Re: GNOME 3.34 in GNU Guix and security
From: Léo Le Bouter
Subject: Re: GNOME 3.34 in GNU Guix and security
Date: Thu, 11 Mar 2021 09:28:22 +0100
User-agent: Evolution 3.34.2
On Thu, 2021-03-11 at 03:18 -0500, Mark H Weaver wrote:
> Hi Léo,
Hello!
> I appreciate your recent work on Guix security. Thank you for that.
Very happy to catch up there as well for my own usage of GNU Guix as
well!
> Can you please substantiate this? What vulnerabilities do you know of,
> and what makes you think that we can't address them adequately in the
> usual ways, without "upgrading GNOME to [the] latest"?
I have not yet fully investigated each CVE but there is uncertainty
around gnome-shell, gvfs, librsvg, gdk-pixbuf, pango, cairo, if not
more. You can use 'guix lint -c cve <pkg>' to find out, also look up in
NVD individually in case GNU Guix doesn't find it.
I am always uneasy relying on CVE only for security patches since I
know how much lots of security issues are fixed by developers without
issuing any CVE, so to me the best way of keeping up is to always be on
latest.
> I saw your bug report about our Glib being vulnerable to CVE-2021-27218
> and CVE-2021-27219. Thanks very much for bringing that to our attention.
>
> I'll backport the fixes to our version of Glib. It will actually be
> quite easy, given that Ubuntu has already published backports of the
> fixes for Glib 2.56.4 and 2.64.4, which brackets the version in Guix
> (2.62.6). I just looked at the diffs between those two patch sets, and
> the differences are quite slight, apart from line number differences.
I am really happy you are willing to help! I will have to admit that I
am a bit overwhelmed by the amount of work that I have left still.
Léo