Removing Guix from Debian [LWN subscriber-only content]

As a rule, if a package is shipped with a Debian release, users can count on it being available, and updated, for the entire life of the release. If package foo is included in the stable release—currently Debian 13 ("trixie")—a user can reasonably expect that it will continue to be available with security backports as long as that release is supported, though it may not be included in Debian 14 ("forky"). However, it is likely that the Guix package manager will soon be removed from the repositories for Debian 13 and Debian 12 ("bookworm", also called oldstable).

Debian has the Advanced Package Tool (APT) for package management, of course, but Guix offers a different approach and can be used alongside other distributions' package managers. Guix is inspired by Nix's functional package management; it offers transactional upgrades and rollbacks, package management for unprivileged users, and more. Unlike Nix, its packages are defined using the Guile implementation of the Scheme programming language. There is also a GNU Guix distribution; LWN covered both NixOS and Guix in February 2024, and looked at the Nix alternative Lix in July 2024.

On June 24, the Guix project disclosed several security vulnerabilities that affected guix-daemon, the program that builds software and provides access to the store where successful builds are kept. Two of the vulnerabilities, CVE-2025-46415 and CVE-2025-46416, would allow a local user to gain the privileges of any of the build users, manipulate build output, and gain the privileges of the daemon user. The vulnerabilities also affected the Nix and Lix package managers.


The disclosure blog post gave instructions on how to mitigate the vulnerabilities by updating guix-daemon using the "guix pull" command, but the project did not make a new Guix release. The last actual release from the project was version 1.4.0, which was announced in December 2022. The Guix project has a rolling-release model, with sporadic releases, and does not maintain stable branches with security updates. This may not pose a problem for users getting Guix directly from the project, but it poses some obstacles for inclusion in other Linux distributions.

Debian package

Salvatore Bonaccorso filed a bug against Debian's guix package on June 25 to report the vulnerabilities. Vagrant Cascadian, the maintainer of the package, replied on July 15, and said that the fixes for the security vulnerabilities had been "commingled with a lot of other upstream changes", and it would be "trickier than in the past" to try to backport the fixes without the other changes in Guix. He said he had just managed to "get something to compile" with the security fixes applied, using a backport repository maintained by Denis 'GNUtoo' Carikli.

Carikli had brought up the difficulty of backporting Guix fixes on the guix-devel mailing list on July 8. Various distributions shipped Guix versions 1.2.0, 1.3.0, and 1.4.0; Debian shipped 1.2.0 and 1.4.0 and served as the upstream for other distributions' packages:

But the Debian package maintainer has the almost impossible task to backport all the security fixes without a community nor help behind [maintaining it] and as things are going, this will probably lead to the Debian guix package being removed with cascading effect for the other distributions.
