Message ID | cover.1711495227.git.GNUtoo@cyberdimension.org
---|---
Series | Binary Installation: Add more distros.
Hi Denis.

This is in principle a great improvement; however, note that recently (4th March or so) a local privilege escalation vulnerability in guix-daemon was discovered <https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/> and many distros have not fixed it yet, such as AUR and therefore your Parabola pcr package, or Debian’s long-term releases, which Debian’s guix packager complained about <https://security-tracker.debian.org/tracker/CVE-2024-27297>.

Perhaps we should think about how and where we can also instruct users to upgrade their daemon in a timely manner. This will be different for guix packages (that configure a vulnerable daemon systemd service) and for guix-install (where it is enough to follow the guix pull news file, if the admin actually uses guix pull themselves and can see the news).

Otherwise LGTM.

Regards,
Florian