
This statement really rubs me the wrong way.

It sounds an awful lot like “you’re responsible for catching our screw-ups” and it’s a bit rich to tell people to do proper testing while the project itself failed to do so before letting this land.



Not at all.

To be vulnerable, you need to build on a non-vulnerable machine which passes the built in tests, then you need to deploy to a vulnerable one and finally you have to not verify that the deployment works.

Absolutely not what you are implying.


I agree about the chain, but it’s incredibly easy for this to happen with how most things are distributed as binary packages. Most folks won’t be running the test suites on the end system.


Wouldn’t building on a non-vulnerable system also compile the binary with non-vulnerable instructions? Does a non-AVX512 system really build an executable that calls AVX512?


OpenSSL does a lot of runtime detection of what a system is capable of, so I would suspect this can happen.
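What that runtime detection looks like, as an added illustration (not OpenSSL's code): the build host compiles every implementation in, CPUID decides at run time which one executes, so a test suite passing on a host without the feature says nothing about the path that only a capable deployment host will run. The checksum, the capability bit layout and the `mask` parameter are this example's own; the reference to OPENSSL_ia32cap is to the real OpenSSL environment variable that masks detected capabilities. The CPUID query is only compiled on x86; elsewhere no capability is reported.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
#define CAP_AVX512F (1u << 0)  /* this example's own capability bit, not OpenSSL's */
typedef uint32_t (*checksum_fn)(const uint8_t *, size_t);

/* Ask the CPU what it supports: CPUID leaf 7, subleaf 0, EBX bit 16 = AVX512F. */
uint32_t detect_caps(void) {
    uint32_t caps = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx) && (ebx & (1u << 16)))
        caps |= CAP_AVX512F;
#endif
    return caps;
}
/* Two implementations of one checksum, both plain C so this compiles anywhere.
 * In a real library the "wide" one would be AVX-512 code that cannot execute
 * on a host without those instructions, so a test run there never reaches it. */
uint32_t checksum_generic(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}
uint32_t checksum_wide(const uint8_t *p, size_t n) {
    uint32_t s = 0; size_t i = 0;
    for (; i + 8 <= n; i += 8)  /* stand-in for the vectorised inner loop */
        s += p[i] + p[i+1] + p[i+2] + p[i+3] + p[i+4] + p[i+5] + p[i+6] + p[i+7];
    for (; i < n; i++) s += p[i];  /* scalar tail */
    return s;
}

/* Run-time dispatch. `mask` clears capability bits so a harness can force the
 * generic path on a capable host (OpenSSL offers that via OPENSSL_ia32cap);
 * nothing can force the wide path on a host that lacks the feature. */
const char *select_impl(uint32_t caps, uint32_t mask, checksum_fn *fn) {
    if ((caps & ~mask) & CAP_AVX512F) { *fn = checksum_wide; return "avx512"; }
    *fn = checksum_generic;
    return "generic";
}
int main(void) {
    const char *sample = "constructed test data";  /* constructed input */
    checksum_fn fn; const char *name = select_impl(detect_caps(), 0, &fn);
    printf("%s path, checksum %u\n", name, fn((const uint8_t *)sample, strlen(sample)));
    return 0;
}
```

Running the tests on a build host that prints "generic path" exercises only checksum_generic; the deployment host that prints "avx512 path" is the first machine to execute the other implementation.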



