> >> Is there a way we can blacklist known bad versions?
>
> I'm not sure what you mean, but I don't think so.
For a start, what about adding a short comment:

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 5de17b6b51..fd5ab7ba00 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -493,6 +493,8 @@ (define-public pbzip2 (define-public xz (package (name "xz") +;;; Be reminded of the xz/liblzma backdoor in the versions 5.6.0 and 5.6.1! +;;; See https://www.openwall.com/lists/oss-security/2024/03/29/4 (version "5.2.8") (source (origin (method url-fetch)

as a single commit, with an appropriate commit message. That's a bang for pretty much no money.

> The main danger is in guix time-machine to the past

Good point. So then a little note here, too:

diff --git a/doc/guix.texi b/doc/guix.texi index 69a904473c..60909adf5f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -5012,10 +5012,13 @@ Invoking guix time-machine @quotation Note The history of Guix is immutable and @command{guix time-machine} provides the exact same software as they are in a specific Guix -revision. Naturally, no security fixes are provided for old versions -of Guix or its channels. A careless use of @command{guix time-machine} -opens the door to security vulnerabilities. @xref{Invoking guix pull, -@option{--allow-downgrades}}. +revision. Naturally, no security fixes are provided for old versions of +Guix or its channels. A careless use of @command{guix time-machine} +opens the door to security vulnerabilities, or potentially even +backdoors. (Do you remember the +@uref{https://www.openwall.com/lists/oss-security/2024/03/29/4, backdoor +in upstream xz/liblzma leading to ssh server compromise}?) +@xref{Invoking guix pull, @option{--allow-downgrades}}. @end quotation

Cheers
Bost
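Review bot: in the compression.scm hunk, the new comment is placed inside the `package` form, between `(name "xz")` and `(version "5.2.8")`, but uses the `;;;` prefix at column 0, which by Scheme/Emacs convention marks a top-level section comment; a comment inside a form should be `;;` and indented with the surrounding fields, e.g. `  ;; Be reminded of the xz/liblzma backdoor in 5.6.0 and 5.6.1;` / `  ;; see https://www.openwall.com/lists/oss-security/2024/03/29/4`. The comment should also say outright that the packaged 5.2.8 is not one of the affected releases, and the commit message should make clear that this is a reminder for whoever next bumps `version`, not a guard: nothing in the hunk prevents an update to 5.6.0 or 5.6.1.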
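Review bot: in the guix.texi hunk, the example chosen does not show the hazard for Guix itself: the compression.scm hunk in this same message has Guix at xz 5.2.8, which predates the backdoored 5.6.0 and 5.6.1 releases, so a reader following the link will not find a past Guix revision that `guix time-machine` would pin to an affected xz (unless some past revision did carry 5.6.x, in which case say so). Either name the affected versions and note that the hazard is illustrative, or pick a vulnerability an old Guix revision actually carried. The rhetorical `(Do you remember the ... ?)` is also out of register for the manual; a declarative form such as `for example, the @uref{..., 2024 backdoor in upstream xz/liblzma 5.6.0 and 5.6.1}` reads better. The reflow of the unchanged first sentences and the moved `@xref` are fine.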
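The first quoted question asks whether known-bad versions can be blacklisted, and the reply is that Guix has no such mechanism; the patch above adds only a comment. As an added illustration (not code from Guix or from Bost's patch), here is what a minimal mechanized check could look like in plain Guile, with no `(guix ...)` modules involved. The blacklist table, the `bad-version-reference` and `check-version!` names, and the idea of calling the check from a package's `version` field are all hypothetical; the two xz versions and the URL are the ones named in the patch.

```scheme
;; Added example, not part of Guix or of the patch under discussion.
;; Pure Guile: runs with `guile -l this-file.scm` and needs no Guix modules.
(use-modules (srfi srfi-1)
             (ice-9 format))

;; Constructed blacklist: package name -> (versions-known-bad reference-url).
;; The xz entry mirrors the versions and advisory cited in the patch; the
;; table itself is hypothetical and would have to be maintained by hand.
(define known-bad-versions
  '(("xz" ("5.6.0" "5.6.1")
     "https://www.openwall.com/lists/oss-security/2024/03/29/4")))

(define (bad-version-reference name version)
  "Return the advisory URL if VERSION of NAME is blacklisted, #f otherwise."
  (let ((entry (assoc name known-bad-versions)))
    (and entry
         (member version (second entry))   ; exact-string match, not a range
         (third entry))))

(define (check-version! name version)
  "Return VERSION, or raise an error if NAME@VERSION is a known-bad release."
  (let ((ref (bad-version-reference name version)))
    (when ref
      (error (format #f "~a@~a is a known-bad release, see ~a"
                     name version ref)))
    version))

;; Intended use (hypothetical): wrap the version field of a package so that
;; bumping to a blacklisted release fails when the module is evaluated,
;; rather than relying on a reviewer noticing a comment.
;;   (version (check-version! "xz" "5.2.8"))   ; returns "5.2.8"
;;   (version (check-version! "xz" "5.6.1"))   ; raises an error
```

Two caveats on the design: the match is on exact version strings, so a blacklist entry catches only the releases listed and says nothing about a revision that someone patched by hand; and because `guix refresh -u` edits the literal version string in a package definition, a non-literal `version` field is likely to get in the updater's way, so in a real Guix tree this check would fit better as a lint pass over the literal than as a wrapper around it.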