1. 21
  2. 6

    This is just gold:

    Under the new patch, Linux listed all x86-compatible chips as vulnerable, including AMD processors. Since the patch tended to slow down the processor, AMD wasn’t thrilled about being included. The day after Christmas, AMD engineer Tom Lendacky sent an email to the public Linux kernel listserve explaining exactly why AMD chips didn’t need a patch.

    “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault,” Lendacky wrote.

    A very interesting article. Would be more interesting to know the details behind the above gaffe — did the AMD engineer break his NDA, or did he come up with the root cause behind the patch independently?

    TBH, regarding discussions on public listserve, it seems really weird that these kinds of things wouldn’t be done behind closed doors — just because the software is OSS, doesn’t mean that every single change has to be thoroughly explained on the public mailing lists, like Verge seems to suggest. In the BSD world, for example, internal developer-only (i.e., committer-only) mailing lists do exist, which, for better or worse, make it easy to not unnecessarily publicise such changes, whilst still getting the exposure and feedback from the developer community.

    1. 16

      When you know a secret for too long, you forget what’s supposed to be secret and what’s not. Also, when too many people know, you forget who knows and doesn’t. You forget when it’s secret and when it’s public. When the secret topic is half secret and half public, you forget precisely what’s secret and what’s not. Etc., etc.

      Governments, with 100 years of practice, screw this up. Amateurs are doomed.

      1. 5

        I seem to be in the minority that thinks this is a bad precedent. Google’s Project Zero found a critical bug, then kept it secret from developers for seven months. That gave them a gigantic advantage.

        1. 2

          I’m right there with you.

          This should really be an eye-opener to everybody about just how much control large corporations have, and exactly whose best interests they’re looking out for.