Hello!

Guile 2.0.13 fixes a couple of security issues:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00010.html

CVE-2016-8606 can be serious (remote code execution), but developers using Guile can readily work around it; see the description at:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html

In particular, Geiser already uses Unix-domain sockets to talk to Guile, which means we’re safe here.

CVE-2016-8605 is about the possibility of creating files with insecure permissions in multithreaded programs. Apart from our own grafting code (the infamous <http://bugs.gnu.org/22954>), this is probably a rare situation.

So, what do we do? Given that core-updates with Guile 2.0.12 is on its way and that master is still at 2.0.11, I’d suggest leaving master as-is and focusing on core-updates. There we have 2 options:

  1. Changing ‘guile-2.0/fixed’ to 2.0.13, but 1,310 packages depend on it.

  2. Grafting 2.0.13, which is doable since 2.0.12 and .13 have the same ABI.

I have a preference for #2.

Thoughts?

Ludo’.