On Thursday 18 July 2019 04:22:03 Oliver Grawert wrote:
> On Wednesday, 17.07.2019, 21:03 +0200, Ralf Mardorf via
> > On Wed, 17 Jul 2019 12:21:46 +0200, Oliver Grawert wrote:
> > > what a user really only needs to care about is to keep the system
> > > up to
> > > date.
> > Hi,
> > I disagree, if a package from "main" such as openssl suffers from
> > something like Heartbleed, it might be better to wait a few days for
> > a fix, before continuing to use such a package's software.
> you mean keeping your system vulnerable for a few extra days makes
> much sense?
That depends on what's between your machines and the net. With a router
reflashed to dd-wrt (there's other equally secure stuff out there),
outsiders getting in is not a consideration. In 19 years, or close to
it, no one has gained access to my local network that wasn't given the
credentials. It's simply not happened. So the fact that I've got 3
machines still running an old version is not a concern.
> > It was even announced by television news and Bruce Schneier said:
> > "Catastrophic is the right word. On the scale of 1 to 10, this is an
> > 11."
> my mom: "who is bruce schneier?"
> > The Ubuntu help explains that not all repositories are supported and
> > warns regarding the risk of using packages from those repos.
> and because of this what I said is not true?
> yes, there are repo parts that are maintained by the community that
> possibly get security fixes in a slower cadence (or probably none at
> all, which is one of the reasons snap packages exist). but that's
> completely orthogonal to the fact that you should immediately pull in
> a security fix if it is available ... and that you should do this when
> the update manager notifies you about it.
> 90% of ubuntu users out there install their software by simply
> clicking the install button in the software-center, they don't know
> what heartbleed is or who bruce schneier is, they only want to use
> their computer. and the most important thing to keep these people's
> machines secure is to teach them to always apply the updates their
> system offers them ASAP ... keeping your system up to date with the
> updates it offers to you is the number one security rule no matter
> whether you are a computer nerd who is best friends with bruce schneier
> or my mom ...
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
On Thursday, 18.07.2019, 09:36 +0000, wrote:
> Though we observed unstable behavior with regards to default
> gateways, and name-resolving in combination with tunnel product.
> Something we never observed in 16.04. This "might" be related to the
> ever expanding influence of systemd...
On Thursday, 18.07.2019, 05:46 -0400, Gene Heskett wrote:
> > you mean keeping your system vulnerable for a few extra days makes
> > much sense?
> That depends on what's between your machines and the net. With a router
> reflashed to dd-wrt (there's other equally secure stuff out there),
> outsiders getting in is not a consideration. In 19 years, or close to
> it, no one has gained access to my local network that wasn't given the
> credentials. It's simply not happened. So the fact that I've got 3
> machines still running an old version is not a concern.
old versions of what?
if your browser has a vulnerability that allows an attacker a
simply read all your ssh keys on disk ) and sends it out with the next
HTTP request to the hacker, a safe firewall doesn't gain you anything.
a firewall is fine to save you from attacks against something you didn't
allow, but not for stuff you allow to go in and out (which you
certainly do for some stuff, else you wouldn't have to have a router at
On Thu, 18 Jul 2019 at 11:38, <[hidden email]> wrote:
> Hi Liam,
> You replied by raising lots of topics... (hence commenting here)
I hope it's helpful.
But I need to say: I find your reply very hard to follow.
This is not a forum. It is a mailing list. (So I do not know what you
mean by "commenting here".)
Please follow proper traditional email etiquette. Quote *only* the
parts of the email that you are responding to, and put your reply
*underneath* those parts. That is what I am doing here.
Do not include anything else you are not responding to; trim it out.
Quote text should have
... in front of each line.
Many Microsoft email clients can't do this. If so I suggest switching
to a working email client. Outlook is badly broken.
> We oversee the use of many tens of thousands of instances. Therefore stability is our second concern (after security).
> We do want to progress from 16.04 forward, as we need to support newer hardware.
> Though we observed unstable behavior with regards to default gateways, and name-resolving in combination with tunnel product.
I do not know what "tunnel product" means.
> Something we never observed in 16.04. This "might" be related to the ever expanding influence of systemd...
It could be, yes. However, it is hard to avoid these days.
For some things I am now using Devuan. It is a fork of Debian with no
systemd and nothing that requires systemd.
You might wish to evaluate it.
> The support period of any release is not such a big deal, as long as we are ahead of any deadline.
> My goal is to provide quarterly (or even more monthly) new ready-to-run images, with as much of the latest drivers and patches.
> And rather take smaller steps, than the bigger leaps between each LTS
Ah, I see. Then maybe the LTS releases are not for you.
On Thu, 18 Jul 2019 12:32:36 +0200, Oliver Grawert wrote:
>old versions of what ?
I dislike trashing old hardware that still works without issues, but if
the old hardware isn't supported anymore, the usage requires
reconsideration. Online banking is the first kind of usage I would stop.
The CPU of my Linux PC is a 6.60.3 Intel Celeron G1840 formerly
Haswell. It seemingly still gets microcode updates.
It should be no issue to update Linux (kernel and apps) as long as my
mobo and Celeron are still working. I wonder how important
microcode updates are.
I still own an old iPad. The last iOS update for this iPad was released
August 25, 2016. Some apps still get updates, but not all apps and
especially not the underlying OS.
My new iPadPro 3rd gen is the newest available, released in the end of
I wonder when Intel stops providing updates for the Celeron and when
Apple stops providing iOS updates for the iPadPro. Ubuntu and other
distros for sure support the Celeron for way more than long enough.
For light-scribe only I still keep a very, very outdated Ubuntu
install, just in case it one day should break for my current installs.
On Thu, 18 Jul 2019 14:06:15 +0200, Oliver Grawert wrote:
>On Thursday, 18.07.2019, 13:31 +0200, Ralf Mardorf wrote:
>> I wonder how important microcode updates are.
>judge yourself by just looking at these three links ;)
I wasn't clear enough: since Intel still provides microcode for my CPU,
I asked the crystal ball whether updates for the microcode are still that
important if matured microcode already exists.
$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
Mitigation: Clear CPU buffers; SMT disabled
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
In the beginning there were fewer mitigations; however, I suspect that
before Intel stops providing microcode for my CPU, it is unlikely there is
much more that could be done related to Spectre and Meltdown. It can't be
solved, and the mitigations are already quite mature by now.
The question is how likely it is that old Intel CPUs will suffer from
something new that is as problematic as Spectre and Meltdown are.
Microcode is not only important regarding security, it's also important
to fix possible issues with CPU features, but I guess that fixes for
those issues are also already matured.
While AMD CPUs don't suffer as much from Spectre and Meltdown as
Intel CPUs do, I don't want to use AMD CPUs again, since I got rid of
almost all the issues I experienced with my AMD CPUs when I migrated to
Intel. Pro-audio performance is way better and there are absolutely no
graphics-related issues. NVIDIA and ATI are a PITA. However, in regard
to Spectre and Meltdown, it might be better to use AMD CPUs.
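As an added example, not from the thread, here is a small POSIX sh helper that classifies the files Ralf cat'ed above (one file per issue under /sys/devices/system/cpu/vulnerabilities/), so an entry reported as Vulnerable, which is how a missing microcode update shows up from userspace, stands out instead of having to be spotted in the raw output. The sample directory it builds is constructed for the demo; the file names and status strings follow the kernel's sysfs format.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the per-issue files under
# /sys/devices/system/cpu/vulnerabilities/ that the mail above cat'ed by hand.
# Each file holds one line starting with "Not affected", "Mitigation: ..." or
# "Vulnerable..."; a missing microcode update typically shows up as the last.
# cpu_vuln_report [DIR] prints one tagged line per issue and returns 0 when
# nothing is reported Vulnerable, 1 otherwise (DIR defaults to the live sysfs path).
cpu_vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    vulnerable=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*) tag=OK ;;
            Mitigation:*)    tag=MITIGATED ;;
            Vulnerable*)     tag=VULNERABLE; vulnerable=1 ;;
            *)               tag=UNKNOWN ;;
        esac
        printf '%-12s %-20s %s\n' "$tag" "$name" "$status"
    done
    return $vulnerable
}

# Constructed sample directory so the script runs offline. File names are the
# kernel's; the statuses copy the mail's output except for mds, which is given
# the string the kernel reports when the needed microcode is absent.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled\n' > "$d/l1tf"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode\n' > "$d/mds"
    printf 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n' > "$d/spec_store_bypass"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; call cpu_vuln_report with no argument to
# check the running machine instead.
sample=$(make_sample_dir)
cpu_vuln_report "$sample" || echo "at least one issue is reported Vulnerable"
rm -rf "$sample"
```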
Whilst this has, I believe, digressed from the topic of the thread,
one point that I make here, is that, from my experience, nVidia seems
to work okay with Ubuntu.
Some years ago, I bought a souperdooper new laptop (Acer Aspire
V3-772G), that has an i7 CPU of the Haswell architecture, and, an
nVidia GeForce thingy, with nVidia Optimus.
The computer has MS Windows 8 installed on it, which I found too
difficult to use, and, at that time, I had been using Debian as my
Linux distribution of choice. Having forgotten the MS Win8 password,
through lack of use, the 250GB or whatever, of HDD space, is written
I could not get an external screen working with the laptop, running Debian.
However, after months of stuffing around with it, and, researching, I
found that only two non-MS operating systems, worked with the Haswell
architecture; DragonflyBSD and Ubuntu Linux. But, DragonflyBSD did
not, and, had no intention of trying to, work with the nVIDIA Optimus
thingy, and, Ubuntu did, and, does. Ubuntu, going back to 12.04,
worked okay with both the Haswell architecture, and, the nVIDIA
Optimus thingy, and, Ubuntu is the only non-MS operating system that I
found that works okay with the nVIDIA Optimus thingy - I think it uses
the nouveau driver.
So, for me, from memory, from my experience, nVIDIA has not provided
problems, with Ubuntu. The i7 system, and, an i3 desktop, with a
different model nVIDIA thingy, without Optimus, both are currently
running UbuntuMATE 16.04, without any remembered problems.
"So once you do know what the question actually is,
you'll know what the answer means."
- Deep Thought,
Chapter 28 of Book 1 of
"The Hitchhiker's Guide to the Galaxy:
A Trilogy In Four Parts",
written by Douglas Adams,
published by Pan Books, 1992