Selfhosted

38707 readers

677 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

189

AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose' (www.tomshardware.com)

submitted 1 month ago by [email protected] to c/[email protected]

46 comments fedilink hide all child comments

Here we are - 3600 which was still under manufacture 2-3 years ago are not get patched. Shame on you AMD, if it is true.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 83 points 1 month ago (3 children)

That's so stupid, also because they have fixes for Zen and Zen 2 based Epyc CPUs available.

Intel vs. AMD isn't "bad guys" vs. "good guys". Either company will take every opportunity to screw their customers over. Sure, "don't buy Intel" holds true for 13th and 14th gen Core CPUs specifically, but other than that it's more of a pick your poison.

[–] [email protected] 26 points 1 month ago (2 children)

Tangent: If we started buying risc-v systems we might get to a point where they can actually compete.

[–] [email protected] 13 points 1 month ago (1 children)

That's still far away from us as a consumer standpoint, but I'm eagerly waiting for a time when I could buy a RISC V laptop with atleast midrange computing capabalities

[–] [email protected] 3 points 1 month ago (1 children)

I‘m more on the builder/tinkerer side so I‘m pretty much in starting position with risc-v now. But yes, its going to be some time before any of it is user ready as a pc.

[–] [email protected] 4 points 1 month ago

Framework has a laptop in progress if you're interested

[–] [email protected] 2 points 1 month ago

Jeff Geerling had a video recently about the state of RISC V for desktop. https://youtu.be/YxtFctEsHy0?si=SUQBiepSeOne8-2u

[–] [email protected] 2 points 1 month ago

“Both sides”

“Vote third party!”

Wtf seriously this isn’t the same thing remotely but the arguments used are.

[+] [email protected] -26 points 1 month ago (1 children)

How is AMD "screwing us over"? Surely they aren't doing this on purpose? That seems very cynical.

[–] [email protected] 44 points 1 month ago* (last edited 1 month ago) (1 children)

They are 100% not patching old chips intentionally by not allocating resources to it. It's a conscious choice made by the company, it is very much "on purpose".

[–] [email protected] 0 points 1 month ago (3 children)

That's not what I was referring to. I was referring to the act of "adding vulnerabilities". Surely they aren't doing that on purpose. And surely they would add fixes for it if it was economically viable? It's a matter of goodwill and reputation, right?

I don't know, I just don't think it's AMD's business model to "screw over" their customers. I just don't.

[–] [email protected] 18 points 1 month ago (1 children)

What I mean by that is that they will take a huge disservice to their customers over a slight financial inconvenience (packaging and validating an existing fix for different CPU series with the same architecture).

I don't classify fixing critical vulnerabilities from products as recent as the last decade as "goodwill", that's just what I'd expect to receive as a customer: a working product with no known vulnerabilities left open. I could've bought a Ryzen 3000 CPU (maybe as part of cheap office PCs or whatever) a few days ago, only to now know they have this severe vulnerability with the label WONTFIX on it. And even if I bought it 5 years ago: a fix exists, port it over!

I know some people say it's not that critical of a bug because an attacker needs kernel access, but it's a convenient part of a vulnerability chain for an attacker that once exploited is almost impossible to detect and remove.

[–] [email protected] 9 points 1 month ago (1 children)

No they are just choosing not to roll out the fix to a known issue, which is screwing customers over on purpose (to increase profits). It's not a matter of goodwill, they sold a product that then turned out to have a massive security flaw, and now they don't want to fix even though they absolutely could.

[–] [email protected] -3 points 1 month ago (1 children)

I'm guessing it's a balance between old products, effort, severity, etc. As we've learned, this is only an issue for an already infected system. 🤷‍♂️

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

Ryzen 3000 series CPUs are still sold as new, I even bought one six months ago, they're no where near being classified as "old", they're hardly 5 years old. And this is not only an issue for already infected systems because uninfected systems will intentionally be left vulnerable.

[–] [email protected] 3 points 1 month ago

No, but those vulnerabilities where there when you bought it.

Would a car have a defect that was shown 5 years later, then the manufacturer would have to recall it or offer a repair program and or money in exchange.

Since everything is proprietary you cannot even fix things like this by yourself. The manufacturer needs to be held liable.