The 4.14.14 stable update contains a number of important fixes across the tree. This update also includes some PPC mitigations, and has been built with a retpoline capable compiler for improved Spectre mitigation on x86_64.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2018-8dc60a4feb
This update has been submitted for testing by jforbes.
Works as expected.
karma: +1
works for me
By "built with a retpoline capable compiler" I assume you mean it was built with gcc-7.2.1-7, but the latest gcc I can see at https://bodhi.fedoraproject.org/updates/?search=gcc is gcc-7.2.1-2. Shouldn't the gcc package be pushed first, and shouldn't this package have a build dependency on the retpoline capable gcc, so the build can be reproduced by users?
@cesarb yes it is built with gcc-7.2.1-7 and no, there is no reason that the gcc package is pushed first because it's about a kernel security update, and needlessly having that wait for gcc going to updates-testing and all that stuff means either a 4.14.14 with not all security enhancements or a not justified delay, and frankly "so the build can be reproduced by users" is nice but not really why you use a distribution
if you want that gcc just install it - our webstack is built with -mindirect-branch=thunk since Thursday (we maintain httpd/apr/php/mysql on our own for a decade now)
@cesarb Yes, it was built with gcc-7.2.1-7, and no there should not be a build dependency on it. The patches for retpoline support were added to our 4.14.13 update, but the compiler was not available in koji. As a result, that kernel offered "Minimal generic ASM retpoline" mitigations. Still better than nothing. Building with an updated gcc changed that to "Full generic retpoline". As there is no runtime dependency for this change, it seems more beneficial to get the improved mitigation out to users. The gcc builds are in koji and you are welcome to install them.
This update has been pushed to testing.
This update has been submitted for batched by jforbes.
This update has been submitted for stable by jforbes.
This update has been pushed to stable.
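To confirm which of the two retpoline states quoted in the comments above a booted kernel reports, and which gcc release built it, a check along these lines can be run after the upgrade. This is an added example, not part of the update or of the Fedora tooling; the sysfs path, the function names and the sample banner are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's Spectre v2 status string and report
# the gcc release that built the kernel. Function names are hypothetical.

# Assumed location of the status string on kernels that expose it via sysfs.
SPECTRE_V2_FILE="${SPECTRE_V2_FILE:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"

# Constructed /proc/version-style banner, for offline use (not real output).
SAMPLE_BANNER='Linux version 4.14.14-0.example.x86_64 (builder@example.invalid) (gcc version 7.2.1 20180101 (Red Hat 7.2.1-7) (GCC)) #1 SMP'

# classify_retpoline STATUS -> prints full | minimal | other
# Substring match, so any prefix the kernel puts before the text is ignored.
classify_retpoline() {
    case "$1" in
        *"Full generic retpoline"*)        echo full ;;
        *"Minimal generic ASM retpoline"*) echo minimal ;;
        *)                                 echo other ;;
    esac
}

# retpoline_ok STATUS -> succeeds only for the compiler-assisted mitigation
retpoline_ok() {
    [ "$(classify_retpoline "$1")" = full ]
}

# kernel_build_gcc BANNER -> prints e.g. gcc-7.2.1-7, or nothing when the
# banner carries no "(Red Hat <version>-<release>)" compiler tag.
kernel_build_gcc() {
    printf '%s\n' "$1" |
        sed -n 's/.*gcc version [^(]*(Red Hat \([0-9][0-9.]*-[0-9][0-9]*\)).*/gcc-\1/p'
}

# Live check, skipped quietly where the files are not readable.
if [ -r "$SPECTRE_V2_FILE" ]; then
    status=$(cat "$SPECTRE_V2_FILE")
    echo "spectre_v2: $status -> $(classify_retpoline "$status")"
fi
if [ -r /proc/version ]; then
    echo "running kernel built with: $(kernel_build_gcc "$(cat /proc/version)")"
fi
echo "sample banner built with: $(kernel_build_gcc "$SAMPLE_BANNER")"
```

A result of `minimal` on a kernel that carries the retpoline patches indicates it was built with a compiler lacking retpoline support, as described for the 4.14.13 update.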