Hi Guixers,

What should we do in the event that we don't have time to quickly fix packages that depend on a package that has an open CVE on it?

For example, I provided gunicorn-next in a recent commit to master which fixes CVE-2024-1135, but I don't have time at the moment to fix the bad gunicorn's dependents* against gunicorn-next. Should we just remove the bad gunicorn and break the packages that depend on it in order to mitigate the risk of CVE-2024-1135?

All the best,

jgart

https://nvd.nist.gov/vuln/detail/CVE-2024-1135

PS: Excuse the previous blank email. I pressed send by accident ;()

* Building the following 6 packages would ensure 15 dependent packages are rebuilt:

  python-baltica@1.1.2
  python-mailman-hyperkitty@1.2.0
  python-falcon-cors@1.1.7
  python-funsor@0.4.5
  python-matplotlib-documentation@3.8.2
  scregseg@0.1.3