[bug#70022] [PATCH 0/2] Binary Installation: Add more distros.
From: pelzflorian (Florian Pelz)
Subject: [bug#70022] [PATCH 0/2] Binary Installation: Add more distros.
Date: Wed, 27 Mar 2024 17:09:51 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

Hi Denis. This is in principle a great improvement; however, note that
recently (4th March or so) a local privilege escalation vulnerability in
guix-daemon was discovered
<https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/>
and many distros have not fixed it yet, such as AUR and therefore your
Parabola pcr package or Debian’s long-term releases, which Debian’s guix
packager complained about
<https://security-tracker.debian.org/tracker/CVE-2024-27297>.

Perhaps we should think about how and where we can also instruct users
to upgrade their daemon in a timely manner. This will be different for
guix packages (that configure a vulnerable daemon systemd service) and
for guix-install (where it is enough to follow the guix pull news file,
if the admin actually uses guix pull themself and can see the news).

Otherwise LGTM.

Regards,
Florian