On 2025-06-25, Salvatore Bonaccorso wrote:
CVE-2025-46415[0], CVE-2025-46416[1], CVE-2025-52991[2],
CVE-2025-52992[3], CVE-2025-52993[4].
The upstream patchset to fix this is comingled with a lot of other
upstream changes, but there is some work and discussion about
backporting the needed fixes:
https://lists.gnu.org/archive/html/guix-devel/2025-07/msg00098.html
But the comingling with other changes makes this trickier than in the past.
I've just managed for the first time to get something to compile at all
with the security fixes applied:
https://codeberg.org/GNUtoo/guix-security-fixes/commits/branch/guix-1.4.0-2025-security-fixes
But that also includes all the other unrelated changes, although it
fails a few new tests now...
Guix is basically a rolling release model, and up till recently, there
had been little active development on the affected parts other than
security fixes, so previous security fixes were a bit more reasonable to
apply, even across pretty old versions... but here we are right now.
Curiously, those "unrelated" changes are actually to allow running
guix-daemon as an unprivledged user, which has obvious security
benefits! ... Just not appropriate for Debian's typical security update
model.
I am not sure about the future of Guix in Debian at this point, but if
we can actually get a few people working together on backporting the
security fixes (either officially or unofficially), obviously that will
help!
live well,
vagrant
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCaHa31wAKCRDcUY/If5cW qpotAQChQyOjEZt//ufmimpUaqdX/dVdsWSzWBCsChrUx5iYWgEA+ZL9K8/zcEYv KbkUwX7VvhhTIBKFDSkYXnIZAbwCNQ4=
=OQqq
-----END PGP SIGNATURE-----
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)