by adjkant 3085 days ago
I think for a bug this big it is pretty understandable. So far, it seems clear the actions of all involved were in a good spirit of responsible disclosure.

Except if you are into *BSD. In that case you might want to label it "selective disclosure" instead of "responsible disclosure".
Well, since some of the BSD folks publicly stated that they’d ignore any embargo, that seems like a pretty predictable consequence. And in this case I understand that it took a while to develop workable mitigations. Immediate disclosure might have caused great harm.
Tarring all of the BSDs with the same brush is wrong, both in general and here specifically. There's also the matter of both Matthew Dillon and Theo de Raadt discussing this topic months or even years before Google Project Zero made its discovery.

* https://news.ycombinator.com/item?id=16086047

* https://news.ycombinator.com/item?id=16074531

* https://news.ycombinator.com/item?id=16075744

Moreover, the OpenBSD people have made some remarks about how it was commentaries in Linux patches and discussions on LWN that actually let the cat out of the bag this time.

* http://pythonsweetness.tumblr.com/post/169166980422/the-myst... (https://news.ycombinator.com/item?id=16046636)

* https://news.ycombinator.com/item?id=16084404

> Tarring all of the BSDs with the same brush is wrong, both in general and here specifically.

Is that actually being done? The FreeBSD team got notified (late); the DragonFlyBSD, OpenBSD and NetBSD teams did not get notified. Matt, of course, seems to have a patch already.

The bugs Theo was talking about were unrelated to these ones.
I did point to https://news.ycombinator.com/item?id=16074531. However, it is also wrong to err in the other direction as you have and to say that they were unrelated. Others have already made this point in https://news.ycombinator.com/item?id=16075744, which I also pointed to.
Theo de Raadt (OpenBSD BDFL) does not represent FreeBSD in any way. FreeBSD's policy is to work with embargoes.
Yeah, if you're not using Linux/Windows/macOS, this sucks. I wonder what happens next. Either alternative OSs for desktops/servers will become less popular or people will move away from Intel chips. Obviously Intel's CEO bet on the latter - stocks are a representation of the future value of a company.

Last year I was already hoping that ARM Chromebooks would become more popular but in reality you cannot find them in any retail store.

Probably because Intel doesn't look too fondly on companies who make ARM motherboards.

I believe it's high time the long history of anticompetitive actions by Intel end, and their near/effective monopoly in major market segments be regulated.

Re: "responsible disclosure": https://news.ycombinator.com/item?id=9945686

Just something to keep in mind, not something we need to litigate on this thread.

Hmm, wasn't there that Microsoft Windows(?) bug that they derestricted before the patch was out? Memory escapes me at the moment. I thought it somewhat cemented/promoted their adherence to 90 days regardless of patch availability.
Perhaps you're thinking of this bug report https://bugs.chromium.org/p/project-zero/issues/detail?id=11...

Project Zero evaluated and relaxed their disclosure policy after that incident as described here https://googleprojectzero.blogspot.com/2015/02/feedback-and-...

Ah yes.

I see there are some extensions there (maximum of 14 days), but this bug would have probably been covered under "As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances."

Thanks!

One could also consider Microsoft leaking Meltdown here:

https://twitter.com/aionescu/status/930412525111296000

Last time I checked, Alexandru Ionescu was not a Microsoft employee.