Sébastien Gendre <[email protected]> writes:

> For the methods listed here: https://guix.gnu.org/en/download/
> They will all provide the version 1.5.0 of Guix and Guix System, so
> probably the vulnerable version of Guix-daemon ?

Indeed so, 1.5.0 is vulnerable, https://guix.gnu.org/download/ provides
the last release, currently vulnerable 1.5.0.


> For the methods listed here: https://guix.gnu.org/en/download/latest/
> Do they provide all the fixed version of Guix-daemon ?

Continuous Integration, at the time of writing, last built Guix System
and Guix binary on June 16.  I believe this is still vulnerable.


>
> For the method suggested on the manual, there is a bash script to
> download: https://guix.gnu.org/guix-install.sh
> After executing it, does the user get the fixed version of Guix-daemon ?

This script currently downloads from
GNU_URL="https://ftpmirror.gnu.org/gnu/guix/";, which can only be
vulnerable 1.5.0 at the time of writing, despite the GNU bash script
itself is updated more often.

>
> I probably forget other method of installation. But if you get
> information about it, don't hesitate to share it.

There was discussion of offering some more recent Guix archive bundle at
https://codeberg.org/guix/artwork/pulls/61
but it did not happen AFAIK.

Regards,
Florian

Reply via email to