unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Vagrant Cascadian <vagrant@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1066113@bugs.debian.org
Cc: guix-devel@gnu.org, team@security.debian.org
Subject: Re: Bug#1066113: guix: CVE-2024-27297
Date: Sat, 23 Mar 2024 15:37:50 -0700	[thread overview]
Message-ID: <87zfuotw01.fsf@wireframe> (raw)
In-Reply-To: <87sf0p63cf.fsf@wireframe>

[-- Attachment #1: Type: text/plain, Size: 1617 bytes --]

Control: severity 1066113 serious

On 2024-03-16, Vagrant Cascadian wrote:
> On 2024-03-15, Salvatore Bonaccorso wrote:
>> On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
>>> On 2024-03-13, Vagrant Cascadian wrote:
>>> > On 2024-03-12, Vagrant Cascadian wrote:
>>> >> On 2024-03-12, Salvatore Bonaccorso wrote:
>> We had a look, and as per
>> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
>> we think that it does not require a DSA, but a fix in the upcoming
>> point releases would be good.
>
> Oh my! I am a bit shocked by this honestly ... why is it treated as a
> minor security issue?
>
> I realize Guix is pretty niche in Debian... Nix is perhaps a little more
> widely used...
>
> For anyone with Guix or Nix installed, if I understand correctly, it
> basically allows arbitrarily replacing the source code for anything that
> you might build using Guix or Nix.
>
>
>> So can you submit it for the point releases? (make sure to adjust the
>> target distribution to bullseye respetively bookworm instead of
>> *-security).
>
> I can... although, I would like to make a kind and freindly nudge to
> reconsider a DSA if at all possible. :)

Thinking more on this... I worry that this issue is maybe more serious
than the Debian Security Team realizes?

If issues like this do not warrant a security update in Debian, I feel
the better course of action may be to remove Guix from Debian. I say
this reluctantly, with a heavy heart...

Marking as serious severity to reflect my opinion as the maintainer.


live well,
  vagrant

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

       reply	other threads:[~2024-03-23 22:39 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <171027393892.3641451.11730504058514510368.reportbug@eldamar.lan>
     [not found] ` <874jdbvyux.fsf@contorta>
     [not found]   ` <87ttl96605.fsf@wireframe>
     [not found]     ` <87zfuz5p8j.fsf@wireframe>
     [not found]       ` <ZfSpQroFsnHvqvus@eldamar.lan>
     [not found]         ` <87sf0p63cf.fsf@wireframe>
2024-03-23 22:37           ` Vagrant Cascadian [this message]
2024-03-24 13:23             ` Bug#1066113: guix: CVE-2024-27297 pelzflorian (Florian Pelz)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87zfuotw01.fsf@wireframe \
    --to=vagrant@debian.org \
    --cc=1066113@bugs.debian.org \
    --cc=carnil@debian.org \
    --cc=guix-devel@gnu.org \
    --cc=team@security.debian.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).