One interesting piece of information from this post is that Intel notified Ubuntu about the issue on November 9. Project Zero notified Intel on June 1, so it took over 5 months before they passed it on to Ubuntu (and even longer for the other vendors).
That seems like an extremely long time to me, when it (I assume) was pretty obvious that it was going to require OS changes to mitigate.
Why would Ubuntu need to be notified? Fixes for this are going to be at the Linux Kernel level or (at most) Debian upstream. Canonical shouldn't need to do anything?
If some fixes can be applied via microcode, then the distros will have to be provided the updated microcode. The kernel (mostly) does not handle CPU microcode distribution.
> To address the issue, updates to the Ubuntu kernel and processor microcode will be needed. These updates will be announced in future Ubuntu Security Notices once they are available.
> The original coordinated disclosure date was planned for January 9 and we have been driving toward that date to release fixes. Due to the early disclosure, we are trying to accelerate the release, but we don't yet have an earlier ETA when the updates will be released.
People started figuring out some details about the vulnerability from various public sources (Linux kernel development, previously published security research), and it was getting a lot of media/internet attention.
> We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.