Login

Recent searches

No recent searches

Search options

Only available when logged in.
fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Administered by:

Server stats:

10K
active users

fosstodon.org: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.6

Public
musl libc

OpenSSH sshd on musl-based systems is not vulnerable to RCE via CVE-2024-6387 (regreSSHion).

This is because we do not use localtime in log timestamps and do not use dynamic allocation (because it could fail under memory pressure) for printf formatting.

While the sshd bug is UB (AS-unsafe syslog call from signal context), very deliberate decisions we made for other good reasons reduced the potential impact to deadlock taking a lock.

Public
Dušan Mitrović

@musl I'll use musl when most software I use doesn't depend on glibc extensions.

Public
Haelwenn /элвэн/ :triskell:
@dusnm @musl What kind of extensions? Most of the common stuff is in musl, similarly to what one would expect on say a BSD.

And then most musl distros also have packages like {argp,fts,obstack,queue,rpmatch}-standalone and libucontext.

Like the vast majority of packages masked for musl in gentoo are binaries and stuff which probably needs some patching: https://gitweb.gentoo.org/repo/gentoo.git/tree/profiles/features/musl/package.mask
gitweb.gentoo.orgpackage.mask « musl « features « profiles - repo/gentoo.git - Official Gentoo ebuild repositoryBrowse the Gentoo Git repositories
Public
Dušan Mitrović

@lanodan @musl Most notably, NVIDIA drivers only work on glibc systems.

Public
d@nny mc²

@dusnm @lanodan @musl do they only work because they've been linked against glibc, or do they depend on any particulars of glibc? their drivers are usually distributed as a shell script with an embedded zip file, so separating then unzipping the zip may be a way to investigate the dependency. i believe it's usually possible to edit shared lib dependencies to point to musl libc although i may be wrong depending on how they package it. i'm under the impression that the drivers themselves are kernel modules and cannot link against userspace libc, even if their installer requires it for the little curses interface it provides. nvidia tries very hard to make it extremely difficult to use alternative software stacks anyway as it's a cornerstone of the monopoly their investors demand, but musl libc should be one of the least difficult components to swap in

Public
Dušan Mitrović

@hipsterelectron @lanodan @musl The fact of the matter, to me at least, is that I won't switch what definitely works for what might eventually work. Not a dig at musl at all, I'm just unwilling to make the effort. Plain and simple. I'm not a systems programmer and I don't pretend to be one. For the most part, I just expect the default configuration to work. My fiddling days are gone.

Public
d@nny mc²

@dusnm my work is specifically on build/packaging/deploy systems so scientists can do science

Dušan Mitrović

@hipsterelectron And I have nothing but respect for people like you. Like I said, not a dig at what other people do. Honestly, I didn't expect my one remark to spawn such a serious discussion. 😅

Jul 02, 2024, 11:32 AM·Public
0boosts·1favorite
ExploreLive feeds
About