On Wed, Jul 17, 2024 at 09:21:53PM +0000, jgart wrote:
> > I'm not sure I understand the question. Gunicorn-next contains the CVE
> > fix, but gunicorn does not? Is that correct?
>
> Yep, that is correct. gunicorn does not contain the fix and gunicorn-next
> does contain the fix.

Okay. Is there a reason to create gunicorn-next rather than updating gunicorn? We can't simply remove gunicorn without also removing the packages that depend on it, or making it so that those packages do not depend on it. Otherwise, Guix will not build, and we won't have successfully mitigated the vulnerability for our users.