Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

At least one Linux distribution is withholding security patches that mitigate the latest round of Intel CPU design flaws – due to a problematic license clash. Specifically, the patch is Chipzilla's processor microcode update emitted this month to stop malware stealing sensitive data from memory by exploiting the L1 Terminal …

  1. Steve Davies 3 Silver badge
    Pint

    Well Done...

    El Reg has dropped Debian a line to find out if Intel's response deals with its licensing concerns. Holschuh

    Wot! No 'reached out'? /s /sic.

    Well done El Reg for using 'dropped Debian a line'. Have one of these on me

    1. Anonymous Coward Silver badge
      Stop

      Re: Well Done...

      "dropped a line"??? So their fishing.

      What's wrong with "contacted"? Or "asked"?

      1. Boothy

        Re: Well Done...

        Whenever I see 'reached out' I always imagine some beggar on a street corner with their hand out asking for spare change, or perhaps someone hankering to be prosecuted for inappropriate touching!

        1. Anonymous Coward

          Re: Well Done...

          "Whenever I see 'reach[ed] out' I always..."

          ...wonder where this fixation for quoting The Four Tops has come from.

      2. Pascal Monett Silver badge

        Re: What's wrong with "contacted"?

        Not part of NewSpeak any more.

        Marketing has rewritten the dictionary, and all those stuffy words that have worked and had meaning for the past 200 years are gone, to be replaced by iWords that are nice and shiny and make marketers look smart and professional.

        Emphasis on "look".

        1. David Lewis 2

          Re: What's wrong with "contacted"?

          Emphasis on "lookvisualisation".

          FTFY

          1. Norman Nescio Silver badge
            Pint

            Re: What's wrong with "contacted"?

            Emphasis on "look visualisation optics".

            FTFFY

            (No, I'm not being serious. I've just noticed the trend, that's all. I come from an era when optics meant the plural of a spirit measure/dispenser behind a bar.)

        2. Spanners Silver badge
          Go

          Re: What's wrong with "contacted"?

          replaced by iWords that are nice and shiny and make marketers look smart and professional.

          Those words don't make anyone look smart or professional. The use of misunderstood US "sports" jargon and management speak to replace perfectly good words just makes people look silly.

          Whenever I get messages containing this rubbish, my automatic reaction is to wonder how this could be put better. In meetings, I act as if they have been rephrased. For example, instead of "step up to the plate", I may say "volunteer" if that is what they actually mean.

          Has someone made a dictionary of this newspeak? I have certainly seen people playing BS Bingo.

      3. David Nash Silver badge
        Headmaster

        Re: Well Done...

        What's wrong with "they're" ?

        1. wayward4now
          Headmaster

          Re: Well Done...

          David, I miss "they're". It has eclat.

      4. dbtx Bronze badge

        Re: What's wrong with "contacted"?

        Or "pinged"?

    2. The Man Who Fell To Earth Silver badge
      WTF?

      Does Windows patch the microcode this way?

      If not, why not?

      If so, all CPUs?

      1. theblackhand

        Re: Does Windows patch the microcode this way?

        To set your mind at ease for latest MS OS releases:

        https://support.microsoft.com/en-ph/help/4093836/summary-of-intel-microcode-updates

  2. Alan J. Wylie

    Section 3

    You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results.

    I can see why Debian aren't happy, seeing as without new instructions made available by microcode updates, some of the mitigations incur a significant performance hit.

    1. Anonymous Coward

      Re: Section 3

      >some of the mitigations incur a significant performance hit.

      Indeed, the performance benchmarks over at Phoronix make for grim reading. Coming soon on Phoronix expect benchmarks with all of the patches applied vs no patches.

    2. Nick Kew Silver badge

      Re: Section 3

      There may be a reason for that: namely, benchmark tests are often propaganda and spin. Nevertheless, it should be obvious that a clause like that can only make things worse.

      Perhaps governments could pick up on that. Declaring such clauses unenforceable would have limited effect, but banning the sale of goods with such onerous restrictions - or requiring such sales to be approved by a licensing authority through an onerous process including public consultation - would surely cause vendors to stop and think what's reasonable.

      1. A Non e-mouse Silver badge

        Re: Section 3

        There may be a reason for that: namely, benchmark tests are often propaganda and spin

        At uni, a fellow student had the project to assess all the (then) current CPU/Computer benchmarks. The conclusion? They're all a meaningless indication of processor speed.

      2. Anonymous Coward

        Re: Section 3

        Plus surely if it’s a patch for a problem in the product, there should be “something” to stop the manufacturer from adding new T&Cs?

      3. MRS1

        Re: Section 3

        Nice idea, but more governmental regulation will just result in (a) more costs and bureaucracy, to be passed on to us, the customers, and (b) more governmental corruption with more civil servants and politicians in the pocket of businesses with money.

        Having the private sector effectively block vendor-created problems and excesses like this one, where possible, does seem to work better overall (less bureaucracy, less cost, less corruption) than getting the government to do it.

        Admittedly, Debian isn't perfect in this regard but they've done us all a favour here that I would not have trusted any government to do.

    3. bombastic bob Silver badge
      Facepalm

      Re: Section 3

      Debian is shooting themselves in the foot by not at least putting the update into the 'non-free' package distribution...

      what, is Stallman behind this or something? Sounds like something he'd do/say...

      /me imagines a bunch of hippies at a Santa Cruz beach wearing peace sign necklaces, love beads, psychedelic tie-dyed shirts, beaded headbands, and carrying protest signs worthy of the Laugh-In wall, talking like Tommy Chong and complaining that "Intel isn't giving us what we want, man!"

      Debian, and every other distro depending on you: GET A CLUE! Just put the package into 'non-free' and be DONE with it!!!

      icon, because, *FACEPALM*

      1. JohnFen Silver badge

        Re: Section 3

        "Debian is shooting themselves in the foot by not at least putting the update into the 'non-free' package distribution..."

        Placing this in the non-free collection would not mitigate the problem. The non-free collection is for packages that are not open source. The problem with this update isn't whether or not it's open source, it's about unacceptable licensing terms.

    4. Alan Mac

      Re: Section 3

      "You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results."

      I'll do what I want with my computer thanks

  3. Phil Endecott Silver badge

    I imagine they could ship it in “Non-free”.

    (Edit: maybe not; the restriction is on distribution, and for example the operators of all the Debian mirrors cannot be said to have agreed to those terms.)

  4. EveryTime Silver badge

    Perhaps a typo, perhaps a pun

    "fetching and stalling".. accurate, but perhaps not the original intent.

    1. eldakka Silver badge

      Re: Perhaps a typo, perhaps a pun

      maybe they meant felching?

  5. Will Godfrey Silver badge
    WTF?

    Nasty

    I'm not surprised debian balked. That's out and out censorship :(

    I was surprised the others accepted it... at first, but then again not so much.

    1. Anonymous Coward

      Re: Nasty

      It's a nasty choice to make. Where I live, the contract is most certainly void, which means I have no good reason to forego the patch. Still, I have a lot of respect for the way Debian sticks to their guns.

    2. Alan Brown Silver badge

      Re: Nasty

      "I was surprised the others accepted it"

      They either didn't read it or decided it wasn't enforceable.

  6. JohnFen Silver badge

    I'm fine with that

    I don't want Intel's patches anyway. I'll be migrating away from Intel CPUs over the next few years. In the meantime, I'll mitigate the risk in other ways.

    1. Korev Silver badge

      Re: I'm fine with that

      Sadly pretty much every modern CPU has been hit with bugs like these...

      I'm holding off replacing my system until it appears that the bugs are fixed in hardware too. I suspect it's going to be a long wait.

      1. Skoorb

        Re: I'm fine with that

        At the moment it is looking like you will be waiting for at least AMD Zen 2 then.

        Which is slated for 2019 at the earliest.

        1. Korev Silver badge

          Re: I'm fine with that

          At the moment it is looking like you will be waiting for at least AMD Zen 2 then.

          Which is slated for 2019 at the earliest.

          That's kind of what I'm thinking. I think I'll just change the discs as they're getting on a bit. Hopefully the rumours are true about the forthcoming SSD price crash :)

        2. whitepines Silver badge
          Happy

          Re: I'm fine with that

          IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license.

          It won't run Windows, but let's face it: if you're running Windows you don't really care about the terms of this license agreement (hint: you've already either accepted them by proxy in the Windows EULA somewhere).

          1. Anonymous Coward

            Re: I'm fine with that

            "IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license."

            Great! How much for a basic desktop configuration? Can I get it in NUC size?

            What POWER laptops are available?

            1. whitepines Silver badge

              Re: I'm fine with that

              Looks like $2,099 USD for a desktop:

              https://twitter.com/RaptorCompSys/status/1029195940874342400

              For NUC form factor, maybe ARM would be a better choice? There are Rockchip parts that might fit the bill there.

              As POWER9 is just coming into the desktop space this year, I wouldn't expect laptops for a little while yet. I don't have a good answer for laptops, they're hard to do right and Microsoft / Apple / Google seem to dominate that market.

          2. Korev Silver badge
            Linux

            Re: I'm fine with that

            IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license.

            It appears that Power 9 is vulnerable too eg Redhat info on the bugs

            1. whitepines Silver badge

              Re: I'm fine with that

              Looking around it seems POWER9 was not shipped with the vulnerable features turned on. The one area where this becomes a bit questionable is the kernel mitigation for their version of Meltdown, but the chips never shipped with vulnerability to Spectre from what I can tell.

      2. JohnFen Silver badge

        Re: I'm fine with that

        "Sadly pretty much every modern CPU has been hit with bugs like these..."

        Yes, but there are CPUs that don't engage in speculative execution, so those are attractive. I'd prefer to have a faster CPU, of course, but I'm not as concerned that my CPU is as fast as it can possibly be as I am that my hardware is as free of security problems as possible.

    2. A Non e-mouse Silver badge
      Joke

      Re: I'm fine with that

      I don't believe the fairly recent MegaProcessor suffers from these recent CPU issues. Maybe you could start there?

      1. Basil Fernie
        Joke

        Re: I'm fine with that

        ... but maybe the MegaProcessor could do with a bit of a speed upgrade?

  7. Ian Johnston Silver badge

    It wouldn't be Linux if it wasn't inconsistent and interminable bickering over licensing terms and conditions.

    1. Doctor Syntax Silver badge

      "It wouldn't be Linux if it wasn't inconsistent and interminable bickering over licensing terms and conditions."

      We FOSS folk take this stuff seriously because we can. It must be awful just having to put up with whatever rapacious T&Cs proprietary S/W vendors impose. But perhaps you're used to having to bend over.

      1. Sonic531

        Take it

        "We FOSS folk take this stuff seriously because we can."

        Sounds like you're the one bending over. Most people don't care because we have actual things to worry about based outside in the real world.

        1. wolfetone Silver badge

          Re: Take it

          "Sounds like you're the one bending over. Most people don't care because we have actual things to worry about based outside in the real world."

          Most people don't care because:

          a) They're thick, or

          b) They're ignorant

          Neither of which is a better way to be than being concerned about what you agree to. But if you don't mind reading stuff before agreeing to it, thanks for gifting me your house. I'll be sure to enjoy it, along with your wife. You didn't read the contract, but you agreed to it. Sorry bud x

          1. Sonic531

            Re: Take it

            I'm aware of these Spectre based exploits and have a good understanding of how they're executed. Fact is, I use a lot of Windows only programs. I ain't got time to mess around with Linux and wine. Like I said I've got other things to worry about out here in the real world. Also, fortunately in my country there's certain laws which protect us from stood clauses in contacts because nobody bloggers to read them.

            1. Doctor Syntax Silver badge

              Re: Take it

              "Like I said I've got other things to worry about out here in the real world."

              Go and read the W10 privacy clause. As you're obviously not used to reading this sort of thing I'll give you big hint. Pay attention to what's missing, what they don't exclude themselves from taking.

              "The data we collect can include the following:"

              Notice it says "include". It doesn't say it's the complete list.

              "Credentials. Passwords, password hints and similar security information used for authentication and account access. "

              "Payment data. Data to process payments, such as your payment instrument number (such as a credit card number) and the security code associated with your payment instrument."

              Compare that with something a little further down the list:

              "Interactions. Data about your use of Microsoft products."

              Do you notice something different between the first two and the third? The third has a restriction to Microsoft products. Do you see such restrictions in the first two?

              Your real world includes Windows. Does your country's laws actually prevent Microsoft's "telemetry" from seeing stuff you might not want it to see and that you weren't "bloggered" to read about?

              Frankly, I doubt you have much idea about the real world.

          2. Killfalcon Silver badge

            Re: Take it

            You missed c) lazy.

            I mean, that's my excuse. I just want my internet/Steam box to make the pretty lights happen, I'm just gonna click "accept" and assume it'll probably never come back to bite me.

            Probably.

            1. JohnFen Silver badge

              Re: Take it

              I think that counts as B) Ignorant. An intentional ignorance, but ignorance nonetheless.

        2. JohnFen Silver badge

          Re: Take it

          "Sounds like you're the one bending over."

          So, refusing to accept a license that you find objectionable counts as "bending over" in your world? Sounds a bit opposite-land to me.

        3. Basil Fernie

          Re: Take it

          So alter your "real world" by giving it an Attitude Altering Slap In The Face:

          Wipe Windows 10 and replace it with a righteous OS, like Debian

          Or keep worrying about how the "real world" is kicking YOU around.

          One small step for mankind, one great leap for you.

        4. Doctor Syntax Silver badge

          Re: Take it

          "Most people don't care because we have actual things to worry about based outside in the real world."

          As far as I'm concerned the real world includes all sorts of legal issues. Perhaps that's because a good chunk of my career was concerned with the courts. I had to be able to stand over, in the witness box, what I wrote and signed. Another substantial part was as a freelancer so again, contract terms were important to me. You might have led a more sheltered life which has hidden these aspects of reality from you.

    2. JohnFen Silver badge

      This isn't that, though. This is Debian simply deciding that the license Intel is requiring is too onerous, and they don't agree to it. That's hardly bickering, that's rejecting a bad deal.

      1. wolfetone Silver badge

        "This isn't that, though. This is Debian simply deciding that the license Intel is requiring is too onerous, and they don't agree to it. That's hardly bickering, that's rejecting a bad deal."

        You're expecting a Mac/Windows fan boi to be clever enough to read the EULA though, when all they've ever done with them is click 'Accept'.

        1. Fading Silver badge
          Gimp

          Windows users have learnt the hard way,

          that it doesn't matter what you click - you still get windows 10 installed.......

        2. JohnFen Silver badge

          I was talking about Debian's decision making, not Mac or Windows or even individual users. Every person or company gets to decide for themselves what license terms are acceptable to them, or to just accept any license terms without reading them, if they wish.

  8. Alister Silver badge

    Holschuh was not entirely clear why the license is a problem.

    Maybe you should go back to him pointing out Section 3 sub-section (v) and ask him to explain why users should not highlight the likely performance impact of the code?

    1. Anonymous Coward

      Holschuh cannot be serious. In the EU these terms could even be void, same for the Netherlands. I'm not a legal person, so I could be mistaken. In my opinion it violates my constitutional rights and buyer's rights. Doing benchmarks and publishing them is journalism and as such a matter of free speech.

      1. Anonymous Coward

        > Doing benchmarks and publishing them is journalism and as such a matter of free speech.

        While many a layperson would agree with you, Oracle and Microsoft have been prohibiting benchmarks of their database software for many years unless you get their permission, up front in writing first.

        eg You're not getting permission unless the benchmark is favourable

        1. T. F. M. Reader Silver badge

          Oracle and Microsoft have been prohibiting benchmarks of their database software for many years...

          So did VMware, as I recall - for quite a few years while the overhead of full virtualization led to inferior performance compared to native HW or paravirtualized machines. That was before Intel and AMD added HW support for virtualization (i.e. before, say, 2006). Today (with HW support) the overhead is not significant, and I believe the "no benchmark publishing" clause is no longer there (but I have not checked recently).

          The industry is rather used to this. I am not very surprised that the likes of Red Hat and SuSE behave pragmatically and thus don't have a problem, or that Debian have.

          1. JohnFen Silver badge

            "I am not very surprised that the likes of Red Hat and SuSE behave pragmatically and thus don't have a problem, or that Debian have."

            Me neither. This is one of the big reasons why I avoid Red Hat and Suse, but embrace Debian.

      2. Fred Dibnah Silver badge

        You’re not a geography person either. The Netherlands is in the EU :-)

        1. Dave559

          The Netherlands

          But not all of the Kingdom of the Netherlands is in geographic Europe, and I’m not sure whether all EU law necessarily fully applies in all parts…

          (I love the quirkiness of politico-historical geography!)

          1. chroot

            Re: The Netherlands

            The country known as the Netherlands is part of the Kingdom of the Netherlands. The whole of the Netherlands is in the EU.

        2. Loyal Commenter Silver badge

          You’re not a geography person either. The Netherlands is in the EU :-)

          There is, however, a distinction between the remit of the court of the ECHR (not strictly an EU institution) over matters of human rights (freedom of expression under Article 10), the ECJ (as the highest court of arbitration in the EU) over matters of EU regulations, and the courts of the Netherlands, over national law in that country (for example there may be national laws that govern freedom of the press).

          As noted by another poster above, not all territories of the Netherlands are necessarily within the EU, such as the Netherlands Antilles. One would presume that they are still subject to the laws of the Netherlands, as a sovereign nation (note to europhobes - the EU doesn't remove a country's sovereignty despite what various shouty gammon-faced men on BBC Question Time would have you believe).

      3. Aodhhan Bronze badge

        You obviously aren't trained in legal matters.

        Businesses also have constitutional rights. A business has the right to not do something, and you have the right not to support this business for their decision. Nobody has a monopoly creating a forced action. Everyone can go elsewhere and make a number of choices.

        This being said, both the EULA and Debian's lack of action is not against GDPR or anyone's constitutional rights in any country in Europe.

        1. Loyal Commenter Silver badge

          This being said, both the EULA and Debian's lack of action is not against GDPR or anyone's constitutional rights in any country in Europe.

          How can you say that with any certainty? It may well be that something in that EULA does contravene someone's constitutional rights in a European country (or elsewhere for that matter), but since no test case has been brought (that you or I know of), there has been no legal precedent to make that section of the EULA invalid. That's very different from the whole thing being legally watertight.

          IANAL, and you are clearly not one either.

        2. JohnFen Silver badge

          "Nobody has a monopoly creating a forced action. Everyone can go elsewhere and make a number of choices."

          Tell that to lots of broadband users in the US who can choose between exactly one company for their service.

        3. Chronos Silver badge

          In this very specific case, you're ignoring the fact that this is mitigation of a flaw in the workmanship of a product that was sold already, i.e. you really don't have any choice but to use the microcode, especially if it creeps in via a firmware update. This licence change is highly unlikely to be binding on people who already owned Intel chippery before the flaw came to light. I don't know of any jurisdiction in the EU that allows such unilateral contract changes.

          IANAL, YMMV etc.

      4. Remy Redert

        EULAs in general are unenforceable in the Netherlands, since our courts decided that they don't meet the requirements for a contract.

        That is to say, pretty much all EULAs are not shown prior to purchase and they are never negotiated or biased in favour of the customer.

  9. jonathan keith
    Devil

    Weasel

    "In a statement to The Register, Imad Sousou, corporate vice president and general manager of the Intel Open Source Technology Center, said it's "not true" that Debian can't distribute the microcode package."

    Technically, he's absolutely correct in his assertion. Of course, what he's specifically NOT addressing is the fact that Debian *won't* distribute the package.

    1. JohnFen Silver badge

      Re: Weasel

      Yes, this is a great example of how it's possible to lie without uttering a factually incorrect statement.

    2. Doctor Syntax Silver badge

      Re: Weasel

      "Of course, what he's specifically NOT addressing is the fact that Debian *won't* distribute the package."

      And addressing why they won't is very strictly off-limits.

  10. Anonymous Coward

    Shrug

    I admire that Debian takes principled stands. As a humble admin, though, sometimes their battles feel like watching the United Atheist Alliance fighting with the Unified Atheist League while I just want to play on the Wii.

    1. Long John Brass Silver badge
      Trollface

      Re: Shrug

      Personally I support the Atheist Alliance League.

      1. Jamie Jones Silver badge

        Re: Shrug

        heretic!

      2. Tromos

        Re: Shrug

        You should set aside your differences and unite to combat the real enemy - the people's atheist front!

        1. Korev Silver badge
          Windows

          Re: Shrug

          The problem is that he's not the Messiah, he's a very naughty boy

        2. fedoraman

          Re: Shrug

          Splitter!

          1. DJV Silver badge

            Re: Shrug

            I think this thread has now hit the unwritten El Reg rule that "if it goes on long enough it is imperative that someone must include at least one Monty Python/Douglas Adams/Terry Pratchett/Airplane* reference."

            (* Delete as applicable - actually no, don't delete - just include all of them)

            1. Citizen99

              Re: Shrug

              "I think this thread has now hit the unwritten El Reg rule that "if it goes on long enough it is imperative that someone must include at least one Monty Python/Douglas Adams/Terry Pratchett/Airplane* reference." "

              Shirley not !

            2. bombastic bob Silver badge
              Trollface

              Re: Shrug

              Shirley you jest!

              I'd rather listen to vogon poetry than watch Debian do the 'silly walk' like that.

              1. Citizen99

                Re: Shrug

                " I'd rather listen to vogon poetry than watch Debian do the 'silly walk' like that. "

                It's poetry, Jim but not as we know it.

      3. onefang Silver badge

        Re: Shrug

        Alternatively - Allied Atheists Association assuredly, and alliteratively.

  11. Updraft102 Silver badge

    What if we were talking about cars, not chips?

    So would it be okay if a carmaker released a car that had a serious safety flaw, so much so that they had to offer (yet another) recall.. but then they told the owners of those cars they could only have the fix if they signed a contract restricting some of their previously-held rights, or whatever else the carmaker wanted?

    Should owners of the defective cars have to concede anything at all to get their products fixed?

    Intel is using their own crappy design as a hammer to force people to agree to terms that are not in their favor. How is it that all of these design flaws keep ending up benefitting the company that produced them?

    1. Alistair Silver badge
      Coat

      @Updraft102:

      Well, sadly, your example is already reality, if one owns a VolksWagen with a TDI MKV engine.

      1. Killfalcon Silver badge
        IT Angle

        @Alistair

        Is this to do with that emissions scam they were running?

  12. Bibbit

    Bless you.

    You dropped a line without reaching out. The world is getting better! Joy!

    1. DuncanLarge Silver badge

      Re: Bless you.

      In my workplace, we say "touch base".

      I really hate that horrible term. Didn't anyone ever think it sounds a bit pervy to touch base with a stranger?

  13. Will Godfrey Silver badge
    Coat

    .. and another thing

    Whenever I see "reaching out" my subconscious interprets it as "retching"

    1. Anonymous Coward

      Re: .. and another thing

      Or, possibly worse, “reaching around”...

  14. jms222

    Throw the license in the bin

    I am no legal beagle but to me it's very simple. The microcode is necessary to make the device you have already bought work better. It can't be resold and can only be used on a specific device.

    So assuming you want that and do due diligence just use it and get on with life.

    I'd like to hear an opinion from somebody qualified but don't think it has any weight.

    1. Jamie Jones Silver badge

      Re: Throw the license in the bin

      "The microcode is necessary to make the device you have already bought work better."

      Even worse, the microcode update is necessary to make the device you have already bought work properly!

    2. Anonymous Coward

      @JMS222 - Re: Throw the license in the bin

      Erm, did you try asking Intel lawyers for an opinion on this matter ? I hope they're qualified enough for your taste and at the end you may tell them you don't give a damn on their opinion.

      Please go get another cup of coffee and this time make sure it is stronger!

  15. Norman Nescio Silver badge

    DeWitt clause

    The benchmark prohibition clause is also known as the "DeWitt Clause", after David DeWitt, an academic who got on the wrong side of Larry Ellison of Oracle.

    Putting "DeWitt Clause" into the Internet search engine of your choice will give links to the full history, and some discussion around the reasons for and against.

    Properly executed benchmarks can be very informative, but it is remarkably difficult to do benchmarks that all parties concerned will agree to have been properly executed. Losers can usually find nits to pick, as anyone who has been involved with benchmarking in any serious way will attest.

    1. Registered Register Registrant

      Re: DeWitt clause

      Very interesting. But 3(v) is a blanket clause, in that it prohibits the reporting of any benchmark results, including the fairest test of all: an Intel CPU benchmarked against itself, with and without microcode/firmware patches installed. Surely the DeWitt case only extended the right of a licensor to limit benchmark reporting and did not protect clauses like Intel's that proscribe benchmark reporting entirely.

      To do so would be problematic. Intel's contract, for instance, makes no warranty that their CPU instruction set is fit for any purpose whatsoever - let alone warrant that operating the CPU with their patch will not impede CPU performance. If all of Intel's EULA terms were enforceable and every CPU manufacturer had similar terms, then no consumer could make an informed CPU purchase.

    2. JohnFen Silver badge

      Re: DeWitt clause

      "Properly executed benchmarks can be very informative, but it is remarkably difficult to do benchmarks that all parties concerned will agree to have been properly executed."

      Absolutely true. However, that fact should not in any way impact people's rights to perform benchmarks and publicize the results, even if those benchmarks are flawed.

  16. Christian Berger Silver badge

    There should be limits on the limitations of software licenses...

    ... particularly when said software can _only_ be used with hardware you have previously bought.

    I mean it's not like some other company is going to build a microcode compatible CPU without Intel suing them into the ground.

    1. Loyal Commenter Silver badge

      Re: There should be limits on the limitations of software licenses...

      I mean it's not like some other company is going to build a microcode compatible CPU without Intel suing them into the ground.

      ...and if they did, one would be hopeful that they wouldn't build the same flaws into it that this microcode update explicitly addresses, rendering the copyright on the microcode moot.

  17. Rich 2

    Groan...

    These companies really need to get over their over-inflated worth of themselves.

    As has already been pointed out, what the hell are you going to do with Intel processor microcode except use it to program an Intel processor?

    Jeeeeez

    1. GrumpenKraut Silver badge
      Joke

      Re: Groan...

      > ...what the hell are you going to do with Intel processor microcode except use it to program an Intel processor?

      I used it on my moped. Now it's super duper fast! Sadly, it also leaks.

      1. Alistair Silver badge
        Windows

        Re: Groan...

        @GrumpenKraut:

        So, now the Copyright infringement folks can follow your trail and hunt you down!

    2. Alistair Silver badge
      Coat

      Re: Groan...

      @Rich2:

      Ask Wall Street about "over inflated worth". You might be surprised about the perspective of over inflated.

      1. JohnFen Silver badge

        Re: Groan...

        I would never trust a Wall Street type to be able to judge the value of a company. Their only yardstick is profitability, but there are so many other relevant factors that need to be included.

  18. Cynic_999 Silver badge

    What to do?

    Should we install updated microcode that will with 100% certainty cause a significant hit to the performance of our computer, or should we live with a bug that has a minuscule but finite probability of being exploited in a way that would cause us any harm?

    1. GreenReaper
      Trollface

      Re: What to do?

      How can you be so certain when nobody's allowed to benchmark it?

  19. phord

    "fetching and stalling" should be "fetching and installing".

    "Fetching and stalling" sounds like what you do on Windows updates.

  20. Claptrap314 Silver badge

    Finally

    After seven months of defending Intel on this thread for decisions which were reasonable at the time, we get a clear case of Intel being Intel. **** Intel. **** their marketing team and their lawyers. This ******** behavior is precisely why the industry has carried AMD on their backs for decades. ******* **** ******** **** ***************.

    There. I feel much better now.

    1. whitepines Silver badge
      Coat

      Re: Finally

      As I've pointed out here a few times, AMD's no saint either. They only exist because Intel allows them to exist, and they have picked up some very nasty habits from Intel over the years, from signed black-box firmware binaries (PSP) to disabling features semi-arbitrarily to increase profit (overclocking on server parts, ECC on consumer parts). Two sides of the same coin from my perspective.

      Icon, 'cause it might be chilly on the streets outside the cozy x86 world....

      1. Chronos Silver badge
        Mushroom

        Re: Finally

        Cozy? Perhaps. Mined in a random pattern? Damned right.

        I just hope RISC-V isn't just another good idea poorly executed, if you'll pardon the pun.

        Icon -> I trod on an IME. Give me your bayonet, Jones.

  21. onefang Silver badge

    "Also, the patches are picked up during the usual monthly routine of fetching and stalling operating system software updates."

    Others have pointed out the "stalling" typo, I'm taking umbrage with the "usual monthly routine" bit. Since this article is specific to Debian, I'll point out that Debian doesn't do monthly update releases. They release updates when the updates are ready. Personally I do weekly updates on my Linux based systems, though I also check daily to see if there's anything in urgent need of an update.

  22. dwheeler

    This is a DeWitt clause, and DeWitt clauses should be illegal

    Contract and license clauses that forbid benchmark publication (unless the vendor likes them) are often called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal everywhere, but Oracle (their original creator) rigorously enforces them. These clauses harm society by making it impossible to publish truthful information about software.

  23. Nick Kew Silver badge
    Pint

    Brilliant response

    From a Debian team member on his blog.

  24. eldergeek

    Seems a bit SNL...

    All that scary stuff and then "never mind" at the end. You're a credit to Gilda Radner. :)

    1. diodesign (Written by Reg staff) Silver badge

      Re: Seems a bit SNL...

      Well, the original article made Intel rewrite its license - it wasn't quite "never mind" for a day or so.

      C.


Biting the hand that feeds IT © 1998–2019