by ambulancechaser 3072 days ago
Wouldn't the NDA in a case like this just be about the embargo? If this is the case, what strong argument against an NDA is there, given that agreement not to disclose the bug is necessary until a good mitigation strategy is in place?

In the Spectre case, the 6-month NDA did not result in a good mitigation strategy. A few weeks of public discussion has identified better mitigations for some customers.
First, it did. Retpolines on pre-Skylake + IBRS on Skylake is pretty good actually. However, it turns out that (as is expected when you add new people to the group who are smart and bring a fresh mind) you might be able to do even better. It's okay, and it's expected. Since these are mitigations, not fixes, incremental improvements are the right thing to do. The "garbage patches" are more than enough for distros that want to provide a mitigation to their users; Linus just doesn't consider them a good idea in the long term. What was not okay is that no one knew who exactly knew what, and hence it was not even possible to discuss anything---which is the reason why all these things are being discussed _now_, after the embargo has been lifted. But even if this wasn't the case...

... for Linux distributions the actual embargo time was a little less than two months. That is actually a very small time to do the amount of work that was needed to mitigate Meltdown and Spectre. No Linux distribution was able to ship retpolines on the date the embargo was lifted (heck, only RHEL and SuSE shipped anything for Spectre at all), and the extra week would have bought us nothing. We would have needed to be notified a month or two earlier.

No, it was also about who you'd discuss the issue with, even if you knew/suspected that they were disclosed.