Post AjV9itraXmqVo6RPAe by dusnm@fosstodon.org
 (DIR) Post #AjUWVasFwCiQw6PwcC by musl@fosstodon.org
       2024-07-01T14:52:00Z
       
       2 likes, 3 repeats
       
       OpenSSH sshd on musl-based systems is not vulnerable to RCE via CVE-2024-6387 (regreSSHion). This is because we do not use localtime in log timestamps and do not use dynamic allocation (because it could fail under memory pressure) for printf formatting. While the sshd bug is UB (AS-unsafe syslog call from signal context), very deliberate decisions we made for other good reasons reduced the potential impact to deadlock taking a lock.
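
The bug class named in the post above (an AS-unsafe syslog call from signal context), as an added example that is not part of the thread and is not OpenSSH or musl code: a handler that logs directly, beside one that only sets a flag and leaves logging to the main loop. The function names and the log message are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <string.h>
#include <syslog.h>

/* Added example; all names and the log text are constructed. */
static volatile sig_atomic_t grace_expired = 0;

/* UNSAFE: syslog() is not async-signal-safe. Depending on the libc it can
 * take a lock, call localtime, or allocate while formatting, and the
 * signal may have interrupted the main program in the middle of one of
 * those same operations. Shown for contrast; never installed here. */
void on_grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "login grace time expired");
}

/* SAFE: the handler touches nothing but a volatile sig_atomic_t flag. */
static void on_grace_alarm(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install the safe handler for SIGALRM. Returns 0 on success. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_grace_alarm;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop, in normal context, where syslog() is fine.
 * Returns 1 if a timeout was pending and has now been logged, else 0. */
int drain_grace_event(void)
{
    if (!grace_expired)
        return 0;
    grace_expired = 0;
    syslog(LOG_INFO, "login grace time expired");
    return 1;
}

int main(void)
{
    if (install_grace_handler() != 0)
        return 1;
    raise(SIGALRM);                      /* stand-in for the real timer */
    return drain_grace_event() == 1 ? 0 : 1;
}
```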
       
 (DIR) Post #AjV9itraXmqVo6RPAe by dusnm@fosstodon.org
       2024-07-01T21:16:22Z
       
       0 likes, 0 repeats
       
       @musl I'll use musl when most software I use doesn't depend on glibc extensions.
       
 (DIR) Post #AjV9iuzQM8hxIh7B1U by lanodan@queer.hacktivis.me
       2024-07-01T23:11:45.623290Z
       
       1 likes, 0 repeats
       
       @dusnm @musl What kind of extensions? Most of the common stuff is in musl, similarly to what one would expect on say a BSD. And then most musl distros also have packages like {argp,fts,obstack,queue,rpmatch}-standalone and libucontext. Like the vast majority of packages masked for musl in gentoo are binaries and stuff which probably needs some patching: https://gitweb.gentoo.org/repo/gentoo.git/tree/profiles/features/musl/package.mask
       
 (DIR) Post #AjWIU0QMxgJ8YcdsRs by dusnm@fosstodon.org
       2024-07-02T08:27:06Z
       
       1 likes, 0 repeats
       
       @hipsterelectron @lanodan @musl The fact of the matter, to me at least, is that I won't switch what definitely works for what might eventually work. Not a dig at musl at all, I'm just unwilling to make the effort. Plain and simple. I'm not a systems programmer and I don't pretend to be one. For the most part, I just expect the default configuration to work. My fiddling days are gone.
       
 (DIR) Post #AjYqymDRcjbEE2MQnA by dalias@hachyderm.io
       2024-07-02T03:09:03Z
       
       1 likes, 0 repeats
       
       @dusnm @musl The point isn't always getting you to use it. Use what works for you. Sometimes the point is proving the benefits of the implementation choices we made and encouraging their adoption. A big motivation of musl has always been motivating glibc to be better, so you win even if you don't use it.