Source: guix
Version: 1.4.0-3
Severity: serious

Due to recent security issues exposed in guix, and active development on
guix-daemon, it has become difficult to backport security updates:

  https://bugs.debian.org/1108318

All previous security updates were possible largely because upstream had
not changed much, but that is no longer the case. Guix has not had a
release in several years, and the recent security updates are commingled
with unrelated changes in the guix-daemon code.

Given that there are significant security vulnerabilities, it seems like
it would be appropriate, at least for the foreseeable future, to remove guix
from Debian testing, stable, oldstable, oldoldstable, etc.

Whether it should be removed from Debian unstable is still an open
question...


An alternative approach would be to disable guix-daemon and use the "GNU
Guix binary" distribution:

  https://guix.gnu.org/en/download/latest/

Or building guix-daemon with an updated guix (e.g. guix pull), and then
configuring the guix-daemon service to use the daemon provided by
"guix pull".

I have not yet tested the migration path to either of these
alternatives, though I have moderate confidence that it should work...


live well,
  vagrant

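The second alternative sketched in the report (run the daemon that "guix pull" builds instead of the packaged one) can be wired up with a systemd drop-in. The script below is an added example written for this page; it is not part of the bug report, the Debian package, or the Guix project. It assumes that the Debian unit is named guix-daemon.service and runs as root, that "guix pull" run as root leaves its profile at /var/guix/profiles/per-user/root/current-guix, and that the build users are in the guixbuild group; the function names (render_dropin, install_dropin, verify_daemon) and the drop-in file name are the example's own. The one check worth keeping is the refusal to write the override when the pulled daemon binary does not exist, since an ExecStart pointing at a missing file leaves the service unable to start at all.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Guix/Debian.
# Points the packaged guix-daemon.service at the guix-daemon built by
# "guix pull" (run as root), using a systemd drop-in override.
# Assumed paths/names (not stated in the report): unit name
# guix-daemon.service, root's pulled profile under /var/guix/profiles,
# build group guixbuild, drop-in file use-pulled-daemon.conf.
set -eu

PULLED_PROFILE="${PULLED_PROFILE:-/var/guix/profiles/per-user/root/current-guix}"
BUILD_GROUP="${BUILD_GROUP:-guixbuild}"

# Print the drop-in text for a given profile and build group. The empty
# "ExecStart=" line clears the packaged command first; systemd rejects a
# second ExecStart for a simple service unless the list is reset this way.
render_dropin() {
    profile="$1"
    group="$2"
    printf '[Service]\nExecStart=\nExecStart=%s/bin/guix-daemon --build-users-group=%s\n' \
        "$profile" "$group"
}

# Write the drop-in under DIR (default /etc/systemd/system). Fails before
# touching anything if the pulled daemon is not an executable file, so a
# typo in the profile path cannot leave the service with no daemon at all.
install_dropin() {
    dir="${1:-/etc/systemd/system}"
    profile="${2:-$PULLED_PROFILE}"
    group="${3:-$BUILD_GROUP}"
    daemon="$profile/bin/guix-daemon"
    if [ ! -x "$daemon" ]; then
        echo "no executable at $daemon; run 'guix pull' as root first" >&2
        return 1
    fi
    mkdir -p "$dir/guix-daemon.service.d"
    render_dropin "$profile" "$group" \
        > "$dir/guix-daemon.service.d/use-pulled-daemon.conf"
}

# On a live system: show which binary the unit now resolves to and what
# version that binary reports, so the override can be confirmed after
# "systemctl daemon-reload && systemctl restart guix-daemon".
verify_daemon() {
    profile="${1:-$PULLED_PROFILE}"
    systemctl show -p ExecStart guix-daemon.service
    "$profile/bin/guix-daemon" --version
}

# Typical use (root): install_dropin && systemctl daemon-reload \
#   && systemctl restart guix-daemon && verify_daemon
```

Note that this only replaces the daemon; the /usr/bin/guix client shipped by Debian stays as it is, and users who want the updated client as well need to run "guix pull" under their own account and use the resulting ~/.config/guix/current/bin/guix.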