Denis ’GNUtoo’ Carikli <gnu...@cyberdimension.org> writes:

> If we look at guix packages in various distributions, we have Guix
> 1.4.0, 1.3.0 and 1.2.0[1].

In Nixpkgs we gave up and shipped the last commit on master mentioned in
the recent CVE disclosure. It’s visible as ‘1.4.0-unstable-2025-06-24’
on Repology.

I too would like to see Guix figure out backporting patches, but in the
meantime, could Vagrant consider this approach for Debian? I know it’s
not aesthetically pleasing but it’s better than security vulnerabilities
OOTB.

Hopefully GCD005 getting approved will help the situation in future as
well (though it doesn’t address the backporting issue).

Also: is <https://guix.gnu.org/en/download/> currently advertising
vulnerable release artifacts? I guess we’re relying on the first pull to
take place with trusted users and trusted channels, then.

—Liam