
Bug#1112246: marked as done (RM: guix -- RoM; unsupportable; security issues)



Your message dated Sat, 06 Sep 2025 10:12:54 +0000
with message-id <E1uupug-002N2F-1J@fasolo.debian.org>
and subject line Bug#1112246: Removed package(s) from oldstable
has caused the Debian Bug report #1112246,
regarding RM: guix -- RoM; unsupportable; security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112246
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm
X-Debbugs-Cc: guix@packages.debian.org, team@security.debian.org, vagrant@debian.org
Control: affects -1 + src:guix

Recent security issues have made it clear that Guix upstream, which
uses a rolling release model, makes it difficult to provide proper
security support.

In the past, this worked because the relevant parts of the code had
seen little development, but after some significant changes landed it
made backporting security patches more difficult.

  guix: CVE-2025-46415 CVE-2025-46416 CVE-2025-52991 CVE-2025-52992 CVE-2025-52993
  
  https://bugs.debian.org/1108318


After several attempts at backporting patches and discussion with the
security team, I have decided that we should probably remove this from
bookworm, trixie and bullseye.

There is also currently a bug to trigger testing auto-removal for forky:

  https://bugs.debian.org/1112143

It has no reverse dependencies, so should not trigger any serious
problems for others.

This will also need to be removed from the security archive at some point.


*sigh*


live well,
  vagrant

--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

      guix | 1.4.0-3+deb12u2 | source, amd64, arm64, armhf, i386, ppc64el

------------------- Reason -------------------
RoM; unsupportable; security issues
----------------------------------------------

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1112246@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/1112246

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)



--- End Message ---
