Marius Bakke writes:

> Kei Kebreau writes:
>
>> Marius Bakke writes:
>>
>>> Leo Famulari writes:
>>>
>>>> On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
>>>>> Kei Kebreau writes:
>>>>>
>>>>> > Reviewers, how does this patch look to you?
>>>>>
>>>>> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
>>>>> setuid root, which is not the case on guix.
>>>>>
>>>>> FWIW Debian do not carry this patch, but have fixed the CVE according to
>>>>> the changelog. So I doubt this patch is necessary.
>>>>
>>>> There have been a couple security-related bugs publicized recently that
>>>> are only dangerous when the software is installed setuid root.
>>>>
>>>> Although we don't do that by default, system administrators can do it on
>>>> GuixSD. I also think that Guix is valuable as a distribution mechanism
>>>> of free source code, and we should fix bugs for that use case.
>>>>
>>>> So, I was thinking that we should fix these bugs unless they require
>>>> grafting, and then we should fix them in core-updates.
>>>>
>>>> WDYT?
>>>
>>> That does make a lot of sense. Reading up on execl(3), it looks like
>>> this patch does the right thing and can't hurt even when not setuid.
>>>
>>> Mind=changed! :P
>>
>> Are we all agreed on pushing this change?
>
> I agree with Leo that we should try to cover for all use cases of
> software from Guix, so this change LGTM.

Great! Pushed as 1a82ba660e88e731841882523084e5d878267b53.