I was just explained the other day on Hacker News how CPU microcode gets delivered with the Kernel. That it gets installed automatically on every boot. Why is it a separate package (which it turns out I don't have).
Well it is a separate package because it is fundamentally independent of the kernel. For example, your Debian system might want to use a different kernel like GNU's Hurd, kFreeBSD, or NetBSD, so by keeping those packages separate, they can easily be used interchangeably. Also if you are on an AMD system, you wouldn't want Intel microcode, but you might still want the same Linux kernel.
Also another big issue issue is the Intel microcode is proprietary, so separating it from the kernel means that user could selectively pick and choose if wants to have a totally free system, which would mean not loading microcode updates with a libre kernel. This is done for instance with Parabola and Trisquel distros, which is needed to obtain FSF's totally free certification.
Does this mean that my Ubuntu installation runs stock Intel microcode? It means I actually have to know about this, and then go out of my way and know how to install it? Or should it be installed by default on Ubuntu? Because the package called `intel-microcode` isn't installed for me now.
Debian removes binary blobs from the kernel, putting them into separate microcode and firmware packages in non-free instead.
Intel places restrictions against reverse engineering the microcode, as well as it not being in the prefered original source. Both of these violate the Debian Free Software Guidelines, and thus it can only be in non-free at best.
I thought you need the microcode to boot. How can you function in a non-free OS? And I guess non-free people will have these bugs now?
Also, I have basic Ubuntu. I'm running `apt list --installed` and I don't have the microcode package in the list. Does that command not list dependencies, or am I just missing it?
The CPU has a built-in baseline microcode that it uses on every boot (runtime microcode updates are not persistent), OSes don't need to necessarily update it, but they can.
then follow the "releasenote".