows down the programs. It is the user who must
decide whether patches are desirable for his use case and architecture.
(Maybe this is less relevant now but in a while when versions of
processors "immune" to spectre come out.)
