Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Update spectre meltdown checker #620
Spectre Meltdown checker was last updated around May : #464
Update to most recent version with
Tested, works as expected
How to test
Pull the branch and run
By the way : so far we are only checking Variant 3 (c.f. this comment : #406 (comment) )
What about other variants ? In particular, on one of my test machines (a VPS), I noticed that it is vulnerable to newer variants, though it's not clear how I'm supposed to fix them (maybe they can't be fixed for now)
It's a hard question: those other variants aren't fixed everywhere according to debian CVE pages. So, what should we do? Options that I see:
For me it's either 1 or 3 and probably 1 in the meantime, 2 wouldn't be god as a UX stand point because informing users that they are vulnerable with not way to fix that would sucks I think (but ... they are still vulnerable and I don't like that x( but that's on debian/hardware builder side I think :/) and only generate problems that can't be solved and support for us.
That's not really a trivial situation :/
I dunno much what to do either :/
An interesting anecdote is a user who recently checked this and the script reported that the instance was vulnerable to variant 3. After contacting the VPS provider (Gandi), they told that "everything has been done to mitigate the issue and this is probably the tool misdiagnosis this" (paraphrasing what they wrote but this is pretty close).
If they are right, then that is disappointing that they are not contacting the script author in order to improve the accuracy of the diagnosis ... But that basically adds more questions to what should be done about those diagnosis results.
Naively I would just test all variants and inform the user about vulnerabilities found, but just make it "less scary" somehow, and provide link to human-readable infos about this, idk @.@