On Sun, May 09, 2021 at 04:37:39PM +0200, Leo Prikler wrote: > Indeed, the mail they dropped over at guix-devel made it seem as though > not being on 2.3.0 was a security risk already. The ChangeLog does > mention some items worth fuzzing over. In general, all updates are security updates. But we shouldn't / can't update all core packages with grafts just because. Grafting is a kludge that doesn't always work as expected (and the problems are hidden), and it has a high I/O performance cost. So, let's wait for a security advisory.