<andi->
The amount of delay of the NVD/MITRE latency is making me a bit angry... I am tempted to invest into scraping various websites and mailing lists :/ only after the bare thing is working tho..
biopandemic has quit [Ping timeout: 256 seconds]
pie_ has joined #nixos-security
pie_ has quit [Ping timeout: 272 seconds]
biopandemic has joined #nixos-security
pie_ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
pie_ has quit [Ping timeout: 240 seconds]
<andi->
What kind of benefit would we get from also tracking staging(-next) and the -small branches? Is that of any value? I have a few pros and cons myself.
<MichaelRaskin>
For those who — like me — glanced at https://foreshadowattack.eu/ and decided «Ah, Meltdown-SGX»: the attack claims to extract the CPU's signing key for remote attestation, which would include complete breakdown of SGX remote attestation for all the currently deployed silicon.
pie_ has joined #nixos-security
<andi->
I don't know what one should do besides shrugging and going with other broken hardware from other broken companies... I mean at this stage there isn't much you can do besides hoping that intel provides fixes/replacemnets or buy new. Pretty sad.
<MichaelRaskin>
Well, apparently you also should just know that this generation of remote attestation of deployed code is plainly broken
<MichaelRaskin>
I think AMD had some completely different problem that also breaks trust in remote attestation
<andi->
I vaguely remember a discussion 1 or 2 years back where I questioned the whole idea... I just lost trust in technology :/
<MichaelRaskin>
I remember the discussions of «Object Storage» that people on LKML declared a bad idea because people who mess up RAID1 should not be asked to implement something actually complex.