Hello!

OpenSSL 1.0.2g was released today, fixing several serious security vulnerabilities, several of which are referred to as “DROWN” (as has become security-marketing tradition.)

This gave a good incentive to fix the “grafting” mechanism described at:

  https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

The problem was that until now, grafting was not recursive: .

This is fixed in c22a132, so we “rushed” to use it in ‘master’ for the OpenSSL upgrade, which is done in caeadfd.

So now is the time to find out how well the new implementation scales and to address any limitations. :-)

A potentially disturbing thing with the new code is that it starts building/downloading things early, typically before it has written “The following derivations will be built”; see .

A limitation of the current implementation is that the replacement package must have exactly the same name and version as the package being replaced. So OpenSSL 1.0.2g shows up as /gnu/store/…-openssl-1.0.2f.

The store file name of the old OpenSSL is given by:

  guix build openssl --no-grafts

… and the new one is given by:

  guix build openssl

For example, to verify which OpenSSL(s) your whole profile refers to, you can run:

  guix gc -R $(readlink -f ~/.guix-profile) | grep openssl

and check the store file names that you get (make sure to turn off guix-prettify-mode :-)).

Likewise for a GuixSD generation:

  guix gc -R $(guix system build config.scm) | grep openssl

And for running processes:

  lsof | grep /gnu/store/.*openssl

Seems like these tricks could go in the manual under “Security Updates”, no?

Feedback welcome!

Ludo’.
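Since the grafted and ungrafted OpenSSL share the name “openssl-1.0.2f” and differ only in the store hash, the `grep openssl` check above cannot by itself tell which one a closure references. The script below is an added example, not code from the message or from Guix: it compares the paths printed by `guix gc -R` against the ungrafted path printed by `guix build openssl --no-grafts`, using constructed sample data with placeholder hashes.

```shell
# Added example (not from the message above): tell grafted from ungrafted
# OpenSSL references in a closure. Both store items are named
# "...-openssl-1.0.2f"; only the hash prefix differs, so the check compares
# full store paths against the ungrafted one that
# `guix build openssl --no-grafts` prints.

# Constructed sample data: placeholder hashes, not real store items.
UNGRAFTED_OPENSSL=/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-openssl-1.0.2f
CLOSURE_SAMPLE='/gnu/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-glibc-2.22
/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-openssl-1.0.2f
/gnu/store/cccccccccccccccccccccccccccccccc-openssl-1.0.2f
/gnu/store/dddddddddddddddddddddddddddddddd-curl-7.47.1'

# classify_openssl_refs UNGRAFTED < closure-listing
# Reads store paths (one per line, as `guix gc -R PROFILE` prints them) and
# prints "old PATH" for the ungrafted OpenSSL and "new PATH" for any other
# OpenSSL item (the grafted replacement). Non-OpenSSL items are skipped.
classify_openssl_refs() {
    ungrafted=$1
    while IFS= read -r path; do
        case $path in
            /gnu/store/*-openssl-*)
                if [ "$path" = "$ungrafted" ]; then
                    printf 'old %s\n' "$path"
                else
                    printf 'new %s\n' "$path"
                fi ;;
        esac
    done
}

# count_old_refs UNGRAFTED < closure-listing
# Number of references to the ungrafted OpenSSL; anything above 0 means the
# closure still pulls in the pre-graft library.
count_old_refs() {
    classify_openssl_refs "$1" | grep -c '^old ' || true
}

# Stand-alone run on the constructed sample; in practice pipe in
#   guix gc -R "$(readlink -f ~/.guix-profile)"
printf '%s\n' "$CLOSURE_SAMPLE" | classify_openssl_refs "$UNGRAFTED_OPENSSL"
```

The same function works on `guix gc -R $(guix system build config.scm)` output for a GuixSD generation.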