I don't sign them (in general), but my employer has agreements and I like my job enough to accept that secrecy and embargoes are on occasion a necessary evil.
In this case, however, it was handled horribly. During the embargo period, we kept telling Intel and AMD what they were doing wrong, and they wouldn't listen (or alternatively, they made clear enough that they wouldn't listen that we didn't even try). But really there's little more that I can do than hope that the next time they listen to us.
It is reasonable to avoid disclosure of security issues till the bugs have been patched. Absolute principles mean nothing in the context of flawed realities.
Wouldn't the NDA in a case like this just be about the embargo? If this is the case, what strong argument against an NDA is there given that agreement not to disclose the bug is necessary until a good mitigation strategy is in place?
In the Spectre case, the 6-month NDA did not result in a good mitigation strategy. A few weeks of public discussion has identified better mitigations for some customers.
First, it did. Retpolines on pre-Skylake + IBRS on Skylake is pretty good actually. However, it turns out that (as is expected when you add new people to the group which are smart and bring a fresh mind) you might be able to do even better. It's okay, and it's expected. Since these are mitigations, not fixes, incremental improvements are the right thing to do. The "garbage patches" are more than enough for distros that want to provide a mitigation to their users, Linus just doesn't consider them a good idea in the long term. What was not okay is that no one knew who exactly knew what and hence it was not even possible to discuss anything---which is the reason why all these things are being discussed _now_, after the embargo has been lifted. But even if this wasn't the case...
... for Linux distributions the actual embargo time was a little less than two months. That is actually a very small time to do the amount of work that was needed to mitigate Meltdown and Spectre. No Linux distribution was able to ship retpolines on the date the embargo was lifted (heck, only RHEL and SuSE shipped anything for Spectre at all), and the extra week would have bought us nothing. We would have needed to be notified a month or two earlier.