On Thu, 2021-03-11 at 03:18 -0500, Mark H Weaver wrote:
> Hi Léo,

Hello!

> I appreciate your recent work on Guix security. Thank you for that.

Very happy to catch up there as well for my own usage of GNU Guix as well!

> Can you please substantiate this? What vulnerabilities do you know of,
> and what makes you think that we can't address them adequately in the
> usual ways, without "upgrading GNOME to [the] latest"?

I have not yet fully investigated each CVE but there is uncertainty around gnome-shell, gvfs, librsvg, gdk-pixbuf, pango, cairo, if not more. You can use 'guix lint -c cve ' to find out, also look up in NVD individually in case GNU Guix doesn't find it.

I am always uneasy relying on CVE only for security patches since I know how much lots of security issues are fixed by developers without issuing any CVE, so to me the best way of keeping up is to always be on latest.

> I saw your bug report about our Glib being vulnerable to CVE-2021-27218
> and CVE-2021-27219. Thanks very much for bringing that to our attention.
>
> I'll backport the fixes to our version of Glib. It will actually be
> quite easy, given that Ubuntu has already published backports of the
> fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix
> (2.62.6). I just looked at the diffs between those two patch sets, and
> the differences are quite slight, apart from line number differences.

I am really happy you are willing to help! I will have to admit that I am a bit overwhelmed by the amount of work that I have left still.

Léo