On Thu, Feb 08, 2018 at 09:04:35AM +0800, Alex Vong wrote:
> I agree with what Leo thought. Since it is up to emacs package authors
> to make sure untrusted input is never sent to webkitgtk, and it is hard
> to guarantee that every package does the right thing.

I'd like to clarify myself a bit.

I believe that with some time and effort, someone could find exploitable bugs in every complex piece of software in Guix. We shouldn't let this hold us back from enjoying the features of the software.

However, in cases where the bugs were publicized long ago (webkitgtk 2.4.0 is almost 4 years old; 2.4.11 almost 2 years old) and the bugs are easily accessible to attackers (webkitgtk renders content from web pages) we should be more careful.

GnuCash is now the only thing in our tree using this old webkitgtk, and the GnuCash developers are actively working to make GnuCash use a more recent version. Other distros have even removed GnuCash or are preparing to remove it due to this issue, but I think we can wait for a bit longer.

BTW, there is a bug to discuss related issues at .