Recent searches
Search options
OpenSSH sshd on musl-based systems is not vulnerable to RCE via CVE-2024-6387 (regreSSHion).
This is because we do not use localtime in log timestamps and do not use dynamic allocation (because it could fail under memory pressure) for printf formatting.
While the sshd bug is UB (AS-unsafe syslog call from signal context), very deliberate decisions we made for other good reasons reduced the potential impact to deadlock taking a lock.
@musl thanks that was what I was looking for!
(plz hire me) @musl common musl w
@musl things like this are why I enjoy using musl
@musl I'll use musl when most software I use doesn't depend on glibc extensions.
@dusnm @musl in @spack we have recently parameterized the choice of libc, currently focused on separate glibc versions but i have been making small fixes for alpine support for a bit and musl libc support is absolutely part of the goal for the parameterized libc. spack is not a distro but i have been pitching it to distros to use as an implementation detail
And then most musl distros also have packages like {argp,fts,obstack,queue,rpmatch}-standalone and libucontext.
Like the vast majority of packages masked for musl in gentoo are binaries and stuff which probably needs some patching: https://gitweb.gentoo.org/repo/gentoo.git/tree/profiles/features/musl/package.mask
@dusnm @lanodan @musl do they only work because they've been linked against glibc, or do they depend on any particulars of glibc? their drivers are usually distributed as a shell script with an embedded zip file, so separating then unzipping the zip may be a way to investigate the dependency. i believe it's usually possible to edit shared lib dependencies to point to musl libc although i may be wrong depending on how they package it. i'm under the impression that the drivers themselves are kernel modules and cannot link against userspace libc, even if their installer requires it for the little curses interface it provides. nvidia tries very hard to make it extremely difficult to use alternative software stacks anyway as it's a cornerstone of the monopoly their investors demand, but musl libc should be one of the least difficult components to swap in
@hipsterelectron @lanodan @musl The fact of the matter, to me at least, is that I won't switch what definitely works for what might eventually work. Not a dig at musl at all, I'm just unwilling to make the effort. Plain and simple. I'm not a systems programmer and I don't pretend to be one. For the most part, I just expect the default configuration to work. My fiddling days are gone.
@dusnm my work is specifically on build/packaging/deploy systems so scientists can do science
@hipsterelectron And I have nothing but respect for people like you. Like I said, not a dig at what other people do. Honestly, I didn't expect my one remark to spawn such a serious discussion. 
@dusnm @musl The point isn't always getting you to use it. Use what works for you. Sometimes the point is proving the benefits of the implementation choices we made and encouraging their adoption. A big motivation of musl has always been motivating glibc to be better, so you win even if you don't use it.