How about applying the security fixes on top of 1.5.0, and releasing that as 1.5.1?
Le 11 juillet 2026 11:54:37 GMT+02:00, "pelzflorian (Florian Pelz)" <[email protected]> a écrit : >Sébastien Gendre <[email protected]> writes: > >> For the methods listed here: https://guix.gnu.org/en/download/ >> They will all provide the version 1.5.0 of Guix and Guix System, so >> probably the vulnerable version of Guix-daemon ? > >Indeed so, 1.5.0 is vulnerable, https://guix.gnu.org/download/ provides >the last release, currently vulnerable 1.5.0. > > >> For the methods listed here: https://guix.gnu.org/en/download/latest/ >> Do they provide all the fixed version of Guix-daemon ? > >Continuous Integration, at the time of writing, last built Guix System >and Guix binary on June 16. I believe this is still vulnerable. > > >> >> For the method suggested on the manual, there is a bash script to >> download: https://guix.gnu.org/guix-install.sh >> After executing it, does the user get the fixed version of Guix-daemon ? > >This script currently downloads from >GNU_URL="https://ftpmirror.gnu.org/gnu/guix/", which can only be >vulnerable 1.5.0 at the time of writing, despite the GNU bash script >itself is updated more often. > >> >> I probably forget other method of installation. But if you get >> information about it, don't hesitate to share it. > >There was discussion of offering some more recent Guix archive bundle at >https://codeberg.org/guix/artwork/pulls/61 >but it did not happen AFAIK. > >Regards, >Florian >
