Ludovic Courtès writes:

> There’s one issue left though:
>
> $ ./pre-inst-env guix lint upx
> gnu/packages/compression.scm:2179:2: upx@3.94: probably vulnerable to CVE-2017-15056, CVE-2017-16869
>
> Could you check whether patches are available for these? Better be safe
> than sorry!

Indeed they are. They are not on the master branch though, only devel I think.

So what's the protocol here? Shall we cherry-pick the fixing commits or get latest devel?

--
Pierre Neidhardt

The day advanced as if to light some work of mine; it was morning, and lo! now it is evening, and nothing memorable is accomplished.
-- H.D. Thoreau