by davidlt 3073 days ago
IIUC, a limited number of people from the kernel community knew about this and NDAs didn't exactly allow all the parties to work together. The first solutions/mitigations exist (might not be nice), but now the embargo is lifted and the communities (incl. companies) can work on better solutions together.

I would hope people from the Linux and BSD kernel communities aren't signing NDAs. I would expect them to refuse on principle. Do they not?
I don't sign them (in general), but my employer has agreements and I like my job enough to accept that secrecy and embargoes are on occasion a necessary evil.

In this case, however, it was handled horribly. During the embargo period, we kept telling Intel and AMD what they were doing wrong, and they wouldn't listen (or alternatively, they made clear enough that they wouldn't listen that we didn't even try). But really there's little more that I can do than hope that the next time they listen to us.

If only one of them had listened, it might have been an impetus to stick with that manufacturer.
It is reasonable to avoid disclosure of security issues till the bugs have been patched. Absolute principles mean nothing in the context of flawed realities.
Wouldn't the NDA in a case like this just be about the embargo? If this is the case, what strong argument against an NDA is there given that agreement not to disclose the bug is necessary until a good mitigation strategy is in place?
In the Spectre case, the 6-month NDA did not result in a good mitigation strategy. A few weeks of public discussion has identified better mitigations for some customers.
First, it did. Retpolines on pre-Skylake + IBRS on Skylake is pretty good actually. However, it turns out that (as is expected when you add new people to the group which are smart and bring a fresh mind) you might be able to do even better. It's okay, and it's expected. Since these are mitigations, not fixes, incremental improvements are the right thing to do. The "garbage patches" are more than enough for distros that want to provide a mitigation to their users, Linus just doesn't consider them a good idea in the long term. What was not okay is that no one knew who exactly knew what and hence it was not even possible to discuss anything---which is the reason why all these things are being discussed _now_, after the embargo has been lifted. But even if this wasn't the case...

... for Linux distributions the actual embargo time was a little less than two months. That is actually a very small time to do the amount of work that was needed to mitigate Meltdown and Spectre. No Linux distribution was able to ship retpolines on the date the embargo was lifted (heck, only RHEL and SuSE shipped anything for Spectre at all), and the extra week would have bought us nothing. We would have needed to be notified a month or two earlier.

No, it was also about who you'd discuss the issue with, even if you knew/suspected that they were disclosed.