Well Done...
El Reg has dropped Debian a line to find out if Intel's response deals with its licensing concerns. Holschuh
Wot! No 'reached out'? /s /sic.
Well done El Reg for using 'dropped Debian a line'. Have one of these on me
At least one Linux distribution is withholding security patches that mitigate the latest round of Intel CPU design flaws – due to a problematic license clash. Specifically, the patch is Chipzilla's processor microcode update emitted this month to stop malware stealing sensitive data from memory by exploiting the L1 Terminal …
Not part of NewSpeak any more.
Marketing has rewritten the dictionary, and all those stuffy words that have worked and had meaning for the past 200 years are gone, to be replaced by iWords that are nice and shiny and make marketers look smart and professional.
Emphasis on "look".
Emphasis on "look visualisation optics".
FTFFY
(No, I'm not being serious. I've just noticed the trend, that's all. I come from an era when optics meant the plural of a spirit measure/dispenser behind a bar.)
replaced by iWords that are nice and shiny and make marketers look smart and professional.
Those words don't make anyone look smart or professional. The use of misunderstood US "sports" jargon and management speak to replace perfectly good words just makes people look silly.
Whenever I get messages containing this rubbish, my automatic reaction is to wonder how this could be put better. In meetings, I act as if they have been rephrased. For example, instead of "step up to the plate", I may say "volunteer" if that is what they actually mean.
Has someone made a dictionary of this newspeak? I have certainly seen people playing BS Bingo.
You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results.
I can see why Debian aren't happy, seeing as without new instructions made available by microcode updates, some of the mitigations incur a significant performance hit.
This post has been deleted by its author
There may be a reason for that: namely, benchmark tests are often propaganda and spin. Nevertheless, it should be obvious that a clause like that can only make things worse.
Perhaps governments could pick up on that. Declaring such clauses unenforceable would have limited effect, but banning the sale of goods with such onerous restrictions - or requiring such sales to be approved by a licensing authority through an onerous process including public consultation - would surely cause vendors to stop and think what's reasonable.
Nice idea, but more governmental regulation will just result in (a) more costs and bureaucracy, to be passed on to us, the customers, and (b) more governmental corruption with more civil servants and politicians in the pocket of businesses with money.
Having the private sector effectively block vendor-created problems and excesses like this one, where possible, does seem to work better overall (less bureaucracy, less cost, less corruption) than getting the government to do it.
Admittedly, Debian isn't perfect in this regard but they've done us all a favour here that I would not have trusted any government to do.
Debian is shooting themselves in the foot by not at least putting the update into the 'non-free' package distribution...
what, is Stallman behind this or something? Sounds like something he'd do/say...
/me imagines a bunch of hippies at a Santa Cruz beach wearing peace sign necklaces, love beads, psychedelic tie-dyed shirts, beaded headbands, and carrying protest signs worthy of the Laugh-In wall, talking like Tommy Chong and complaining that "Intel isn't giving us what we want, man!"
Debian, and every other distro depending on you: GET A CLUE! Just put the package into 'non-free' and be DONE with it!!!
icon, because, *FACEPALM*
"Debian is shooting themselves in the foot by not at least putting the update into the 'non-free' package distribution..."
Placing this in the non-free collection would not mitigate the problem. The non-free collection is for packages that are not open source. The problem with this update isn't whether or not it's open source, it's about unacceptable licensing terms.
At the moment it is looking like you will be waiting for at least AMD Zen 2 then.
Which is slated for 2019 at the earliest.
That's kind of what I'm thinking. I think I'll just change the discs as they're getting on a bit. Hopefully the rumours are true about the forthcoming SSD price crash :)
IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license.
It won't run Windows, but let's face it: if you're running Windows you don't really care about the terms of this license agreement (hint: you've already either accepted them by proxy in the Windows EULA somewhere).
"IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license."
Great! How much for a basic desktop configuration? Can I get it in NUC size?
What POWER laptops are available?
Looks like $2,099 USD for a desktop:
https://twitter.com/RaptorCompSys/status/1029195940874342400
For NUC form factor, maybe ARM would be a better choice? There are Rockchip parts that might fit the bill there.
As POWER9 is just coming into the desktop space this year, I wouldn't expect laptops for a little while yet. I don't have a good answer for laptops, they're hard to do right and Microsoft / Apple / Google seem to dominate that market.
IBM's POWER9 chips are right here right now, no Spectre vulnerability and certainly no licensing agreements like the Intel one seeing as IBM releases everything for the POWER9 chips under a straight MIT / GPL license.
It appears that POWER9 is vulnerable too, e.g. Red Hat info on the bugs
Looking around it seems POWER9 was not shipped with the vulnerable features turned on. The one area where this becomes a bit questionable is the kernel mitigation for their version of Meltdown, but the chips never shipped with vulnerability to Spectre from what I can tell.
"Sadly pretty much every modern CPU has been hit with bugs like these..."
Yes, but there are CPUs that don't engage in speculative execution, so those are attractive. I'd prefer to have a faster CPU, of course, but I'm not as concerned that my CPU is as fast as it can possibly be as I am that my hardware is as free of security problems as possible.
I don't believe the fairly recent MegaProcessor suffers from these recent CPU issues. Maybe you could start there?
"It wouldn't be Linux if it wasn't inconsistent and interminable bickering over licensing terms and conditions."
We FOSS folk take this stuff seriously because we can. It must be awful just having to put up with whatever rapacious T&Cs proprietary S/W vendors impose. But perhaps you're used to having to bend over.
"Sounds like you're the one bending over. Most people don't care because we have actual things to worry about based outside in the real world."
Most people don't care because:
a) They're thick, or
b) They're ignorant
Neither of which is a better way to be than being concerned about what you agree to. But if you don't mind reading stuff before agreeing to it, thanks for gifting me your house. I'll be sure to enjoy it, along with your wife. You didn't read the contract, but you agreed to it. Sorry bud x
I'm aware of these Spectre based exploits and have a good understanding of how they're executed. Fact is, I use a lot of Windows only programs. I ain't got time to mess around with Linux and wine. Like I said I've got other things to worry about out here in the real world. Also, fortunately in my country there's certain laws which protect us from stood clauses in contracts because nobody bloggers to read them.
"Like I said I've got other things to worry about out here in the real world."
Go and read the W10 privacy clause. As you're obviously not used to reading this sort of thing I'll give you big hint. Pay attention to what's missing, what they don't exclude themselves from taking.
"The data we collect can include the following:"
Notice it says "include". It doesn't say it's the complete list.
"Credentials. Passwords, password hints and similar security information used for authentication and account access. "
"Payment data. Data to process payments, such as your payment instrument number (such as a credit card number) and the security code associated with your payment instrument."
Compare that with something a little further down the list:
"Interactions. Data about your use of Microsoft products."
Do you notice something different between the first two and the third? The third has a restriction to Microsoft products. Do you see such restrictions in the first two?
Your real world includes Windows. Does your country's laws actually prevent Microsoft's "telemetry" from seeing stuff you might not want it to see and that you weren't "bloggered" to read about?
Frankly, I doubt you have much idea about the real world.
"Most people don't care because we have actual things to worry about based outside in the real world."
As far as I'm concerned the real world includes all sorts of legal issues. Perhaps that's because a good chunk of my career was concerned with the courts. I had to be able to stand over, in the witness box, what I wrote and signed. Another substantial part was as a freelancer so again, contract terms were important to me. You might have led a more sheltered life which has hidden these aspects of reality from you.
"This isn't that, though. This is Debian simply deciding that the license Intel is requiring is too onerous, and they don't agree to it. That's hardly bickering, that's rejecting a bad deal."
You're expecting a Mac/Windows fan boi to be clever enough to read the EULA though, when all they've ever done with them is click 'Accept'.
Holschuh cannot be serious. In the EU these terms could even be void, same for the Netherlands. I'm not a legal person, so I could be mistaken. In my opinion it violates my constitutional rights and buyer's rights. Doing benchmarks and publishing them is journalism and as such a matter of free speech.
> Doing benchmarks and publishing them is journalism and as such a matter of free speech.
While many a layperson would agree with you, Oracle and Microsoft have been prohibiting benchmarks of their database software for many years unless you get their permission, up front in writing first.
e.g. you're not getting permission unless the benchmark is favourable
Oracle and Microsoft have been prohibiting benchmarks of their database software for many years...
So did VMware, as I recall - for quite a few years while the overhead of full virtualization led to inferior performance compared to native HW or paravirtualized machines. That was before Intel and AMD added HW support for virtualization (i.e. before, say, 2006). Today (with HW support) the overhead is not significant, and I believe the "no benchmark publishing" clause is no longer there (but I have not checked recently).
The industry is rather used to this. I am not very surprised that the likes of Red Hat and SuSE behave pragmatically and thus don't have a problem, or that Debian have.
You’re not a geography person either. The Netherlands is in the EU :-)
There is, however, a distinction between the remit of the court of the ECHR (not strictly an EU institution) over matters of human rights (freedom of expression under Article 10), the ECJ (as the highest court of arbitration in the EU) over matters of EU regulations, and the courts of the Netherlands, over national law in that country (for example there may be national laws that govern freedom of the press).
As noted by another poster above, not all territories of the Netherlands are necessarily within the EU, such as the Netherlands Antilles. One would presume that they are still subject to the laws of the Netherlands, as a sovereign nation (note to europhobes - the EU doesn't remove a country's sovereignty despite what various shouty gammon-faced men on BBC Question Time would have you believe).
You obviously aren't trained in legal matters.
Businesses also have constitutional rights. A business has the right to not do something, and you have the right not to support this business for their decision. Nobody has a monopoly creating a forced action. Everyone can go elsewhere and make a number of choices.
This being said, both the EULA and Debian's lack of action is not against GDPR or anyone's constitutional rights in any country in Europe.
This being said, both the EULA and Debian's lack of action is not against GDPR or anyone's constitutional rights in any country in Europe.
How can you say that with any certainty? It may well be that something in that EULA does contravene someone's constitutional rights in a European country (or elsewhere for that matter), but since no test case has been brought (that you or I know of), there has been no legal precedent to make that section of the EULA invalid. That's very different from the whole thing being legally watertight.
IANAL, and you are clearly not one either.
In this very specific case, you're ignoring the fact that this is mitigation of a flaw in the workmanship of a product that was sold already, i.e. you really don't have any choice but to use the microcode, especially if it creeps in via a firmware update. This licence change is highly unlikely to be binding on people who already owned Intel chippery before the flaw came to light. I don't know of any jurisdiction in the EU that allows such unilateral contract changes.
IANAL, YMMV etc.
"In a statement to The Register, Imad Sousou, corporate vice president and general manager of the Intel Open Source Technology Center, said it's "not true" that Debian can't distribute the microcode package."
Technically, he's absolutely correct in his assertion. Of course, what he's specifically NOT addressing is the fact that Debian *won't* distribute the package.
I think this thread has now hit the unwritten El Reg rule that "if it goes on long enough it is imperative that someone must include at least one Monty Python/Douglas Adams/Terry Pratchett/Airplane* reference."
(* Delete as applicable - actually no, don't delete - just include all of them)
What if we were talking about cars, not chips?
So would it be okay if a carmaker released a car that had a serious safety flaw, so much so that they had to offer (yet another) recall.. but then they told the owners of those cars they could only have the fix if they signed a contract restricting some of their previously-held rights, or whatever else the carmaker wanted?
Should owners of the defective cars have to concede anything at all to get their products fixed?
Intel is using their own crappy design as a hammer to force people to agree to terms that are not in their favor. How is it that all of these design flaws keep ending up benefitting the company that produced them?
I am no legal beagle but to me it's very simple. The microcode is necessary to make the device you have already bought work better. It can't be resold and can only be used on a specific device.
So assuming you want that and do due diligence just use it and get on with life.
I'd like to hear an opinion from somebody qualified but don't think it has any weight.
Erm, did you try asking Intel lawyers for an opinion on this matter? I hope they're qualified enough for your taste and at the end you may tell them you don't give a damn about their opinion.
Please go get another cup of coffee and this time make sure it is stronger!
The benchmark prohibition clause is also known as the "DeWitt Clause", after David DeWitt, an academic who got on the wrong side of Larry Ellison of Oracle.
Putting "DeWitt Clause" into the Internet search engine of your choice will give links to the full history, and some discussion around the reasons for and against.
Properly executed benchmarks can be very informative, but it is remarkably difficult to do benchmarks that all parties concerned will agree to have been properly executed. Losers can usually find nits to pick, as anyone who has been involved with benchmarking in any serious way will attest.
Very interesting. But 3(v) is a blanket clause, in that it prohibits the reporting of any benchmark results, including the fairest test of all: an Intel CPU benchmarked against itself, with and without microcode/firmware patches installed. Surely the DeWitt case only extended the right of a licensor to limit benchmark reporting and did not protect clauses like Intel's that proscribe benchmark reporting entirely.
To do so would be problematic. Intel's contract, for instance, makes no warranty that their CPU instruction set is fit for any purpose whatsoever - let alone warrant that operating the CPU with their patch will not impede CPU performance. If all of Intel's EULA terms were enforceable and every CPU manufacturer had similar terms, then no consumer could make an informed CPU purchase.
"Properly executed benchmarks can be very informative, but it is remarkably difficult to do benchmarks that all parties concerned will agree to have been properly executed. "
Absolutely true. However, that fact should not in any way impact people's rights to perform benchmarks and publicize the results, even if those benchmarks are flawed.
I mean it's not like some other company is going to build a microcode compatible CPU without Intel suing them into the ground.
...and if they did, one would be hopeful that they wouldn't build the same flaws into it that this microcode update explicitly addresses, rendering the copyright on the microcode moot.
After seven months of defending Intel on this thread for decisions which were reasonable at the time, we get a clear case of Intel being Intel. **** Intel. **** their marketing team and their lawyers. This ******** behavior is precisely why the industry has carried AMD on their backs for decades. ******* **** ******** **** ***************.
There. I feel much better now.
As I've pointed out here a few times, AMD's no saint either. They only exist because Intel allows them to exist, and they have picked up some very nasty habits from Intel over the years, from signed black-box firmware binaries (PSP) to disabling features semi-arbitrarily to increase profit (overclocking on server parts, ECC on consumer parts). Two sides of the same coin from my perspective.
Icon, 'cause it might be chilly on the streets outside the cozy x86 world....
"Also, the patches are picked up during the usual monthly routine of fetching and stalling operating system software updates."
Others have pointed out the "stalling" typo, I'm taking umbrage with the "usual monthly routine" bit. Since this article is specific to Debian, I'll point out that Debian doesn't do monthly update releases. They release updates when the updates are ready. Personally I do weekly updates on my Linux based systems, though I also check daily to see if there's anything in urgent need of an update.
Contract and license clauses that forbid benchmark publication (unless the vendor likes them) are often called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal everywhere, but Oracle (their original creator) rigorously enforces them. These clauses harm society by making it impossible to publish truthful information about software.
From a Debian team member on his blog.