Re: GNOME 3.34 in GNU Guix and security


From: Mark H Weaver
Subject: Re: GNOME 3.34 in GNU Guix and security
Date: Thu, 11 Mar 2021 03:18:17 -0500

Hi Léo,

I appreciate your recent work on Guix security.  Thank you for that.

Léo Le Bouter <lle-bout@zaclys.net> writes:
> I must come to the conclusion that using GNOME 3.34 in GNU Guix right
> now is just straight out insecure. I would advise we either get rid of
> GNOME, backport all individual security patches (they can be
> numerous...), or upgrade GNOME to latest and keep up over time.

Can you please substantiate this?  What vulnerabilities do you know of,
and what makes you think that we can't address them adequately in the
usual ways, without "upgrading GNOME to [the] latest"?

I saw your bug report about our Glib being vulnerable to CVE-2021-27218
and CVE-2021-27219.  Thanks very much for bringing that to our attention.

> I don't think we can afford to spend time backporting security fixes to
> the numerous GNOME packages with CVEs, not with current resources, it
> is time-consuming.

I'll backport the fixes to our version of Glib.  It will actually be
quite easy, given that Ubuntu has already published backports of the
fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix
(2.62.6).  I just looked at the diffs between those two patch sets, and
the differences are quite slight, apart from line number differences.

Besides CVE-2021-{27218,27219}, do you know of other known security
issues that would justify your claim that "using GNOME 3.34 in GNU Guix
right now is just straight out insecure"?

     Thanks,
       Mark
