Honestly the cure is worse than the disease with these “vulnerabilities.” How do I opt out of the 10-25% performance hit for an extremely speculative vulnerability?


On Linux you can just ignore the intel-ucode package (or whatever it's called) and not update your CPU microcode. BUT, I think they also have mitigations in the kernel, so you would have to not update your kernel, or somehow remove the patches.



The CPU microcode updates are also delivered through motherboard firmware updates, so you'd have to avoid those too. But some of the microcode updates permit more efficient mitigations, so unless you can completely avoid software updates with mitigations, you might actually want some of the microcode updates.


For most of the mitigations there are kernel parameters to disable them if you wish to do so.


In Linux you can disable mitigations with kernel parameters.
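Before touching those kernel parameters it helps to know what the running kernel actually reports. The script below is an added example, not code from the thread: it reads the kernel's per-vulnerability status files under `/sys/devices/system/cpu/vulnerabilities/` (a real sysfs location), classifies each as not affected, mitigated or vulnerable, and flags a boot command line that globally disabled mitigations with the real `mitigations=off` parameter. The sample status lines, the temporary directory and the assumed script name `specmit.sh` are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: audit a Linux host's speculative-execution mitigation status
# from the kernel's own sysfs reports. Sample data below is constructed.

# Classify one status string as the kernel formats it:
#   "Not affected"     -> not_affected
#   "Mitigation: ..."  -> mitigated
#   "Vulnerable..."    -> vulnerable (covers "Vulnerable: <detail>" too)
#   anything else      -> unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Walk a vulnerabilities directory (default: the live sysfs one) and print
# "<name> <class> <raw status>" per entry. Returns 1 if any entry is vulnerable.
audit_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-24s %-13s %s\n' "$name" "$class" "$status"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# True (0) when the given kernel command line carries the real global
# "mitigations=off" parameter; takes the cmdline text as its argument.
cmdline_disables_mitigations() {
    case " $1 " in
        *" mitigations=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample directory mimicking the sysfs file format (offline use).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: Retpolines; IBPB: conditional\n' > "$d/spectre_v2"
    printf 'Vulnerable\n' > "$d/l1tf"
    printf 'Not affected\n' > "$d/srbds"
    echo "$d"
}

main() {
    if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
        dir=/sys/devices/system/cpu/vulnerabilities
    else
        dir=$(make_sample_dir)
        echo "(no sysfs vulnerabilities directory here; using constructed sample in $dir)"
    fi
    if [ -r /proc/cmdline ] && cmdline_disables_mitigations "$(cat /proc/cmdline)"; then
        echo "WARNING: kernel was booted with mitigations=off"
    fi
    audit_mitigations "$dir"   # exit status 1 if anything is reported Vulnerable
}

# Only run the audit when executed as specmit.sh (assumed file name), so the
# functions can also be sourced from another script.
case "${0##*/}" in specmit.sh) main ;; esac
```

Run it as `sh specmit.sh` on the host in question; a non-zero exit status means at least one entry still reads `Vulnerable`, which is the state you are choosing when you boot with mitigations disabled or skip the microcode update.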


“Speculative” does not mean this isn’t a vulnerability. It is describing execution that happens when the CPU guesses which code will execute after a condition. There is a vulnerability with speculative execution, not a speculative vulnerability with execution.


Agreed, I think the nuance here is that in compsci terms "speculative" tends to mean "ok, so I can prove architecturally that this is 100% possible. I simply lack (either) the labor hours needed to write code (or) the hardware/money resources to get this in place." Within the bounds of infosec these types of proofs are taken very seriously on the principle of "if I figured this out with my shitty home lab, people with serious resources can't be far behind." Additionally, responsible disclosure in this space generally means that originators of vulns usually get an undisclosed first shot at fixing problems like this, and they only get published wide in this way when the fix is so serious and will require so much time that companies disclose them to avoid being held legally responsible for fraud at some later date.


To be clear, this isn’t that type of speculative but rather https://en.m.wikipedia.org/wiki/Speculative_execution


Don't apply updates. For desktop computers the risk is practically non-existent. Servers and VPSs are the ones taking the hit.


I think this is bad advice. Yes, there is a performance hit, but chances are any eventual malware (which, let's be honest, if it doesn't already exist is being written as we speak) that exploits these vulns will in its execution probably impact your system with a negative performance hit.

The "don't apply the updates" argument in security is basically philosophically comparable to the antivax movement.


> The "don't apply the updates" argument in security is basically philosophically comparable to the antivax movement

As long as you also apply the quarantine principle when relevant. And herd immunity, both applied backwards:

Quarantine for when you run code that's under your control, like an HPC cluster; the biggest dangers from these vulnerabilities are when you're running completely random code supplied by others, JavaScript in browsers for normal users, and the multi-tenant systems of cloud providers.

Herd size matters because the bigger the herd, the larger the number of potentially vulnerable systems. IBM mainframe chips are vulnerable to Meltdown and Spectre, but there are hardly as many of them as x86 systems. Although the payoff of compromising them is likely to be disproportionately high.


I still want the fixes for actual vulnerabilities though.



