What's good today? I need a distraction.
@ajroach42 I've been lurking in Freenode #gentoo-hardened, #musl, #libressl, and ##linux-hardened just trying to soak in the knowledge about security and mitigation techniques.
@uranther Anything worth knowing come out of it?
@ajroach42 glibc and the software that depends on it rely on a lot of undefined, non-standard, and undocumented behavior.
I think we knew this already but it can be painful to get into the grit of it when trying to provide #POSIX standards conformance in #musl.
Also, #LibreSSL had (has?) some strange 'alternative' behavior that would do sketchy entropy collection instead of returning an error when /dev/urandom is not available.
@uranther IIRC, that SSL problem has been mitigated??? Dunno, I don't spend enough time in security right now.
glibc honestly scares me though.
@ajroach42 That article was from 2015 so I think it's been mended since then. It just surprised me because I thought the OpenBSD wizards were infallible. 🙂
@ajroach42 Oops - 2014: https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
Also learned about the sad #netsec state of NTP: https://blog.hboeck.de/archives/890-In-Search-of-a-Secure-Time-Source.html & https://lwn.net/Articles/713901/
