From: Vagrant Cascadian
To: Salvatore Bonaccorso, 1066113@bugs.debian.org
Cc: guix-devel@gnu.org, team@security.debian.org
Subject: Re: Bug#1066113: guix: CVE-2024-27297
In-Reply-To: <87sf0p63cf.fsf@wireframe>
References: <171027393892.3641451.11730504058514510368.reportbug@eldamar.lan> <874jdbvyux.fsf@contorta> <87ttl96605.fsf@wireframe> <171027393892.3641451.11730504058514510368.reportbug@eldamar.lan> <87zfuz5p8j.fsf@wireframe> <87sf0p63cf.fsf@wireframe>
Date: Sat, 23 Mar 2024 15:37:50 -0700
Message-ID: <87zfuotw01.fsf@wireframe>
Control: severity 1066113 serious

On 2024-03-16, Vagrant Cascadian wrote:
> On 2024-03-15, Salvatore Bonaccorso wrote:
>> On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
>>> On 2024-03-13, Vagrant Cascadian wrote:
>>> > On 2024-03-12, Vagrant Cascadian wrote:
>>> >> On 2024-03-12, Salvatore Bonaccorso wrote:
>> We had a look, and as per
>> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
>> we think that it does not require a DSA, but a fix in the upcoming
>> point releases would be good.
>
> Oh my! I am a bit shocked by this honestly ... why is it treated as a
> minor security issue?
>
> I realize Guix is pretty niche in Debian... Nix is perhaps a little more
> widely used...
>
> For anyone with Guix or Nix installed, if I understand correctly, it
> basically allows arbitrarily replacing the source code for anything that
> you might build using Guix or Nix.
>
>
>> So can you submit it for the point releases? (make sure to adjust the
>> target distribution to bullseye respectively bookworm instead of
>> *-security).
>
> I can... although, I would like to make a kind and friendly nudge to
> reconsider a DSA if at all possible. :)

Thinking more on this... I worry that this issue is maybe more serious
than the Debian Security Team realizes?

If issues like this do not warrant a security update in Debian, I feel
the better course of action may be to remove Guix from Debian. I say
this reluctantly, with a heavy heart...

Marking as serious severity to reflect my opinion as the maintainer.
live well,
  vagrant