finally, the embargo on this issue was not helpful; as we have seen with the rushed KAISER backport, it just led to bad solutions in the LTS branches, making them no longer usable.
the only usable branch with a mitigation is the current stable or mainline.
there will be more discussion tomorrow about the exact nature of any future plans/collaborations concerning grsecurity, but right now grsecurity is going to be 100% out.
that's why we waited to see how the backports played out before just pushing things in a hurry.
when you hurry to "fix" things, most of the time you just make them worse.
from what we have seen, having KAISER is worse than not having it, because it exposes the kernel stack during context switches. if that's not useful for rooting a box, i don't know what is...
#alpinelinux will drop linux-hardened because KPTI is not easily adjusted for PaX (by us anyway).
linux-vanilla will be upgraded to 4.14.13 which is non-LTS, but has a proper KPTI implementation instead of KAISER (which is hanging on several people's systems).
the linux-hardened -> linux-vanilla transition will be done in 3.5/3.6/3.7 as well, all to linux kernel 4.14.13, after some vetting is done in edge.
whether linux-{grsec,hardened} is removed in entirety from the releases is still being decided.
upgrading to linux-vanilla 4.14.13 when it hits the release repos is strongly encouraged, given the severity of the meltdown and spectre bugs.
Programming languages and compilers should NOT be parsing untrusted input (such as the output from pkgconf).
Instead, compilers should verify the fragment list generated by libpkgconf and use that to reassemble the shell fragments after verifying they are sane.
Again, this is the whole point of why libpkgconf is a thing.
I broke Go. I don't feel bad. They should have understood that "POSIX shell fragments" means "POSIX shell fragments," not "\ is used to escape spaces".
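The parsing rule the posts above argue for, as an added Python example that is not pkgconf's, libpkgconf's or Go's own code: a naive "backslash escapes a space" splitter beside POSIX shell-word splitting, followed by the fragment validation and re-quoting the post recommends. The sample pkg-config output and the flag allowlist regex are constructed assumptions for this example.

```python
import re
import shlex

# Constructed sample pkg-config output (not from real .pc files): a prefix with a
# space, once in POSIX-quoted form and once in "backslash escapes a space" form.
SAMPLE_QUOTED = "-I'/opt/my lib/include' -DNAME=\"hello world\" -L'/opt/my lib' -lfoo"
SAMPLE_BACKSLASH = "-I/opt/my\\ lib/include -L/opt/my\\ lib -lfoo"

# Allowlist of fragment shapes a compiler driver should expect from pkg-config.
# Assumption for this example, not libpkgconf's own fragment rules.
FRAGMENT_RE = re.compile(r"-(?:[ILlDWfm]|std=|pthread)[^\x00-\x1f]*")


def naive_split(text):
    """Split on spaces, honouring only '\\ ' as an escape (the model the post criticises)."""
    words, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and text[i + 1:i + 2] == " ":
            cur += " "
            i += 2
        elif text[i] == " ":
            if cur:
                words.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    if cur:
        words.append(cur)
    return words


def posix_split(text):
    """Split into POSIX shell words: quotes and backslashes handled as the shell would."""
    return shlex.split(text, posix=True)


def validate_fragments(fragments):
    """Accept only fragments that look like compiler flags; reject everything else."""
    for frag in fragments:
        if not FRAGMENT_RE.fullmatch(frag):
            raise ValueError(f"unexpected fragment: {frag!r}")
    return list(fragments)


def parse_pc_output(text):
    """Parse as shell words, validate, then re-quote each fragment for safe reassembly."""
    fragments = validate_fragments(posix_split(text))
    return fragments, " ".join(shlex.quote(f) for f in fragments)
```

Quoted paths and `-D` values with spaces are where the two splitters diverge; the backslash-only form happens to agree, which is why the naive model looks correct until a .pc file uses quotes.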