ucode-intel update concern

Hello OpenSusers,

I am running Leap 42.3 on my system. I recently tried to do a distribution upgrade with "zypper install dup". Upon reading the list, Zypper informed me that it wanted to downgrade ucode-intel to the previous version. However, after the news about Meltdown and Spectre, I was hesitant, so I began to try and do some research. Right now, I believe I have the most up to date version (20180108-16.1). I didn't know where to start, but I looked at both ucode-intel's changelog and tried the Security Portal to search for any updates since the 8th and have found nothing referencing needing to rollback.

Am I right to worry? Does anyone know why a downgrade is being recommended? If it’s legit (no reason to assume a problem with my keys yet), I have no problem doing so, but given the news around these exploits, I’d like to know where I’m missing the reason as to why a downgrade is being recommended (and where I can go so I don’t have to trouble anyone with this kind of question again).

Edit 1 (Additional note): Also, I figured “Applications” would be the best place to put this thread since it’s software, but if there’s somewhere more appropriate, please let me know.

Hi and welcome to the Forum :slight_smile:
The dup option is only used for distribution upgrade, not normal updates (it will downgrade because it pulls from the oss repo and not updates) only use zypper up to update a normal release (Tumbleweed must use dup since it’s a rolling one).

So just run zypper up and you should be fine.

I have installed;


Name           : ucode-intel                                
Version        : 20180108-16.1  

Some more info in this thread and links;
https://forums.opensuse.org/showthread.php/529156-Spectre-Meltdown-chip-bugs-and-Linux

On Sun, 21 Jan 2018 02:16:01 +0000, tiredpenguin72 wrote:

> I am running Leap 42.3 on my system. I recently tried to do a
> distribution upgrade with “zypper install dup”.

I’m guessing you mean ‘zypper dup’ here. What are you attempting to
upgrade to?

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

@malcolmlewis : Hmmm. When I try to run “zypper update”, it doesn’t give the ucode-intel package in the list, but it does give others. Would something rolling like Tumbleweed be rolled back for any reason besides a mistake in the release of the firmware for the distro? I usually have used the dup option with no issue, but I’ll fall back for awhile to just “zypper update” instead.

@hendersj : Yeah, definitely meant “zypper dup” there instead. Oops. And I was running “zypper dup” just to upgrade all the packages on my system.

Hi
Typo on my part, yes only zypper dup… :wink:

Somehow the last few comments seem confusing to me, so might confuse the OP, as well.

To Clarify:

Each release of Tumbleweed is a new Distribution, instead of just package updates. This is why it is called a “rolling release”.

Therefore, instead of using the command to get updates, Tumbleweed users must instead use the Distribution Upgrade option:

zypper dup

For other versions, as in LEAP, you normally only want the updates, so in LEAP you would use:

zypper up

If you use the Distribution Upgrade option in LEAP, but have not changed your repos from one version to another (say, 42.2 to 42.3, in which case “dup” would upgrade you from 42.2 to 42.3), then it actually reverts you to the non-updated release. In effect, it will actually downgrade much of what is in your system.

That is why, when you ran “zypper dup” on 42.3, it wanted to go backwards and remove that ucode item.

Hope that helps clear it up.:wink:

@Fraser_Bell : Thanks for that. To be honest, I’ve been using Linux distros for years, but have only scratched the surface. Never got into managing what repos I have in my update settings (but now may be a good time to start).

I still have to wonder though, if the case is such that I do nothing with my repos (as I never have explicitly), it shouldn’t have upgraded my ucode-intel to the newest version as it is now.

Nevertheless, to clarify, if a proper release of ucode-intel should be filtered down for Leap 42.3, it should come up when I issue “zypper update” and zypper goes about pulling updated repository info from online caches? Do I have that right?

(Also: Do I need to mark this as “solved”?)

And also, thank you to the other two posters as well. Much appreciated! :slight_smile: :slight_smile:

Well, yes, it should, since a ucode-intel security update was issued for 42.3.

… that is, if I am understanding you properly.

Nevertheless, to clarify, if a proper release of ucode-intel should be filtered down for Leap 42.3, it should come up when I issue “zypper update” and zypper goes about pulling updated repository info from online caches? Do I have that right?

… online repositories. Correct.

BTW: Now would be a good time to check what repositories you have enabled.

How about give us the output from:

zypper lr -d

so we can make certain you are not shooting yourself in the foot.:slight_smile:

(Also: Do I need to mark this as “solved”?)

We actually do not do that in these forums. Generally, we simply expect the person who receives help to come back with a final post to say “It worked” or “It did not work”, which is usefull information for anyone looking into this thread for the same problem.

The 20180108 ucode-intel update got retracted and removed from the update repo because it caused problems on some systems.
IOW, the described behaviour is perfectly normal, because the current latest version for 42.3 is 20170707-10.1.

AFAIK, (most) necessary fixes are in the previous version already (the security vulnerabilities had to be fixed/workarounded in the kernel anyway), OTOH there definitely will be another update at some point if necessary.

Though, you can of course keep 20180108 if you want (and your system works fine with it).

Really?? What is the source for that statement re a dist-upgrade on Leap 42.3?

Doing a “dry run” on my 42.3 using "zypper -v dup -D" yields this summary:

27 packages to upgrade, 1 to downgrade, 4 new, 26  to change vendor.

The only downgrade is:

The following package is going to be downgraded:
  ucode-intel  20180108-16.1 -> 20170707-10.1

because the update was removed as already posted. BTW the new ones and the upgrades / vendor changes look to be from Packman repos, and are not needed here.

The plain dist-upgrade will resolve from all enabled repos (including the two openSUSE Update repos). You can of course limit the repos enabled, or by using options on the command line.

Ah, yes, well that explains a lot. Thanks.

Yeah, at my age, and with my multiple projects on the go, I sometimes get confused.

Not good to give out misinformation. I suppose it would be better if I quit trying to help people here and left it all to you sharper youngsters.

Don’t beat yourself up. No one gets it right all the time and we’re all volunteers trying to assist where we can. All good.

No need to quit over any of that, or any other “senior moment” (mine are more frequent on the telephone - less thinking time). :wink:

You were right that earlier posts were somewhat confusing, probably leading to overstated conclusions, and also right that “zypper up” is best practice on Leap. Where Tumbleweed is not regularly in use, “dup” can be a rare and complex experience depending on number of repos deployed, with much historical debate and disagreement on mailing list and forum.

I think there was an earlier assumption that “dup” had resolved to the OSS repo, but in this case it resolved to the previous update to ucode-intel.

PS, see here for more information about the current state regarding the Meltdown and Spectre vulnerabilities:

In particular, it states this about the ucode-intel update:

What is partially mitigated:

– The Spectre Variant 2 …

The initial kernel updates we have released require CPU Microcode updates.

While we have released updates for some Intel chipsets and also AMD Ryzen, the Intel CPU Microcode updates were later found to be unstable and have now been retracted.

Intel is currently working on better versions of the CPU Microcode, which we will ship once they become available.

For openSUSE Tumbleweed we have reverted the “ucode-intel” package to the pre-Spectre state.

For openSUSE Leap 42.2 and 42.3 we have retracted the updated “ucode-intel” packages, so it is necessary to downgrade them manually if you are encountering problems like MCE errors.

This can be done by:

– openSUSE Leap 42.2: zypper in -f ucode-intel-20170707-7.6.1
– openSUSE Leap 42.3: zypper in -f ucode-intel-20170707-10.1