Things #musl libc will never do (broad but not comprehensive):

- Nag you to update.
- Phone home to check if it should nag you to update.
- Tell you a CVE can't be fixed without updating to the latest version.
- Try to force you to switch from glibc to musl.
- Get other software you depend on dependent on musl.
- Rant against "wokeness" or "DEI".
- Integrate "AI" into your libc.
- Give you up.
- Let you down.

Addendum to "things #musl libc will never do":

- Request your age, date of birth, or proof of identity or attempt to report it to applications.

musl 1.2.6 is now available.

For details see the release announcement on the mailing list: https://www.openwall.com/lists/musl/2026/03/20/1

Source link: https://musl.libc.org/releases/musl-1.2.6.tar.gz

Detailed WHATSNEW: https://git.musl-libc.org/cgit/musl/tree/WHATSNEW?id=v1.2.6#n2444

The public key fingerprint for #musl release signatures is:

8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F

Republishing this here now for the first time since our move to Treehouse, to follow a past practice for redundancy of sources of trust.
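
One way to use the fingerprint published above, as an added example that is not part of the original posts or the musl project's own tooling: pin it and accept a release only when gpg reports a valid signature from that exact key. It assumes the key is already imported into the local keyring and that the detached signature is the tarball name with `.asc` appended; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pin the musl release-signing fingerprint quoted in the post.
MUSL_FPR="8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F"

# Normalise a fingerprint: strip whitespace, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the pinned fingerprint (as signing key or as primary key, the last
# field) and no line reports a bad, expired or revoked signature.
status_matches_pin() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_release TARBALL SIGNATURE
# Assumption: SIGNATURE is the detached signature for TARBALL, e.g.
# musl-1.2.6.tar.gz.asc next to musl-1.2.6.tar.gz.
# The exit status is that of the fingerprint check, not of gpg itself, so a
# good signature made by any other key in the keyring is still rejected.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_matches_pin "$MUSL_FPR"
}
```

Comparing the full 40-digit fingerprint, rather than a short key ID or the signer's name, is what makes the republished value useful as a second source of trust.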

While this bug has not been present in any release version, the latest commit to git-master has fixed a buffer overflow in floating point printf introduced in this release cycle: https://git.musl-libc.org/cgit/musl/commit/?id=0ccaf0572e9cccda2cced0f7ee659af4c1c6679a

Only archs with IEEE-quad long double seem to be affected, and only when using the %Le, %Lf, or %Lg format specifier with particular combinations of exponent and mantissa value.

If you are using musl from git master, it's recommended either to upgrade to latest or apply the patch from the above commit.

Traffic down from about 40 GB/day to about 15 GB/day.

This is still orders of magnitude more than is reasonable for a piece of software whose source tree is about 1 MB compressed and whose entire git repo is about 7.5 MB.

Destroy-the-world-every-time CI is a menace.

With this added block, musl infrastructure network traffic is back to "looking normal" not like concerted scraping. Hopefully it remains this way.

Facebook scraper is back, though they don't seem to have been the bulk of the excessive load. Apparently they own a whole IPv6 /29. The entire thing is blocked now at the iptables layer.

If anyone working at Facebook is having trouble legitimately using musl infrastructure, please inform your AI scraper department that they're the reason you can't access what you need and that they'll need to cease that activity and agree not to do it again in order to be unblocked.

Situation should be further improved now. Mitigations that seem to have helped:

- Increasing cgit cache size 100x
- Marking cgit git-blame paths disallowed in robots.txt
- Blocking several large IPv4 and v6 blocks that were doing massive parallel scraping spread across the entire block
- 403'ing requests with OpenAI headers