[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GNOME 3.34 in GNU Guix and security

From: Léo Le Bouter
Subject: Re: GNOME 3.34 in GNU Guix and security
Date: Thu, 11 Mar 2021 09:28:22 +0100
User-agent: Evolution 3.34.2

On Thu, 2021-03-11 at 03:18 -0500, Mark H Weaver wrote:
> Hi Léo,


> I appreciate your recent work on Guix security.  Thank you for that.

Very happy to catch up there as well for my own usage of GNU Guix as

> Can you please substantiate this?  What vulnerabilities do you know
> of,
> and what makes you think that we can't address them adequately in the
> usual ways, without "upgrading GNOME to [the] latest"?

I have not yet fully investigated each CVE but there is uncertainty
around gnome-shell, gvfs, librsvg, gdk-pixbuf, pango, cairo, if not
more. You can use 'guix lint -c cve <pkg>' to find out, also look up in
NVD individually in case GNU Guix doesnt find it.

I am always uneasy relying on CVE only for security patches since I
know how much lots of security issues are fixed by developers without
issuing any CVE, so to me the best way of keeping up is to always be on

> I saw your bug report about our Glib being vulnerable to CVE-2021-
> 27218
> and CVE-2021-27219.  Thanks very much for bringing that our
> attention.
> I'll backport the fixes to our version of Glib.  It will actually be
> quite easy, given that Ubuntu has already published backports of
> the
> fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix
> (2.62.6).  I just looked at the diffs between those two patch sets,
> and
> the differences are quite slight, apart from line number differences.

I am really happy you are willing to help! I will have to admit that I
am a bit overwhelmed by the amount of work that I have left still.


Attachment: signature.asc
Description: This is a digitally signed message part

reply via email to

[Prev in Thread] Current Thread [Next in Thread]