On Mon, May 08, 2017 at 03:07:14PM -0400, Kei Kebreau wrote:
> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
> 
> * gnu/packages/backup.scm (libarchive): Update to 3.3.1.

Thanks!

Can you use a graft instead? Then, the commit message can be like this:

gnu: libarchive: Replace with 3.3.1 [security fixes].

Fixes CVE-2016-{10209,10350}, CVE-2017-5601.

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive-3.3.1): New variable.