
Ask HN: Delay buying new devices due to Meltdown/Spectre CPU bug? - m3nu
Is it advisable to put off any device purchases until this issue is fixed in a new generation of CPUs? So in 1-2 years?
======
quantummkv
Unless you are building a server, it does not matter. Your GPU handles a lot
of desktop heavy workloads such as gaming. If you are building servers or a
machine for CPU intensive tasks such as compiling chromium every hour, then
you might want to look at AMD. The major performance hits are caused by
meltdown patches that do not affect AMD. And the amount of cores they give
certainly help in these workloads.

Fixing these bugs at CPU level will require changes in architectures. Such
sweeping changes won't come for years. Intel has not made such an overhaul in
years and AMD just made one.

~~~
javitury
> Unless you are building a server, it does not matter

The average HN user is not the typical desktop/laptop user. I bet we use
virtual machines, compilers, technologies like nvme, databases
(postgres/mysql)... more often than the typical desktop/laptop user.

~~~
quantummkv
Yes, we do. But I doubt anyone is using them for production workloads.
Development workloads don't continuously push CPU to 100% or even 70% for
large periods of time. Development workloads don't make 1000 req/sec on
postgres. No one has 10 VMs running at a time on a desktop.

These perf issues will only affect the server and cloud providers or some edge
cases on the desktop. Everyone else can just apply the patches and go to work.

~~~
discreteevent
You are probably right although C++ compilation can use a fair bit of
processor, especially with parallel compilation (e.g. Qt jom). Not sure how
frequent system calls are though.

~~~
kasabali
C/C++ compilations typically read and write a zillion different tiny files and
even if they happen totally in a memory buffer they'll still do a hell of a lot
of system calls.

------
keldaris
There's no point in waiting. Neither Intel nor AMD will significantly adjust
their roadmaps due to these issues simply because they don't realistically
have the flexibility to do so.

Evaluate your threat model in the context of Meltdown/Spectre and opt in or
out of the mitigations accordingly. There are relatively few cases where the
workload is both significantly affected by the mitigations and vulnerable to
these attacks (Xen paravirtualization would be the prototypical example).
Personally, I opt out of page table isolation, KASLR and any retpoline-style
mitigations on my desktop systems and compute servers for performance reasons.
Make sure you understand the implications of these choices if you go that way,
though.
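
A way to see which of those mitigations a Linux kernel actually has active before opting out, as an added example that is not from the thread: it reads the sysfs vulnerability files and looks for the real opt-out boot parameters (nopti/pti=off, nokaslr, nospectre_v2/spectre_v2=off), falling back to a constructed sample directory when sysfs is unavailable.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the Meltdown/Spectre mitigation
# state a Linux kernel reports in sysfs, and flag boot parameters that opt out.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "name: status" for every file in the directory given as $1.
mitigation_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Number of entries whose status begins with "Vulnerable" (no effective fix).
count_unmitigated() {
    mitigation_report "$1" | grep -c ': Vulnerable' || true
}

# List the opt-out flags present in the kernel command line passed as $1.
# nopti/pti=off disable page table isolation (Meltdown), nokaslr disables
# KASLR, nospectre_v2/spectre_v2=off disable the Spectre v2 mitigation.
optouts_in_cmdline() {
    cmd=" $1 "
    out=""
    for flag in nopti pti=off nokaslr nospectre_v2 spectre_v2=off; do
        case "$cmd" in *" $flag "*) out="$out $flag" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: a host whose kernel was patched but whose compiler lacked
# retpoline support, so Spectre v2 is still reported as vulnerable.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

main() {
    if [ -d "$VULN_DIR" ]; then dir="$VULN_DIR"; else dir=$(make_sample_dir); fi
    mitigation_report "$dir"
    echo "unmitigated entries: $(count_unmitigated "$dir")"
    echo "opt-outs: $(optouts_in_cmdline "$(cat /proc/cmdline 2>/dev/null)")"
}
main
```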

~~~
kikoreis
Do you have actual facts to back up your first paragraph? If it's just an
informed opinion, mine is: if you can, you should definitely wait before
buying new server parts.

~~~
alltakendamned
You underestimate how long it takes to "patch" hardware. Having an opinion
does not make it an informed one.

Read the following thread:
[https://twitter.com/securelyfitz/status/949370010652196864](https://twitter.com/securelyfitz/status/949370010652196864)

~~~
XzetaU8
"Come 2019 and 2020, other products in the pipeline will have more involved
fixes that again improve performance over the software and quick fixes. The
solution everyone wants is a full fix with no performance impact. I can't
imagine that coming any sooner than 2021"

------
Pilfer
The Meltdown and Spectre attacks require code execution on your local machine.
You can avoid both the Meltdown and Spectre attacks by not downloading and
running untrusted software.

The Javascript attack vector for Spectre will be patched by browser vendors.

If you operate safe computing practices it is unlikely you will be hit by
either the Meltdown or Spectre attacks.

~~~
mkagenius
> The Javascript attack vector for Spectre will be patched by browser vendors

Not just limited to browsers though. Content may be injected via other
sources. It's difficult to get an exhaustive list of such applications. But here
is an example of iMessage: [https://threatpost.com/inside-the-latest-apple-imessage-bug/...](https://threatpost.com/inside-the-latest-apple-imessage-bug/117337/)

~~~
Pilfer
iMessage uses the WebKit rendering engine to run Javascript. The WebKit engine
will be patched by its vendor Apple.

~~~
et-al
Ugh.. when Apple introduced apps and stickers into iMessage, I knew it could
be a vector for attacks.

Too bad Apple doesn't give users the option to have only "text-only" messages.

~~~
dogma1138
It does, it’s called using SMS.

------
simcop2387
I still bought. Even if there are changes to the systems in the future to
address them at a lower level, it'll be at least one generation away probably
two. The timelines on designing new CPUs are multi-year beasts because of the
complexity, and with the next generation happening "soon" I doubt a redesign
could be feasible for them. So you're looking at what I'd guess is a year or so
for any movement.

------
foxhop
Delay or upgrade by purchasing used hardware. I often buy my gear 3-4 years
old from eBay; it lets me upgrade without the sticker shock. This assumes you
don't need the latest and greatest. I do this with laptops and server gear.

This is similar to purchasing used cars, you can steadily upgrade with much
less capital and therefore each purchase holds much less risk. Also it's much
better for the environment.

~~~
teej
Buying old or used hardware from 3-4 years ago does not protect you from
Spectre/Meltdown.

~~~
foxhop
I never said it does. Buying new hardware today does not protect you from
Spectre/Meltdown either, the new hardware shipping for the next year at least
(and the stuff currently on the shelf) does not protect you.

I suggested delaying a new purchase until the CPUs are fixed (who knows how
long that will take) or upgrade by purchasing used to get a bump in
performance regardless of the hardware flaw (which will still require software
mitigation and thus have performance degradation).

Most hardware worth using right now has the hardware flaw so you might as well
upgrade (for performance) by purchasing used.

------
taurath
At scale or for personal use?

If at scale, you probably don’t have an option because you need it now.

If for personal use, we don’t know what the fix would look like, or whether
there would be a perf hit. If you can hold off for a few years sure do it, but
it’s not a huge part of the equation now.

How long will this device last you? If less than 2 years buy now.

Honestly very few reasons to wait. Everyone has this problem. The only thing I
might wait for is clarification of the attack surface area of spectre since
that can’t be patched but it seems like it’s difficult to pull off in most
cases.

------
vemv
I'll refrain from buying an iMac Pro (which was on my roadmap) until the
situation is fully clarified.

I mean how frustrated would one feel if it turned out that one spent _that_
amount of money in a computer that should be replaced asap?

------
mhkool
I would wait a month or so to get all information about this topic and
evaluate it. As of now, it seems that AMD has an immediate fix that does not
impact performance while Intel's immediate fix has a large performance impact.
I do not understand why most people want to stick with Intel...

------
chrisper
I just got an 8700k last week. I was thinking about returning it and going with
AMD instead. The truth is, I do not do many tasks on my home computer where
the CPU is going to be at >50% at all times.

The other truth is that Intel CPUs are just faster than AMD CPUs (now with a
few exceptions, but for general use that still applies).

I'd say if you are talking about a large quantity purchase, you should maybe
wait or look for alternatives. Other than that it should not make much
difference for us "normal folks."

Another truth is that there is / was so much misinformation out there.

Finally, I wonder if there are going to be any optimizations to these fixes in
the future?

~~~
danieldk
The cynic in me is amazed how people complain about a loss of 0-30% in
performance on the desktop (depending on the workload), but are completely
happy to replace native applications by Electron applications and/or web
applications. Of course, these may be disjoint sets of people.

I think when it comes to most desktop workloads, the security issues are far
more interesting and serious. And while Meltdown only affects Intel CPUs,
Spectre affects all (?) out-of-order CPUs and there may be more/more effective
attacks in the future. So every fast, modern CPU is pretty much in the same
boat and it will take some time for the dust to settle.

So, I would just stick with the Intel CPU. You can vote with your wallet once
one vendor decides to axe ME/PSP and/or properly mitigates Spectre-type
attacks ;).

~~~
anarazel
> The cynic in me is amazed how people complain about a loss of 0-30% in
> performance on the desktop (depending on the workload), but are completely
> happy to replace native applications by Electron applications and/or web
> applications. Of course, these may be disjoint sets of people

I think this is largely due to faulty bottleneck analysis. I'm not hugely slowed
down overall if the switch to a chat application is 50ms slower, even if I may
notice it. If the tests I need to run at various stages of the development
process are slowed down by 30% however, that might actually be noticeable for
development pace. More likely to context switch to something else / get out of
flow.

~~~
danieldk
Thank you for this comment, it is very insightful.

It's also interesting how perception of these bottlenecks differs. I wouldn't
care much if tests are running 30% slower, I run them in the background from
my editor anyway. I usually tidy up stuff in the meanwhile or git stage some
lines (which needs to be done anyway). However, if an editor has a higher
latency than I am used to, it drives me crazy.

~~~
anarazel
> It's also interesting how perception of these bottlenecks differs. I
> wouldn't care much if tests are running 30% slower, I run them in the
> background from my editor anyway. I usually tidy up stuff in the meanwhile
> or git stage some lines (which needs to be done anyway).

Heh. I do that too, but I'm anxious enough that I rerun tests after finalizing
the commit. I'll still use the time for the tests to finish to do another read
through the commit, but especially when pushing to many supported branches at
the same time, tests still take longer (I work on pg, which has 5 years of
supported back branches...).

> However, if an editor has a higher latency than I am used to, it drives me
> crazy.

Oh yea, but I wouldn't use a web based editor, ever ;). The point I was trying
to make was less about something as central as an editor - where I spend a lot
of my time, fighting for first place besides terminals - but more around
secondary non-critical path stuff like IM.

------
donatj
I was putting serious consideration into an iMac Pro but this has at the least
made me stop to consider the options.

I write and run a ton of multithreaded data processing scripts and really feel
this is going to be a world of hurt for me.

My last fully specced iMac has lasted me eight years, so I might just wait it
out and perhaps pick up something far cheaper in the meantime.

------
dawnerd
I mean if you’re building a pc from scratch you could just factor in some
overclocking to make up some of the performance loss I’d imagine. In the
future we probably just won’t see the advertised speeds of chips increasing
much IF the performance impact is as big as people are saying.

------
VoodooJuJu
I would put off hardware purchases, but for a different reason - crypto
miners. As I was researching parts to buy for a new rig, I realized that just
a few weeks ago, some GPU models were about half the price they currently are.
Apparently, something recently happened with Bitcoin and/or other
cryptocurrencies that caused a spike in mining interest.

------
DeepYogurt
Buy the machine you need when you need it. If you don't need a new machine
right now then yes delay that purchase.

------
vbezhenar
If you want Intel and can wait, I would wait. They should fix the Meltdown bug and
it'll increase performance significantly in some edge cases. I think they'll
release such processor in 2018. Spectre won't be fixed for a long time, so it
should not affect purchase decisions.

~~~
vardump
2018 sounds a bit early. I'd say we'll be lucky to see engineering samples in
2019, generic availability in 2020.

------
Hckr254
If you upgrade your web browser, firmware (if not an Apple or Microsoft
device), and OS you should be more than fine. There's not much else you can do
now anyway, so just upgrade devices based on what features you want in a new
device.

