Hi Maxime,

Maxime Devos writes:

> Leo Famulari wrote on Fri 05-11-2021 at 12:23 [-0400]:
>> For use of tar by Guix users, we could add a new package 'tar-1.34'
>> and arrange so that `guix install tar` selects it instead of
>> tar@1.32, and so that whatever tar is provided by default on Guix
>> System [1] is tar-1.34.
>
> I don't think this is sufficient, because some packages keep
> references to 'tar', e.g. 'hdup'. A solution would be registering
> the updated tar as a replacement of the somewhat vulnerable tar:

I think this is the better approach. Leo's analysis is correct, but there are a few problems:

(1) I guess that most Guix users don't install 'tar' manually, but rather depend on the fact that 'tar' is included in %base-packages, which references 'tar' by its variable name.

(2) Even for users who explicitly ask for 'tar', if they reference it by its variable name, they would still get the vulnerable version. That includes users (such as myself) who manage their profiles declaratively, i.e. using "guix package --manifest".

(3) As Maxime pointed out, it's possible that some packages might retain a reference to 'tar' to be used at runtime.

However, someone would need to test to make sure that after grafting 'tar', they can successfully rebuild their system and boot into it. Hopefully the code in 'commencement' deals properly with a grafted 'tar', but that should be checked.

I won't be able to work on this today, so hopefully someone else can take care of it. Otherwise, I'll do it tomorrow.

Thanks!
Mark

--
Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about .
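For readers following the thread, here is what "registering the updated tar as a replacement" looks like in Guix package syntax. This is an added illustration, not code from the Guix tree or from any of the participants: the `tar` definition is abbreviated, the module imports are the usual ones for `(gnu packages base)`, and both `base32` hashes are placeholders that must be replaced with the real tarball hashes before this would load.

```scheme
;; Added illustration of the graft ("replacement") approach discussed
;; in the thread. Not Guix's own code; field values and hashes are
;; placeholders. In the real tree this lives in (gnu packages base).
(define-module (gnu packages base)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

;; The existing, vulnerable package. Everything that refers to the
;; variable 'tar' (%base-packages, a --manifest, a package such as
;; hdup that keeps a runtime reference) still points here.
(define-public tar
  (package
    (name "tar")
    (version "1.32")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               (base32 "PLACEHOLDER-REPLACE-WITH-REAL-1.32-HASH"))))
    (build-system gnu-build-system)
    ;; The graft: when grafts are enabled (the default), every store
    ;; reference to this tar's output is rewritten to tar/fixed's
    ;; output, without rebuilding the dependents.
    (replacement tar/fixed)
    (home-page "https://www.gnu.org/software/tar/")
    (synopsis "Managing tar archives")
    (description "GNU Tar creates and manipulates tar archives.")
    (license license:gpl3+)))

;; The fixed package.  It inherits everything from 'tar' and only
;; changes the version and source.  Grafting requires the two store
;; items to have file names of equal length, which "tar-1.32" and
;; "tar-1.34" satisfy.
(define tar/fixed
  (package
    (inherit tar)
    (version "1.34")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               (base32 "PLACEHOLDER-REPLACE-WITH-REAL-1.34-HASH"))))))
```

The test Mark asks for maps onto two commands: `guix build tar` should return the grafted output while `guix build --no-grafts tar` still returns the 1.32 item, and `guix system build <config>` followed by a reboot confirms that the grafted `tar` in `%base-packages` and the `commencement` bootstrap path still produce a bootable system.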