From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: Intel Microcode
Date: Thu, 23 Aug 2018 21:11:20 +0200
Message-ID: <7ccf12cd-e37e-d5bf-3821-2aca28928122@link38.eu>
In-Reply-To: <c901227803752aaf18f9c673950044f872a786be.camel@ipfire.org>
Hello,
> Hi,
>> [snip]
>>
>>> It looks like we have to rollback the microcode update. Intel has
>>> changed the licensing terms in such a way that we won't be able (and no
>>> third party either) to provide any performance benchmarks.
>>>
>>> So if someone says on the forum that IPFire is "a little bit slower
>>> since the last update", that would violate that license.
>>
>> That's a VERY broad reading of the license. What you describe is a
>> subjective opinion of the performance of one installation from someone
>> not associated with the project, as opposed to the project itself
>> posting controlled performance benchmarks with before-and-after numbers.
>
> That didn't come from me, but Debian and Gentoo:
>
> * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906158
> * https://bugs.gentoo.org/664134
>
> RedHat and SuSE seem to be shipping the new microcode. Not sure if they
> saw the change of the license.
>
> There is also a number of articles in the German news (at least) who
> share this opinion:
>
> * https://www.golem.de/news/side-channel-angriffe-intel-untersagt-benchmarks-und-haertet-naechste-generation-1808-136151.html

Heise has published one, too:
https://www.heise.de/newsticker/meldung/Aerger-ueber-Intels-Lizenzbedingungen-fuer-Sicherheits-Updates-4144515.html

It says there: Intel has announced that it will publish a changed version of
the license soon. Seems like the current version was copied from an NDA
template, as confidentiality is one of the listed aspects - which does not
make any sense at all in a public document.

However, as Michael mentioned, it illustrates the problem we all have with
Intel: Technical mistakes with security impact happen - they must not happen,
but unfortunately they do. A "normal" vendor would publish updates and a
security advisory as soon as possible, keep customers and partners up
to date, and maybe apologise for the problem.

The company did none of those in time. And it does not look like they are
going to do so in future. Of course, that's exactly the problem with all
major IT companies, there is no need to name them here. But if you do not
like your ISP, there is an alternative. If you do not like an operating
system, choose another. But nobody can afford to stop using nearly all
modern computer hardware from one day to another - not speaking about the
poor diversity situation on the market.

And so, trustworthy hardware remains a dream - at least for those users who
care (or have to care) about security. It is wretched, absolutely wretched.

>
>> [snip]
>>
>>> Basically, it isn't an option to ship this. Other distributions think
>>> the same.
>>
>> I see the desire to err on the side of caution, plus the desire to put
>> pressure on Intel to modify the license, but I'd argue it's overkill.
>
> It is just ridiculous from my angle. Their primary sales argument is to
> be on top of the list of each benchmark out there. They probably forgot
> about that.
>
> But this is more about a slight change to hide that they messed up
> *massively* here and a very bad attempt to cover it up. Now they got a
> proper Streisand going. Well done Intel.
>
> I am so fed up with spending so much of my time trying to fix something
> that they got wrong and don't even own up to it. They are a shit
> company.
ACK.
>
> *Goes and punches a wall now*
"Wo sich sicherheitsmäßig alles in der Scheiße suhlt und stinkt zum
Gottserbarmen..." (Sorry for the German swearwords, I do not have an
English translation at hand. Feeling with Michael here...)
Best regards,
Peter Müller
>
> -Michael

--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq