Hi João.

On distribution other than Guix System, the upgrade of the guix-daemon
is done by a `guix pull` with the root account then a restart of the
guix-daemon. To avoid being subject to the vulnerability during this
upgrade, you can add `--no-substitutes` to the pull command. But it will
take some times, as it will build Guix and its dependencies from sources.

This will give you:

sudo --login guix pull --no-substitutes
sudo systemctl restart guix-daemon.service


In hope it help.

Best regards

-------
Gendre Sébastien



João Augusto <[email protected]> writes:

> Hi all, just read the thread.
>
> As I recently installed the system on top of a Debian distribution and ran 
> `guix pull` and then `guix upgrade`. Would that fix the vulnerabilities, 
> since we are using the latest commit?
>
> Also, maybe would be good to just include a heads-up in the installation 
> guide, at least until the next release?
>
> Sorry if this is somewhat a dumb idea or question, I'm pretty new to the 
> system.
>
>
>
>
> João Augusto
>
> -------- Original Message --------
> On Saturday, 07/11/26 at 10:55 Tomas Volf <[email protected]> wrote:
> Sébastien Gendre <[email protected]> writes:
>
>> Thank you for your reply.
>>
>> Do you know if using `guix time-machine' from a fixed version of
>> Guix-daemon could bring back the vulnerability during the time of the
>> transaction ?
>
> I am pretty sure that should not be possible.  All the fixes were in
> guix-daemon, and that is being managed by shepherd or some other service
> manager.  guix-time-machine controls the Guix version used, but it still
> speak to the same guix-daemon instance as you would without the time
> travel.
>
> At least that is how I understand it.
>
> Tomas

Attachment: signature.asc
Description: PGP signature

Reply via email to