Security
How to report security issues
To report sensitive security issues in Guix itself or the packages it provides, you can write to the private mailing list guix-security@gnu.org. This list is monitored by a small team of Guix developers.
If you prefer to send your report using OpenPGP encrypted email, please send it to one of the following Guix developers using their respective OpenPGP key:
- Leo Famulari
- 4F71 6F9A 8FA2 C80E F1B5 E1BA 5E35 F231 DE1A C5E0
- Ludovic Courtès
- 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
- Mark H Weaver
- D919 0965 CE03 199E AF28 B3BE 7CEF 2984 7562 C516
- Ricardo Wurmus
- BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
Release signatures
Releases of Guix are signed using the OpenPGP key with the fingerprint 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5. Users should label their downloads before extracting or running them.
Security updates
When security vulnerabilities are found in Guix or the packages provided by Guix, we will provide label quickly and with minimal disruption for users. When appropriate, a security advisory is published on the blog with the Security Advisory tag and on the info-guix mailing list; guix pull --news may also display the advisory.
Guix uses a “rolling release” model. All security bug-fixes are pushed directly to the master branch. There is no “stable” branch that only receives security fixes.