
I really dislike the term "responsible disclosure" in this context. I might consider it responsible to notify a software vendor about a vulnerability in their software so they have a chance to issue a fix to their customers before the rest of the world finds out. But this situation is different. These vulnerabilities affect everyone, and only a special few were allowed to prepare in advance. That's just preferential disclosure.


The Register had some quite pointed remarks on the use of the word "responsible" by Intel in its press releases.

* http://www.theregister.co.uk/2018/01/04/intel_meltdown_spect...

See also these:

* https://qht.co/item?id=14010010

* https://qht.co/item?id=16043952


> These vulnerabilities affect everyone, and only a special few were allowed to prepare in advance. That's just preferential disclosure.

In this particular case, most of the fix had to be done in the operating system (the new microcode only enabled extra functionality needed by part of the operating system fixes), so it makes sense that operating system developers were allowed (and required) to prepare in advance. The three most relevant operating systems are Windows, OSX, and Linux; for Linux, one of the most important distributors is Red Hat. That gives two of the groups which were notified in advance: hardware (Intel, AMD, ARM) and operating systems (Microsoft, Apple, Red Hat, a few others).


Ubuntu and BSD still have no fixes. It indeed seems like a preferential disclosure. Plus no 2nd-tier cloud providers like DO were notified.


It will be pretty unfortunate if it turns out that the projects that maintain a kernel (FreeBSD, various others) only received notification at Christmas, while various Linux distros (who have to deal with packaging, release, QA but not developing their own kernel patch since that comes from upstream) got a long warning period. It seems that way... Looking forward to reading about how this played out when the dust settles.


There was a post to the OpenBSD tech list saying that no BSDs were told anything. And a blog post from Canonical says that the patch will be available 9th January (IIRC).


OpenBSD didn't respect the embargo a few months ago with the wifi issue, no surprise that they weren't told about this up front.


Yep, FreeBSD got notified a week before Christmas: https://www.freebsd.org/news/newsflash.html#event20180104:01

The Spectre mitigation is expected soon but there is no ETA on Meltdown yet: https://www.reddit.com/r/freebsd/comments/7och5a/freebsd_was...

As others say, OpenBSD indeed violated embargoes a few times.


There is basically no independent upstream (other than a handful of people). Essentially all the kernel developers work for the companies that have distros plus organizations like Intel, Qualcomm, etc. that do a lot of device enablement.


I agree in general. In this particular case, though, a good fraction of the work was done by me and tglx. I'm independent. Tglx is sort of independent.

This is not to diminish the work done upstream by less independent people. Dave Hansen, in particular, is the one who actually got the code to function.


Canonical said they were told in November.


The lay public, aka everyone, isn't considered to be expert in this domain to address the issues. Hence, they disclosed to top-tier OS distributions and partners.

It's similar to the recalls of Takata airbags in this regard. The manufacturers are informed and they tell us, the consumers, to bring in our cars. I'm not qualified to replace an explosive airbag, even though I drive a car daily as a lay person.


There are other OSes and affected companies beyond the ones who were chosen to receive advance warning.

Imagine how it would work out in your airbag analogy if only Toyota and GM knew, and they withheld information for months while they worked on their own fixes, meanwhile the public remains in danger and other automakers have no chance to implement their own recall plans.


Can you mention which OS didn't get early enough warning? I'm sure there are some niche ones which may miss out, but they are usually not the target of hacking either. And many of the derivative Linux distributions don't do active kernel development and just compile the stock kernel or derive from Red Hat, Ubuntu or others. The more people that are informed early, the more likely it will leak out early.


My particular interest is in OpenBSD, which was not included.


There is some drama over OpenBSD and KRACK that may have been why they didn't get told. But that is just pure speculation.

