Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

At least one Linux distribution is withholding security patches that mitigate the latest round of Intel CPU design flaws – due to a problematic license clash. Specifically, the patch is Chipzilla's processor microcode update emitted this month to stop malware stealing sensitive data from memory by exploiting the L1 Terminal …

Silver badge
Pint

Well Done...

El Reg has dropped Debian a line to find out if Intel's response deals with its licensing concerns. Holschuh

Wot! No 'reached out'? /s /sic.

Well done El Reg for using 'dropped Debian a line'. Have one of these on me

69
0
Silver badge
Stop

Re: Well Done...

"dropped a line"??? So their fishing.

What's wrong with "contacted"? Or "asked"?

5
10
Silver badge

Re: Well Done...

Whenever I see 'reached out' I always imagine some beggar on a street corner with their hand out asking for spare change, or perhaps someone hankering to be prosecuted for inappropriate touching!

22
0
Silver badge

Re: What's wrong with "contacted"?

Not part of NewSpeak any more.

Marketing has rewritten the dictionary, and all those stuffy words that have worked and had meaning for the past 200 years are gone, to be replaced by iWords that are nice and shiny and make marketers look smart and professional.

Emphasis on "look".

28
0

Re: What's wrong with "contacted"?

Emphasis on "~~look~~ visualisation".

FTFY

17
0
Bronze badge
Pint

Re: What's wrong with "contacted"?

Emphasis on "~~look visualisation~~ optics".

FTFFY

(No, I'm not being serious. I've just noticed the trend, that's all. I come from an era when optics meant the plural of a spirit measure/dispenser behind a bar.)

17
0
Silver badge

Re: Well Done...

"Whenever I see 'reach[ed] out' I always..."

...wonder where this fixation for quoting The Four Tops has come from.

11
0
Silver badge
WTF?

Does Windows patch the microcode this way?

If not, why not?

If so, all CPUs?

1
0
Silver badge
Headmaster

Re: Well Done...

What's wrong with "they're" ?

7
0

Re: Does Windows patch the microcode this way?

To set your mind at ease for latest MS OS releases:

https://support.microsoft.com/en-ph/help/4093836/summary-of-intel-microcode-updates

0
0
Bronze badge

Re: What's wrong with "contacted"?

Or "pinged"?

2
0
Silver badge
Go

Re: What's wrong with "contacted"?

"replaced by iWords that are nice and shiny and make marketers look smart and professional."

Those words don't make anyone look smart or professional. The use of misunderstood US "sports" jargon and management speak to replace perfectly good words just makes people look silly.

Whenever I get messages containing this rubbish, my automatic reaction is to wonder how this could be put better. In meetings, I act as if they have been rephrased. For example, instead of "step up to the plate", I may say "volunteer" if that is what they actually mean.

Has someone made a dictionary of this newspeak? I have certainly seen people playing BS Bingo.

2
0
Headmaster

Re: Well Done...

David, I miss "they're". It has eclat.

0
0
Silver badge

Section 3

You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results.

I can see why Debian aren't happy, seeing as without new instructions made available by microcode updates, some of the mitigations incur a significant performance hit.

68
2
Anonymous Coward

Re: Section 3

>some of the mitigations incur a significant performance hit.

Indeed, the performance benchmarks over at Phoronix make for grim reading. Coming soon on Phoronix expect benchmarks with all of the patches applied vs no patches.

48
1

Silver badge

Re: Section 3

There may be a reason for that: namely, benchmark tests are often propaganda and spin. Nevertheless, it should be obvious that a clause like that can only make things worse.

Perhaps governments could pick up on that. Declaring such clauses unenforceable would have limited effect, but banning the sale of goods with such onerous restrictions - or requiring such sales to be approved by a licensing authority through an onerous process including public consultation - would surely cause vendors to stop and think what's reasonable.

10
2
Silver badge

Re: Section 3

"There may be a reason for that: namely, benchmark tests are often propaganda and spin"

At uni, a fellow student had the project to assess all the (then) current CPU/Computer benchmarks. The conclusion? They're all a meaningless indication of processor speed.

3
3
Silver badge
Facepalm

Re: Section 3

Debian is shooting themselves in the foot by not at least putting the update into the 'non-free' package distribution...

what, is Stallman behind this or something? Sounds like something he'd do/say...

/me imagines a bunch of hippies at a Santa Cruz beach wearing peace sign necklaces, love beads, psychedelic tie-dyed shirts, beaded headbands, and carrying protest signs worthy of the Laugh-In wall, talking like Tommy Chong and complaining that "Intel isn't giving us what we want, man!"

Debian, and every other distro depending on you: GET A CLUE! Just put the package into 'non-free' and be DONE with it!!!

icon, because, *FACEPALM*

2
28
Silver badge

Re: Section 3

"Debian is shooting themselves in the foot by not at least putting the update into the 'non-free' package distribution..."

Placing this in the non-free collection would not mitigate the problem. The non-free collection is for packages that are not open source. The problem with this update isn't whether or not it's open source, it's about unacceptable licensing terms.

13
1
Anonymous Coward

Re: Section 3

Plus surely if it’s a patch for a problem in the product, there should be “something” to stop the manufacturer from adding new T&Cs?

2
0

Re: Section 3

"You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results."

I'll do what I want with my computer thanks

13
0

Re: Section 3

Nice idea, but more governmental regulation will just result in (a) more costs and bureaucracy, to be passed on to us, the customers, and (b) more governmental corruption with more civil servants and politicians in the pocket of businesses with money.

Having the private sector effectively block vendor-created problems and excesses like this one, where possible, does seem to work better overall (less bureaucracy, less cost, less corruption) than getting the government to do it.

Admittedly, Debian isn't perfect in this regard but they've done us all a favour here that I would not have trusted any government to do.

3
0
Silver badge

I imagine they could ship it in “Non-free”.

(Edit: maybe not; the restriction is on distribution, and for example the operators of all the Debian mirrors cannot be said to have agreed to those terms.)

20
0
Silver badge

Perhaps a typo, perhaps a pun

"fetching and stalling".. accurate, but perhaps not the original intent.

24
0
Silver badge

Re: Perhaps a typo, perhaps a pun

maybe they meant felching?

9
0
Silver badge
WTF?

Nasty

I'm not surprised Debian balked. That's out and out censorship :(

I was surprised the others accepted it... at first, but then again not so much.

42
2

Re: Nasty

It's a nasty choice to make. Where I live, the contract is most certainly void, which means I have no good reason to forego the patch. Still, I have a lot of respect for the way Debian sticks to their guns.

59
1
Silver badge

Re: Nasty

"I was surprised the others accepted it"

They either didn't read it or decided it wasn't enforceable.

9
0
Silver badge

I'm fine with that

I don't want Intel's patches anyway. I'll be migrating away from Intel CPUs over the next few years. In the meantime, I'll mitigate the risk in other ways.

18
3
Silver badge

Re: I'm fine with that

Sadly pretty much every modern CPU has been hit with bugs like these...

I'm holding off replacing my system until it appears that the bugs are fixed in hardware too. I suspect it's going to be a long wait.

11
0

Re: I'm fine with that

At the moment it is looking like you will be waiting for at least AMD Zen 2 then.

Which is slated for 2019 at the earliest.

2
0
Silver badge
Joke

Re: I'm fine with that

I don't believe the fairly recent MegaProcessor suffers from these recent CPU issues. Maybe you could start there?

1
0
Silver badge

Re: I'm fine with that

"At the moment it is looking like you will be waiting for at least AMD Zen 2 then.

Which is slated for 2019 at the earliest."

That's kind of what I'm thinking. I think I'll just change the discs as they're getting on a bit. Hopefully the rumours are true about the forthcoming SSD price crash :)

2
0
Silver badge

Re: I'm fine with that

"Sadly pretty much every modern CPU has been hit with bugs like these..."

Yes, but there are CPUs that don't engage in speculative execution, so those are attractive. I'd prefer to have a faster CPU, of course, but I'm not as concerned that my CPU is as fast as it can possibly be as I am that my hardware is as free of security problems as possible.

2
2
Bronze badge
Happy

Re: I'm fine with that

IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license.

It won't run Windows, but let's face it: if you're running Windows you don't really care about the terms of this license agreement (hint: you've already either accepted them by proxy in the Windows EULA somewhere).

4
1
Anonymous Coward

Re: I'm fine with that

"IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license."

Great! How much for a basic desktop configuration? Can I get it in NUC size?

What POWER laptops are available?

3
0
Bronze badge

Re: I'm fine with that

Looks like $2,099 USD for a desktop:

https://twitter.com/RaptorCompSys/status/1029195940874342400

For NUC form factor, maybe ARM would be a better choice? There are Rockchip parts that might fit the bill there.

As POWER9 is just coming into the desktop space this year, I wouldn't expect laptops for a little while yet. I don't have a good answer for laptops, they're hard to do right and Microsoft / Apple / Google seem to dominate that market.

3
0
Joke

Re: I'm fine with that

... but maybe the MegaProcessor could do with a bit of a speed upgrade?

1
0
Silver badge
Linux

Re: I'm fine with that

"IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license."

It appears that Power 9 is vulnerable too, e.g. Redhat info on the bugs

3
0
Bronze badge

Re: I'm fine with that

Looking around it seems POWER9 was not shipped with the vulnerable features turned on. The one area where this becomes a bit questionable is the kernel mitigation for their version of Meltdown, but the chips never shipped with vulnerability to Spectre from what I can tell.

1
0
Bronze badge

It wouldn't be Linux if it wasn't inconsistent and interminable bickering over licensing terms and conditions.

14
81
Silver badge

"It wouldn't be Linux if it wasn't inconsistent and interminable bickering over licensing terms and conditions."

We FOSS folk take this stuff seriously because we can. It must be awful just having to put up with whatever rapacious T&Cs proprietary S/W vendors impose. But perhaps you're used to having to bend over.

110
2
Silver badge

This isn't that, though. This is Debian simply deciding that the license Intel is requiring is too onerous, and they don't agree to it. That's hardly bickering, that's rejecting a bad deal.

91
1
Silver badge

"This isn't that, though. This is Debian simply deciding that the license Intel is requiring is too onerous, and they don't agree to it. That's hardly bickering, that's rejecting a bad deal."

You're expecting a Mac/Windows fan boi to be clever enough to read the EULA though, when all they've ever done with them is click 'Accept'.

29
7
Silver badge
Gimp

Windows users have learnt the hard way,

that it doesn't matter what you click - you still get windows 10 installed.......

46
2

Take it

"We FOSS folk take this stuff seriously because we can."

Sounds like you're the one bending over. Most people don't care because we have actual things to worry about based outside in the real world.

4
28
Silver badge

Re: Take it

"Sounds like you're the one bending over. Most people don't care because we have actual things to worry about based outside in the real world."

Most people don't care because:

a) They're thick, or

b) They're ignorant

Neither of which is a better way to be than being concerned about what you agree to. But if you don't mind reading stuff before agreeing to it, thanks for gifting me your house. I'll be sure to enjoy it, along with your wife. You didn't read the contract, but you agreed to it. Sorry bud x

13
4
Silver badge

I was talking about Debian's decision making, not Mac or Windows or even individual users. Every person or company gets to decide for themselves what license terms are acceptable to them, or to just accept any license terms without reading them, if they wish.

2
0

Re: Take it

I'm aware of these Spectre based exploits and have a good understanding of how they're executed. Fact is, I use a lot of Windows only programs. I ain't got time to mess around with Linux and wine. Like I said I've got other things to worry about out here in the real world. Also, fortunately in my country there's certain laws which protect us from stood clauses in contracts because nobody bothers to read them.

3
6
