On 2024-03-15, Salvatore Bonaccorso wrote:
> On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
>> On 2024-03-13, Vagrant Cascadian wrote:
>> > On 2024-03-12, Vagrant Cascadian wrote:
>> >> On 2024-03-12, Salvatore Bonaccorso wrote:
>> > I have now tested an updated 1.4.x package on bookworm and a 1.2.x
>> > package on bullseye, and the reproducer (with a small change for 1.2.x)
>> > was able to reproduce the problem before upgrading to the patched
>> > versions, but not after upgrading to a patched version.
>> >
>> > I've pushed fixes to various branches; debian/latest (for unstable),
>> > debian/bookworm and debian/bullseye:
>> >
>> > https://salsa.debian.org/debian/guix/
>>
>> Attached should be debdiffs for updates for bookworm and bullseye. Let
>> me know if I should upload them or if someone from the security team
>> will!
...
> We had a look, and as per
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
> we think that it does not require a DSA, but a fix in the upcoming
> point releases would be good.
Oh my! I am a bit shocked by this honestly ... why is it treated as a
minor security issue?

I realize Guix is pretty niche in Debian... Nix is perhaps a little more
widely used...

For anyone with Guix or Nix installed, if I understand correctly, it
basically allows arbitrarily replacing the source code for anything that
you might build using Guix or Nix.

> So can you submit it for the point releases? (make sure to adjust the
> target distribution to bullseye respectively bookworm instead of
> *-security).

I can... although, I would like to make a kind and friendly nudge to
reconsider a DSA if at all possible. :)

> Thanks a lot for your work!

Likewise!

live well,
  vagrant