It would be really nice, especially for downstream distributors, if there was a test for CVE-2024-27297.

There is working code to test this in the excellent blog post on the subject, which is a likely good starting point!

  https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/

Super extra bonus points if the test is backwards compatible with guix 1.4 and 1.2 :)

live well,
  vagrant