On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
> Kei Kebreau <kei@openmailbox.org> writes:
> 
> > Reviewers, how does this patch look to you?
> 
> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
> setuid root, which is not the case on guix.
> 
> FWIW Debian do not carry this patch, but have fixed the CVE according to
> the changelog. So I doubt this patch is necessary.

There have been a couple security-related bugs publicized recently that
are only dangerous when the software is installed setuid root.

Although we don't do that by default, system administrators can do it on
GuixSD. I also think that Guix is valuable as a distribution mechanism
of free source code, and we should fix bugs for that use case.

So, I was thinking that we should fix these bugs unless they require
grafting, and then we should fix them in core-updates.

WDYT?