The month opened with Meltdown and Spectre, the speculative-execution flaws that turned a clever CPU optimisation into a way to read memory you've no business reading. Both arrived with the full kit: a logo, a tidy website, a catchy name. We've been doing this since Heartbleed, and I still can't decide whether the branding helps or just makes my manager forward me the press release instead of the advisory.
The branding does one useful thing, mind. It gets the non-technical people to take it seriously, which means the patching budget appears without a three-week argument. That's not nothing. But it also flattens a genuinely subtle pair of bugs into "the scary one with the ghost picture", and Spectre in particular is not the kind of thing you patch once and forget. It's a class of attack, not a single hole.
For me the real story these past few weeks hasn't been the science; it's been the grind. KPTI landed in the kernels, the microcode updates dribbled out from the vendors, some of them got pulled again for causing spontaneous reboots, and every box in the fleet needed touching. The performance hit is real and it's workload-dependent, so "how much slower are we now" became an actual measurement exercise rather than a shrug.
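Added example, not from the original post: a small POSIX shell helper that reads the kernel's own mitigation status from /sys/devices/system/cpu/vulnerabilities (present since Linux 4.15), which is the quickest per-host check that KPTI and the Spectre mitigations actually took after all that touching. The sample directory and its status strings are constructed for illustration; the directory path is a parameter so the same function can be pointed at the real sysfs tree.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the kernel's report of
# Meltdown/Spectre mitigation status under /sys/devices/system/cpu/vulnerabilities.
# The directory is a parameter so the function can be run against a constructed
# sample; on a real host call it with no argument.

# Print one line per vulnerability file: NAME<TAB>STATUS<TAB>VERDICT.
# VERDICT is "ok" for "Not affected" or "Mitigation: ...", "vulnerable" for
# "Vulnerable...", and "unknown" for anything else. Returns 1 if any entry is
# not "ok", so it can gate a fleet-wide job.
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir (kernel too old to report mitigation status?)" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"|Mitigation:*) verdict=ok ;;
            Vulnerable*) verdict=vulnerable; rc=1 ;;
            *) verdict=unknown; rc=1 ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$status" "$verdict"
    done
    return $rc
}

# Count entries still reported vulnerable; handy for a dashboard per host.
count_vulnerable() {
    report_mitigations "$1" | awk '$NF == "vulnerable"' | wc -l | tr -d ' '
}

# Build a constructed sample directory resembling a half-patched host:
# PTI is on, the Spectre v1 sanitisation is on, but v2 still reports vulnerable.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}
```

On a real host, `report_mitigations` with no argument reads the live sysfs tree. A file that is missing from the directory means the running kernel does not know about that issue yet, which is a finding in itself. This check says nothing about the performance cost; that is still the measurement exercise described above.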
What stays with me is the reminder that the abstractions we lean on are leaky all the way down. We trust that a process can't read another's memory because the hardware says so, and here was the hardware saying "well, mostly". A logo can't fix that. A patch cycle that never quite ends is the price, and it's the price whether or not the bug came with a website.