I don't know what Guix's CI system looks like or how packages are queued for building, but if there is a way to prioritize builds for certain packages, I propose that substitutes for packages like ungoogled-chromium should be built as soon as possible once there is a new version. Other security-critical packages with potentially long build times that come to mind are icecat and linux-libre.
ungoogled-chromium receives frequent security updates, so it is
important for users to keep it up-to-date. However, binary substitutes
for the latest version are usually not available, and it can take a
very long time to build from source, possibly multiple days on low-end
hardware. This might tempt or force some users to put off upgrading
the package and run an older, vulnerable version until a binary
substitute is available or they have a chance to set aside the uptime
needed to build from source.
- bug#43075: Prioritize providing substitutes for ... chaosmonk
- bug#43075: Prioritize providing substitutes... Ludovic Courtès
- bug#43075: Prioritize providing substit... zimoun
- bug#43075: Prioritize providing sub... Bengt Richter
- bug#43075: Prioritize providing sub... Mason Hock
- bug#43075: Prioritize providing sub... Ludovic Courtès
- bug#43075: Prioritize providing... zimoun
- bug#43075: Prioritize prov... Ricardo Wurmus
- bug#43075: Prioritize prov... Leo Famulari
- bug#43075: Prioritize prov... Dr. Arne Babenhauserheide
- bug#43075: Prioritize prov... Ludovic Courtès
