Hello,

On 2024-03-29 13:39:59 -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution. wrote:
> > Is there a way we can blacklist known bad versions?
>
> Having said all that, I am not sure Guix is affected.
>
> On my systems, the 'detect.sh' script shows no reference to liblzma in
> sshd. Everyone, please send additional reports.

If nothing else, our xz is at 5.2.8. I think the question was if there is a way to blacklist a specific known tarball to ensure no-one updates to it by accident.

(I do not believe Guix would be vulnerable even when built from the malicious tarball, but that is a separate issue.)

Have a nice day,
Tomas

--
There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.