While this bug has not been present in any release version, the latest commit to git-master has fixed a buffer overflow in floating point printf introduced in this release cycle: https://git.musl-libc.org/cgit/musl/commit/?id=0ccaf0572e9cccda2cced0f7ee659af4c1c6679a

Only archs with IEEE-quad long double seem to be affected, and only when using the %Le, %Lf, or %Lg format specifier with particular combinations of exponent and mantissa value.

If you are using musl from git master, it's recommended either to upgrade to latest or apply the patch from the above commit.

While this bug has not been present in any release version, the latest commit to git-master has fixed a buffer overflow in floating point printf introduced in this release cycle: https://git.musl-libc.org/cgit/musl/commit/?id=0ccaf0572e9cccda2cced0f7ee659af4c1c6679a

Only archs with IEEE-quad long double seem to be affected, and only when using the %Le, %Lf, or %Lg format specifier with particular combinations of exponent and mantissa value.

If you are using musl from git master, it's recommended either to upgrade to latest or apply the patch from the above commit.

Traffic down from about 40 GB/day to about 15 GB/day.

This is still orders of magnitude more than is reasonable for a piece of software whose source tree is about 1 MB compressed and whose entire git repo is about 7.5 MB.

Destroy-the-world-every-time CI is a menace.

With this added block, musl infrastructure network traffic is back to "looking normal" not like concerted scraping. Hopefully it remains this way.

Facebook scraper is back, though they don't seem to have been the bulk ot the excessive load. Apparently they own a whole IPv6 /29. The entire thing is blocked now at the iptables layer.

If anyone working at Facebook is having trouble legitimately using musl infrastructure, please inform your AI scraper department that they're the reason you can't access what you need and that they'll need to cease that activity and agree not to do it again in order to be unblocked.

Situation should be further improved now. Mitigations that seem to have helped:

- Increasing cgit cache size 100x
- Marking cgit git-blame paths disallowed in robots.txt
- Blocking several large IPv4 and v6 blocks that were doing massive parallel scraping spread across the entire block
- 403'ing requests with OpenAI headers

git:// protocol was down for most of the day as unintended fallout of the DDoS clean-up. It should be back to normal now.

@serebit Yes, and it's been reported to the abuse contact address listed in whois data.

Guilty party seems to be Facebook. The attacks on musl infrastructure are coming from an iteration of the space of bits 48..63 under 2a03:2880:f800::/48, and the whole /29 reportedly (per whois data) belongs to Facebook (IE-FACEBOOK-201100822).

The musl libc web & git infrastructure has been receiving heavy levels of DDOS-scale abuse today, probably from LLM crawlers. We're in the process of identifying and blocking the guilty IP blocks.

@memdmp https://social.treehouse.systems/@musl/114665803736009196 😁

@dysfun See: "not comprehensive" 😂

Things #musl libc will never do (broad but not comprehensive):

- Nag you to update.
- Phone home to check it if should nag you to update.
- Tell you a CVE can't be fixed without updating to the latest version.
- Try to force you to switch from glibc to musl.
- Get other software you depend on dependent on musl.
- Rant against "wokeness" or "DEI".
- Integrate "AI" into your libc.
- Give you up.
- Let you down.

Details on progress in this post to the #musl mailing list: https://www.openwall.com/lists/musl/2025/06/11/1

Actual draft code repo is now up too, at https://github.com/richfelker/musl-uca-draft

Update on #musl LC_COLLATE work: NFD code is functional and Unicode test vectors for normalization to NFD all pass.

.rodata 14161 bytes
.text 1089 bytes

🎉

One consequence of the move to Treehouse, which was not planned or intended, is that if Treehouse goes through with plans to defederate Fosstodon on July 1, this account will lose A LOT of followers.

During the migration I saw how many, because, with the instance already being "limited", I had to manually approve each follow request.

If you're following from Fosstodon, don't plan to move, and want to continue following, please express to the admins that you want to see the sort of meaningful changes needed to turn the instance around.

As for the choice of Treehouse Systems, this was the outcome of a long delay trying to find the right place to move to.

What it came down to is that:

- Shared values on safety and moderation: Particularly on the type of situation that led to this move.

- Shared values on the responsibilities of an instance: Not to play games with defederation, ragequitting, etc. and break people's social graphs without adequate notice and chance to move.

- Connection to community: Lots of people and projects using musl are already associated with Treehouse.

This thread by @ariadne on Treehouse's intent to defederate from Fosstodon lays out more details, in more diplomatic terms:

https://social.treehouse.systems/@ariadne/114632131776730666

I (@dalias) have tried my best to engage with the new Fosstodon admin in good faith on what mistakes they're making, only to be met with assertions that their comfort is more important than marginalized folks' safety on their instance. I cannot in good conscience ask folks to maintain a relationship with Fosstodon in order to follow #musl libc updates on the fedi.

@musl@fosstodon.org The immediate cause for this move is that the admin and moderation staff at Fosstodon have proven themselves untrustworthy and unsafe.

Following an incident in which a person on their moderation staff was found to be using moderation privileges specifically and intentionally to harm LGBTQ folks, Fosstodon claimed to have "cleaned house" and committed to change.

The new admin immediately proceeded to recruit mods with the exact same values, and dug in and tone policed when challenged on that.

Fosstodon is proving itself a "nazi bar instance".

Effective immediately, musl libc presence on the fediverse is moving from Fosstodon to Treehouse Systems. Further details on the reasons for the move and choice of Treehouse will follow from the new account, @musl@treehouse.systems.