Leo Famulari writes:

> Grafts effectively rewrite binary references in compiled software, so
> it's kind of a kludge. The binary interface of the new grafted
> replacement must be compatible with the original package, and if it's
> not, the problems can be hidden and subtle.
>
> For that reason, it's important to make the smallest change possible
> when grafting, to reduce the chance of breakage.
>
> So, the question is, does 3.6.16 include only the fix for
> CVE-2021-20305? Or does it also include other changes? If the former, we
> should cherry-pick the CVE bug fix instead of updating.

GnuTLS usually mentions whether or not an update is ABI-compatible:

https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html

However, it's good practice to verify that with something like 'abidiff'
(from the 'libabigail' package). I.e.:

  abidiff $(guix build gnutls)/lib/libgnutls.so \
          $(./pre-inst-env guix build gnutls)/lib/libgnutls.so

(this won't work because of multiple outputs, but you get the drill)

When there is no change, the graft _should_ be perfectly safe. If there
are changes, it becomes a judgement call. The 'abidiff' output is of
great assistance in that case.

Anyway, just some general notes on grafting. Thanks a lot for looking
after security issues, Solene.
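A small wrapper around the 'abidiff' check sketched above, added here as an example rather than taken from the thread or from Guix itself: it filters the multiple-output problem out of 'guix build' output and turns the abidiff exit status (bit values from the libabigail manual) into a graft verdict. It assumes 'guix', './pre-inst-env' and 'abidiff' are available when run for real; the output-suffix list is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not code from the original message or from Guix.

# 'guix build' prints one store path per output (out, debug, doc, ...),
# which is why the one-liner in the message fails. Keep only the main
# output: the first line not ending in a secondary-output suffix
# (assumed list). Reads the path list from stdin.
pick_main_output() {
    grep -v -e '-debug$' -e '-doc$' -e '-static$' | head -n 1
}

# Map an abidiff exit status to a verdict. Status bits, per the
# libabigail manual: 1 = error, 2 = usage error, 4 = ABI change,
# 8 = incompatible ABI change (4 and 8 may be set together).
abi_verdict() {
    status=$1
    if [ $((status & 3)) -ne 0 ]; then
        echo "error: abidiff failed (status $status)"
    elif [ $((status & 8)) -ne 0 ]; then
        echo "incompatible: ABI break detected, do not graft"
    elif [ $((status & 4)) -ne 0 ]; then
        echo "changed: ABI differs, judgement call; read the abidiff report"
    else
        echo "safe: no ABI change detected"
    fi
}

# Compare a library from the current package with the grafted build.
# Usage: check_graft_abi gnutls lib/libgnutls.so
check_graft_abi() {
    pkg=$1
    lib=$2
    old=$(guix build "$pkg" | pick_main_output)
    new=$(./pre-inst-env guix build "$pkg" | pick_main_output)
    status=0
    # abidiff prints the human-readable diff; we only keep its status.
    abidiff "$old/$lib" "$new/$lib" || status=$?
    abi_verdict "$status"
}
```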