nmeum

nmeum, 3 days ago to random

This bogus CVE assignment is getting out of hand. Someone keeps requesting CVEs for the most mundane issues in BusyBox which then creates a support burden on the Alpine end because security scanners start complaining about them, and we need to deal with those complaints somehow. Feels like a lot of time is wasted for nothing really.

nmeum, 1 month ago to haskell

Here is a preprint of fun paper that I've been working on which investigates the utilization of formal descriptions of instruction semantics to perform symbolic binary-level program analysis: https://doi.org/10.48550/arXiv.2404.04132

It includes a prototype implementation in Haskell which performs symbolic execution of RISC-V binary code without requiring the transformation to an intermediate representation (like LLVM IR).

#Haskell #RISCV

nmeum, 1 month ago to haskell

The latest and greatest GHC version (9.8.2) is now available in the Alpine Linux Edge repositories and will be included in the upcoming 3.20 stable release.

#AlpineLinux #Haskell

nmeum, 3 months ago to random

Go 1.22 has landed in Alpine Linux Edge. Took a bit longer than usual due to an upstream bug causing build failures on our armv7 builders: https://github.com/golang/go/issues/65601

#AlpineLinux

nmeum, 4 months ago to golang

TIL: The Go repository includes a compiled version of BoringSSL as a binary blob https://github.com/golang/go/blob/master/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso

#GoLang

nmeum, 5 months ago to rust

Daily reminder that most Linux distros are badly equipped to manage dependencies of Rust/Go and similar statically linked languages. For example, Alpine build scripts just invoke the package manager of these languages. Therefore, Alpine is entirely unaware of the vendored dependencies. This has security implications, e.g. to fix the SSH Terrapin issue it's difficult to even identify packages vendoring vulnerable SSH library versions.

Is there a good fix for this?

#Rust #GoLang #AlpineLinux