Liam Hupfer <l...@hpfr.net> writes:

> Denis ’GNUtoo’ Carikli <gnu...@cyberdimension.org> writes:
>
>> If we look at guix packages in various distributions, we have Guix
>> 1.4.0, 1.3.0 and 1.2.0[1].
>
> In Nixpkgs we gave up and shipped the last commit on master mentioned in
> the recent CVE disclosure. It’s visible as ‘1.4.0-unstable-2025-06-24’
> on Repology.
>
> I too would like to see Guix figure out backporting patches, but in the
> meantime, could Vagrant consider this approach for Debian? I know it’s
> not aesthetically pleasing but it’s better than security vulnerabilities
> OOTB.

+1

As far as I understand, guix has a rolling release model where 'master' is always supposed to work (or?), so basing a Debian package off of 'master' doesn't seem entirely unreasonable. As long as there is some testing (which typically should be done by debian/tests/ and autopkgtest/debci) that the resulting package actually works and is able to update itself to the latest codeberg commits, I don't see any problem just shipping snapshots once in a while.

Of course, if Guix ever has a track record of bi-yearly (or even yearly) releases then it may make sense to start packaging the releases again.

/Simon