Hi David,

There are two high-severity security flaws in spice that are apparently
fixed in spice-0.12.8:  CVE-2016-0749 and CVE-2016-2150

  https://lwn.net/Articles/697698/
  https://bugzilla.redhat.com/show_bug.cgi?id=1343135
  https://bugzilla.redhat.com/show_bug.cgi?id=1343137

While investigating, I noticed that we're using a "development release"
of spice (0.13.x) instead of a "stable release" (0.12.x):

  http://www.spice-space.org/download.html#stable-release

We should probably be using the stable release.  What do you think?

Anyway, would you be willing to handle this security update, by
switching Guix to a version of spice that's not vulnerable?
The summary line could end with "[fixes CVE-2016-{0749,2150}]."

Thanks for your contributions.

        Mark
