How about applying the security fixes on top of 1.5.0, and releasing that as 
1.5.1?

Le 11 juillet 2026 11:54:37 GMT+02:00, "pelzflorian (Florian Pelz)" 
<[email protected]> a écrit :
>Sébastien Gendre <[email protected]> writes:
>
>> For the methods listed here: https://guix.gnu.org/en/download/
>> They will all provide the version 1.5.0 of Guix and Guix System, so
>> probably the vulnerable version of Guix-daemon ?
>
>Indeed so, 1.5.0 is vulnerable, https://guix.gnu.org/download/ provides
>the last release, currently vulnerable 1.5.0.
>
>
>> For the methods listed here: https://guix.gnu.org/en/download/latest/
>> Do they provide all the fixed version of Guix-daemon ?
>
>Continuous Integration, at the time of writing, last built Guix System
>and Guix binary on June 16.  I believe this is still vulnerable.
>
>
>>
>> For the method suggested on the manual, there is a bash script to
>> download: https://guix.gnu.org/guix-install.sh
>> After executing it, does the user get the fixed version of Guix-daemon ?
>
>This script currently downloads from
>GNU_URL="https://ftpmirror.gnu.org/gnu/guix/";, which can only be
>vulnerable 1.5.0 at the time of writing, despite the GNU bash script
>itself is updated more often.
>
>>
>> I probably forget other method of installation. But if you get
>> information about it, don't hesitate to share it.
>
>There was discussion of offering some more recent Guix archive bundle at
>https://codeberg.org/guix/artwork/pulls/61
>but it did not happen AFAIK.
>
>Regards,
>Florian
>

Reply via email to