Guile 3.0.11 is out and getting that into Debian would be great!
Isn't some static content from the compiler embedded into binary *.go
files? I wonder if we shouldn't be tagging guile packages with
Static-Built-Using:
${misc:Static-Built-Using},
and somehow get the guile package version into that field.
The argument would be that if there is a security problem in the guile
compiler that leads to it generating vulnerable code in the pre-compiled
*.go files, the Debian security team would need to patch 'guile-3.0' to
fix the bug, and then recompile all packages that embed the buggy code
into their binaries. This is normally tracked using Static-Built-Using.
Does anyone know about Guile internals to tell if this is a valid
concern or not? I don't know the *.go guile file format.
Thoughts?
/Simon
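As an added illustration of the rebuild-tracking question raised above (this is example code, not part of the original mail, Debian's tooling, or Guile): given `dpkg-query` output listing each binary package with its Static-Built-Using field, the script below parses the `source (= version)` entries that Debian Policy prescribes for that field and lists every package that embeds a given source package at a version other than the fixed one. The package names and versions in the sample are constructed for illustration; the exact-version check is a simplification of what `dpkg --compare-versions` would do.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of
#   dpkg-query -W -f='${Package}\t${Static-Built-Using}\n'
# Package names and versions here are made up for illustration.
SAMPLE_DPKG_OUTPUT = """\
guile-gnutls\tguile-3.0 (= 3.0.10-1)
guile-json\tguile-3.0 (= 3.0.11-1)
guile-git\tguile-3.0 (= 3.0.10-1), libgit2 (= 1.7.2+ds-1)
some-go-tool\tgolang-1.22 (= 1.22.1-1)
libfoo\t
"""

# Policy 7.8: each Static-Built-Using entry is "source (= version)".
RELATION_RE = re.compile(
    r'^\s*(?P<src>[a-z0-9][a-z0-9+.-]*)\s*\(\s*=\s*(?P<ver>[^)\s]+)\s*\)\s*$'
)


def parse_static_built_using(field: str) -> Dict[str, str]:
    """Parse a Static-Built-Using value into {source_package: version}.

    An empty field (package has no static embedding recorded) yields {}.
    Anything not of the form "source (= version)" is rejected loudly,
    because a silently skipped entry would hide a package from the
    rebuild list.
    """
    embedded: Dict[str, str] = {}
    if not field.strip():
        return embedded
    for item in field.split(','):
        m = RELATION_RE.match(item)
        if not m:
            raise ValueError(f'malformed Static-Built-Using entry: {item!r}')
        embedded[m.group('src')] = m.group('ver')
    return embedded


def parse_dpkg_output(text: str) -> Dict[str, Dict[str, str]]:
    """Map binary package name -> parsed Static-Built-Using entries."""
    packages: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, field = line.partition('\t')
        packages[name] = parse_static_built_using(field)
    return packages


def packages_needing_rebuild(
    packages: Dict[str, Dict[str, str]],
    source: str,
    fixed_versions: Set[str],
) -> List[Tuple[str, str]]:
    """Return (binary, embedded_version) pairs for packages that embed
    `source` at a version not in `fixed_versions`, sorted by name.

    Simplification: exact-string comparison against the known fixed
    version(s); real tooling would use dpkg version ordering.
    """
    stale: List[Tuple[str, str]] = []
    for name, embedded in sorted(packages.items()):
        version = embedded.get(source)
        if version is not None and version not in fixed_versions:
            stale.append((name, version))
    return stale


if __name__ == '__main__':
    pkgs = parse_dpkg_output(SAMPLE_DPKG_OUTPUT)
    # Suppose the compiler fix landed in the (constructed) upload 3.0.11-1.
    for binary, version in packages_needing_rebuild(pkgs, 'guile-3.0', {'3.0.11-1'}):
        print(f'{binary}: embeds guile-3.0 {version}, needs a rebuild')
```

In the sample, `guile-json` was already built against the fixed version and is left alone, while `guile-gnutls` and `guile-git` are reported; `some-go-tool` and `libfoo` do not embed guile-3.0 at all and never appear. This is exactly the triage the field is meant to enable: the security team patches the compiler once, then schedules binNMUs for the packages this list names.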