Today I submitted the version 6 of the patch series for the Algol 68 GCC Front-End: https://gcc.gnu.org/pipermail/gcc-patches/2025-November/701589.html Since last submission we have added a modules system based on the Modules and Separate Compilation Facility designed by Charles Lindsey and Hendrik Boom and released by the IFIP Working Group 2.1 Standing Subcommittee on ALGOL 68 Support. To our knowledge, this is the first time the modules facility ever gets implemented. This is the deal: Jose E. Marchesi (50): a68: top-level misc files a68: build system a68: build system (regenerated files) a68: documentation a68: command-line options a68: DWARF language codes a68: darwin specific support a68: powerpc specific support a68: gcc/algol68 misc files a68: ga68 compiler driver a68: a681 compiler proper a68: unicode support routines a68: front-end diagnostics a68: modules exports a68: modules imports a68: parser: entry point a68: parser: AST nodes attributes/types a68: parser: scanner a68: parser: keyword tables management a68: parser: top-down parser a68: parser: parenthesis checker a68: parser: bottom-up parser a68: parser: syntax check for declarers a68: parser: standard prelude definitions a68: parser: parsing of modes a68: parser: symbol table management a68: parser: static scope checker a68: parser: debug facilities a68: parser: extraction of tags from phrases a68: parser: dynamic stack usage in serial clauses a68: parser: pragmats infrastructure a68: low: lowering entry point and misc handlers a68: low: plain values a68: low: stowed values a68: low: standard prelude a68: low: clauses and declarations a68: low: runtime a68: low: builtins a68: low: ranges a68: low: units and coercions a68: low: modes a68: libga68: sources, spec and misc files a68: libga68: build system a68: libga68: build system (generated files) a68: testsuite: infrastructure a68: testsuite: execution tests 1/2 a68: testsuite: execution tests 2/2 a68: testsuite: compilation tests a68: testsuite: revised MC Algol 68 test set a68: testsuite: mcgt tests

We are happy to announce the release of GNU Taler v1.1.

## We're on our way It's been a month since we started the fundraising campaign to Sustain and Strengthen Guix. So far **we've raised €6562** which is around 40% of our €15000 annual goal. If you'd like to support the project's fundraiser there's still time, pop over to the donate page now! DONATE NOW There have been a range of donations, both one-off and recurring. A few people have made large one-off donations, one of over €2150!There have been a couple between €500-€250 and a few more in the €100 range. These are big contributions to our goal, so I want to thank those individuals for helping out so generously. Just over 100 people (115 right now) have stepped forward to become **recurring supporters** , pledging a monthly amount to help the project. This is key because it means the project knows there's a regular stream of donations that can pay for the shared resources that we all use. There's been great support with a few people donating €30-€50 a month which is fantastic, the rest at the €10-€15 a month - and one person managed to use the recurring button multiple times to get precisely the amount they wanted to donate monthly! The result is that Open Collective estimates €657.50 a month of recurring donations, and Stripe estimates €720 a month of recurring donations. This is significant because if each person is able to continue giving monthly then annually we'd estimate around €16500 of donations. The maths is simple, the impact significant - a recurring donation of €10 a month is worth €120 a year, that's why **recurring donations make such a difference!** Of course, people's situations change and they may stop supporting Guix - we've had a couple of cancellations already. So in terms of the actual money we've received we're at ~40% of the €15000 target which I think is pretty good! **Thanks to everyone who's supported Guix by donating, you're making a difference and we really appreciate it!** If you haven't done it yet, and would like to jump in to support the project then now's a great time! A recurring donation is ideal, but we appreciate any support you can give and every donation gets us a bit closer! DONATE NOW ## Spreading the word Guix is a global community of people, we've had donations from so many places. Where ever you are, it's amazing to think of so many people enjoying, supporting and contributing to Guix. As we're distributed all over the globe we don't have that many ways to keep people informed about the project. I'm sure there are many Guix users who don't know the project needs support. You can help spread the word that Guix is running a fundraiser by talking about it and using this badge. Put it on your social media, your web site or your Git forge account! Thanks to Luis Felipe for creating it. ## What's next The next few weeks will tell us how many people are able to donate to Guix and the annual budget the project has so that it's sustainable.Then we'll be able plan where we can sustain Guix and where we can do new things to strengthen the project. My goal is for the next blog post is to provide an update on both our fundraising campaign and how we're using the donations that we've received.

Today we're launching a fundraising campaign to **sustain and strengthen** GNU Guix. Guix is completely independent from any company or institution, we rely on the support of our community to fund the project. If you can, **please help sustain Guix by making a donation**. DONATE NOW ## Why we need your support Like many Free Software projects we need financial support because running a project is expensive. We incur costs for development infrastructure, facilitating developer collaboration and supporting the community around the project. As a package manager and GNU/Linux distribution Guix has some unique needs. As the distribution grows and becomes more popular our costs also grow. Each package that's added to the distribution increases the number of builds. And, as more people use Guix the cost of delivering those packages also grows. ## Sustain Guix To be sustainable we need to match our expenses with our incoming donations. This gives the project certainty that there won't be a sudden funding shortfall. Currently, shortfalls happen. Even recently individual volunteers have had to step in and fund services from their own pockets. That's risky and unsustainable, so we're aiming for stable financial foundations. To achieve that goal we need €15,000 (roughly $17,500) of donations a year. This would pay for the current infrastructure and project expenses. To be sustainable **recurring donations** are critical because they provide a regular stream of income that can pay for the ongoing shared resources that we all use. For example, to have a better build farm we'd need more hosting and bandwidth which is a recurring cost. So is the goal achievable? Well, it's definitely a big goal. But, it's only €1,250 a month - so if **125 people contribute €10 a month** that would get us to the target and make all the difference! ## Strengthen Guix We would love to do more, and if there's support from the community then we will. There's lots more we could do! If there's more funding then we'll be able **strengthen Guix** by expanding the infrastructure, investing more to support the project and promote Guix. With more support we'd be able to do things like: * Improve the overall resilience of our infrastructure so that services are more reliable. * Do more to increase the substitute infrastructure's bandwith and distribution. * Tell more people about Guix by attending events, organising user sprints and conferences. ## Donate Now to Sustain Guix Now's the time where we ask for your help. Please donate to sustain and strengthen Guix. You can donate through either the FSF or the Guix Foundation using a variety of payment methods. If you haven't heard of the Guix Foundation it's an EU-based non-profit that's dedicated to supporting the development and promotion of GNU Guix. It's a members-driven association, so by becoming a member you'll be supporting Guix and will have a voice in it's activities. Every donations helps, **Recurring donations** are ideal, but we appreciate any support you can give. Every donation gets us a step closer to being sustainable. DONATE NOW Thank you for your support!

Join the FSF and friends on Friday, October 3 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Join the FSF and friends on Friday, September 26 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Join the FSF and friends on Friday, October 3 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

BOSTON, Massachusetts, USA (Friday, September 19, 2025) -- The Free Software Foundation (FSF) announced a job opportunity for a motivated and talented program manager.

# libgnunetchat 0.6.0 released We are pleased to announce the release of libgnunetchat 0.6.0. This is a minor new release bringing compatibility with the major changes in latest GNUnet release 0.25.0. A few API updates and fixes are included. Additionally the messaging client applications using libgnunetchat got updated to stay compatible. This release will also require the GNUnet services from version 0.25.0 or later because of that. #### Download links * libgnunetchat-0.6.0.tar.gz * libgnunetchat-0.6.0.tar.gz.sig The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A Note that due to mirror synchronization, not all links may be functional early after the release. For direct access try http://ftp.gnu.org/gnu/gnunet/ #### Noteworthy changes in 0.6.0 * Fixes issues regarding group creation, leaving chats and invitations * Improving latency by reducing message graph complexity caused by automated event handling A detailed list of changes can be found in the ChangeLog . ## Messenger-GTK 0.11.0 This minor release will add private chats to write notes to yourself and minor changes in the user interface. But mostly the release is intended to reflect changes in libgnunetchat 0.6.0. #### Download links * messenger-gtk-0.11.0.tar.gz * messenger-gtk-0.11.0.tar.gz.sig Keep in mind the application is still in development. So there may still be major bugs keeping you from getting a reliable connection. But if you encounter such issue, feel free to consult our bug tracker at bugs.gnunet.org . A detailed list of changes can be found in the ChangeLog . ## messenger-cli 0.4.0 This release will add changes to be compatible with libgnunetchat 0.6.0 and it will add some text prompts in dialogs to improve overall usability. * messenger-cli-0.4.0.tar.gz * messenger-cli-0.4.0.tar.gz.sig A detailed list of changes can be found in the ChangeLog .

o Fix potential sensor reading miscalculation on systems where a char is defined as unsigned (such as ARM) vs signed (such as x86). o Fix gcc15 compilation errors. https://ftp.gnu.o ... pmi-1.6.16.tar.gz

A security issue has been identified in `guix-daemon`, which allows for a local user to gain the privileges of any of the build users and subsequently use this to manipulate the output of any build. In the case of the rootless daemon, this also means gaining the privileges of `guix-daemon`. All systems are affected, whether or not `guix-daemon` is running with root privileges. You are strongly advised to **upgrade your daemon** now (see instructions below). The only requirements to exploit this are the ability to create and build an arbitrary derivation that has `builtin:download` as its builder, and to execute a setuid program on the system in question. As such, this represents an increased risk primarily to multi-user systems, but also more generally to any system in which untrusted code may be able to access guix-daemon's socket, which is usually located at `/var/guix/daemon-socket/socket`. # Vulnerability `guix-daemon` currently supports two so-called _built-in builders_ for derivations: `builtin:download` and `builtin:git-download`. Their primary utility is currently to circumvent bootstrapping challenges in code-downloading derivations (that is, "how does one get the programs that are used to download programs?") by using "host-side" programs for this purpose. In particular, `download` and `git-download` are currently implemented in the `(guix scripts perform-download)` module, which can be run as a standalone program using `guix perform-download`. At the time that perform-download was written, it was believed to be sufficient for security purposes to ensure that it was run by a build user, and so one of the user-supplied values (the file named by the derivation's `content-addressed-mirrors` environment variable) was read and evaluated as arbitrary Guile code. This suffices to protect a regular user from an untrusted derivation they may be building, since all processes owned by the build user will be killed at the end of the build, before any other build can be run that uses the same build user. It does not suffice, however, to protect the daemon's build users – and by extension the integrity of the daemon's builds – from a regular user. In particular, a `content-addressed-mirrors` file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it even after the build has ended. This is similar in impact to CVE-2025-46416, though using a somewhat different mechanism. # Mitigation This security issue has been fixed by 3 commits (`2a33354`, `f607aaa`, and `9202921`) as part of pull request #2419. Users should make sure they have upgraded to commit `1618ca7` or any later commit to be protected from this vulnerability. Upgrade instructions are in the following section. The fix was accomplished by changing `(guix scripts perform-download)` to evaluate the `content-addressed-mirrors` file in a Guile isolated environment, as well as verifying that this file and the others that `perform-download` reads is neither outside of the store nor a symbolic link to a file outside of the store, so that this cannot be used to cause arbitrary files (such as `/proc/PID/fd/N`) to be read. Measures were also taken to ensure that calls to `read` never cause code to be evaluated. A test for the presence of this vulnerability is available at the end of this post. One can run this code with: guix repl -- content-addressed-mirrors-vuln-check.scm This will output whether the current `guix-daemon` being used is vulnerable or not. If it is _not_ vulnerable, the last line will contain `guix-daemon is not vulnerable` and `guix repl` will exit with status code 0, otherwise the last line will contain `guix-daemon is VULNERABLE` and `guix repl` will exit with status code 1. # Upgrading Due to the severity of this security advisory, **we strongly recommend all users to upgrade`guix-daemon` immediately**. **For Guix System** , the procedure is to reconfigure the system after a `guix pull`, either restarting `guix-daemon` or rebooting. For example: guix pull sudo guix system reconfigure /run/current-system/configuration.scm sudo herd restart guix-daemon where `/run/current-system/configuration.scm` is the current system configuration but could, of course, be replaced by a system configuration file of a user's choice. **For Guix on another distribution** , one needs to `guix pull` with `sudo`, as the `guix-daemon` runs as root, and restart the `guix-daemon` service, as documented. For example, on a system using systemd to manage services, run: sudo --login guix pull sudo systemctl restart guix-daemon.service Note that for users with their distro's package of Guix (as opposed to having used the install script) you may need to take other steps or upgrade the Guix package as per other packages on your distro. Please consult the relevant documentation from your distro or contact the package maintainer for additional information or questions. # Conclusion ## Test for presence of vulnerability Below is code to check if your `guix-daemon` is vulnerable to this exploit. Save this file as `content-addressed-mirrors-vuln-check.scm` and run following the instructions above, in "Mitigation." (use-modules (guix monads) (guix derivations) (guix gexp) (guix store) (guix utils) (guix packages) (srfi srfi-34)) (define %test-filename "/tmp/content-addressed-mirrors-vulnerable") (define %test-content-addressed-mirrors `(begin (mkdir ,%test-filename) (exit 33))) (define %test-content-addressed-mirrors-file (plain-file "content-addressed-mirrors" (object->string %test-content-addressed-mirrors))) (define (test-content-addressed-mirrors content-addressed-mirrors) (mlet %store-monad ((content-addressed-mirrors (lower-object content-addressed-mirrors))) (raw-derivation "content-addressed-mirrors-vuln-check" "builtin:download" '() #:hash (base32 "dddddddddddddddddddddddddddddddddddddddddddddddddddd") #:hash-algo 'sha256 #:sources (list content-addressed-mirrors) #:env-vars `(("url" . "/doesnotexist") ("content-addressed-mirrors" . ,content-addressed-mirrors)) #:local-build? #t))) (with-store store (let ((drv (run-with-store store (test-content-addressed-mirrors %test-content-addressed-mirrors-file)))) (guard (c ((and (store-protocol-error? c) (string-contains (store-protocol-error-message c) "failed")) (cond ((file-exists? %test-filename) (format #t "content-addressed-mirrors can evaluate arbitrary code, guix-daemon is VULNERABLE~%") (exit 1)) (else (format #t "content-addressed-mirrors can't create files, guix-daemon is not vulnerable~%") (exit 0))))) (build-derivations store (list drv)))))

From Arch: Starting with `7.4.1-2`, the following Zabbix system user accounts (previously shipped by their related packages) will no longer be used. Instead, all Zabbix components will now rely on a shared `zabbix` user account (as originally intended by upstream and done by other distributions): * zabbix-server * zabbix-proxy * zabbix-agent _(also used by the`zabbix-agent2` package)_ * zabbix-web-service This shared `zabbix` user account is provided by the newly introduced `zabbix-common` _split_ package, which is now a dependency for all relevant `zabbix-*` packages. The switch to the new user account is handled automatically for the corresponding main configuration files and `systemd` service units. However, **manual intervention may be required** if you created custom files or configurations referencing to and / or being owned by the above deprecated users accounts, for example: * `PSK` files used for encrypted communication * Custom scripts for metrics collections or report generations * `sudoers` rules for metrics requiring elevated privileges to be collected * ... Those should therefore be updated to refer to and / or be owned by the new `zabbix` user account, otherwise some services or user parameters may fail to work properly, or not at all. Once migrated, you may [remove the obsolete user accounts from your system].

From Arch: Starting with `7.4.1-2`, the following Zabbix system user accounts (previously shipped by their related packages) will no longer be used. Instead, all Zabbix components will now rely on a shared `zabbix` user account (as originally intended by upstream and done by other distributions): * zabbix-server * zabbix-proxy * zabbix-agent _(also used by the`zabbix-agent2` package)_ * zabbix-web-service This shared `zabbix` user account is provided by the newly introduced `zabbix-common` _split_ package, which is now a dependency for all relevant `zabbix-*` packages. The switch to the new user account is handled automatically for the corresponding main configuration files and `systemd` service units. However, **manual intervention may be required** if you created custom files or configurations referencing to and / or being owned by the above deprecated users accounts, for example: * `PSK` files used for encrypted communication * Custom scripts for metrics collections or report generations * `sudoers` rules for metrics requiring elevated privileges to be collected * ... Those should therefore be updated to refer to and / or be owned by the new `zabbix` user account, otherwise some services or user parameters may fail to work properly, or not at all. Once migrated, you may [remove the obsolete user accounts from your system].

Dear all Luis Falcón, author of GNU Health and president of GNU Solidario, will be a keynote speaker at the 4th One-Health conference, that will take place in Rome, Italy September 30 – October 2, 2025. Those of you who know the mission of GNU Solidario will understand the relevance of this congress in our society, our planet and humanity. Among other things, Luis will talk about the importance of GNU Health, the Global Exposome project and Open Science to achieve social justice, and why is crucial to immediately move away from the ruthless anthropocentrism and start respecting other species and nature is the morally right thing to do, but the only key if we want to survive as a species. Looking forward to meeting you in Rome! More information: https://onehealthconference.it/

GNU mailutils version 3.20 is available for download. New in this version: ### Movemail synchronization mode Setting synchronization mode allows the user to keep messages in remote source mailbox, while downloading only recently received messages. The mode is defined via the **--sync** command line option or **sync** configuration statement. Allowed values are **uidnext** , **uidl** , and **all**. When set to **uidnext** , **movemail** uses the combination of uidvalidity/uidnext values. This is useful mainly if the source mailbox is accessed via IMAP4 protocol. When using this method, **movemail** stores session metadata in files in the directory **~/.movemail.sync**. The directory location can be changed using the **--sync-dir** option or **sync-dir** configuration statement. The **uidl** setting instructs the program to use UIDL values. This is useful if the source mailbox is accessed via the POP3 protocol. Finally, the value **all** tells it to download all messages. This is the default behavior when no **--sync** option is given. ### Other changes in movemail * The **--reverse** option removed. It made little sense and was never used. * The **--max-messages** option sets the maximum number of latest messages to process. ### New Sieve test: uidnew This test keeps track of the processed messages. It evaluates to true if the current message was not processed before. The test is implemented as an external module. To require it, use > require "test-uidnew"; > Sample use: > if uidnew > { > fileinto "store"; keep; > } > For each processed mailbox, the test keeps its state in a GDBM file **~/.uidnew.db**. The **:db** tagged argument can be used to alter this location. ### Bugfix in imap4d UID SEARCH command The UID SEARCH command incorrectly treated message range argument as UIDs instead of as message sequence numbers.

Join the FSF and friends on Friday, July 11 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Join the FSF and friends on Friday, June 27 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Two security issues, known as **CVE-2025-46415** and **CVE-2025-46416**, have been identified in `guix-daemon`, which allow for a local user to gain the privileges of any of the build users and subsequently use this to manipulate the output of any build, as well as to subsequently gain the privileges of the daemon user. You are strongly advised to **upgrade your daemon now** (see instructions below), especially on multi-user systems. Both exploits require the ability to start a derivation build. CVE-2025-46415 requires the ability to create files in `/tmp` in the root mount namespace on the machine the build occurs on, and CVE-2025-46416 requires the ability to run arbitrary code in the root PID and network namespaces on the machine the build occurs on. As such, this represents an increased risk primarily to multi-user systems, but also more generally to any system in which untrusted code may be able to access guix-daemon's socket, which is usually located at `/var/guix/daemon-socket/socket`. # Vulnerability One of the longstanding oversights of Guix's build environment isolation is what has become known as the _abstract Unix-domain socket hole_ : a Linux-specific feature that enables any two processes in the same network namespace to communicate _via_ Unix-domain sockets, _regardless of all other namespace state_. Unix-domain sockets are perhaps the single most powerful form of interprocess communication (IPC) that Unix-like systems have to offer, for the reason that they allow file descriptors to be passed between processes. This behavior had played a crucial role in CVE-2024-27297, in which it was possible to smuggle a writable file descriptor to one of the output files of a fixed-output derivation to a process outside of the build environment sandbox. More specifically, this would use a fixed-output derivation that doesn't use a builtin builder; examples of this class of derivation include derivations produced by origins using `svn-fetch` and `hg-fetch`, but not `git-fetch` or `url-fetch`, since those are implemented using builtin builders. The process could then wait for the daemon to validate the hash and register the output, and subsequently modify the file to contain any contents it desired. The fix for CVE-2024-27297 seems to have made the assumption that once the build was finished, no more processes could be running as that build user. This is unfortunately incorrect: the builder could also smuggle out the file descriptor of a setuid program, which could subsequently be executed either using `/proc/self/fd/N` or `execveat` to gain the privileges of the build user. This assumption was likely believed to hold in Nix because Nix had a seccomp filter that attempted to forbid the creation of setuid programs entirely by blocking the necessary `chmod` calls. The security researchers who discovered CVE-2025-46415 and CVE-2025-46416 discovered ways around Nix's seccomp filter, but Guix never had any such filter to begin with. It was therefore possible to run arbitrary code as the build user outside of the isolated build environment at any time. Because it is possible to run arbitrary code as the build user even after the build has finished, many assumptions made in the design of the build daemon — not only in fixing CVE-2024-27297 but going way back — can be violated and exploited. One such assumption is that directories being deleted by `deletePath` — for instance the build tree of a build that has just failed — won't be modified while it is recursing through them. By violating this assumption, it is possible to exploit race conditions in `deletePath` to get the daemon to delete arbitrary files. One such file is a build directory of the form `/tmp/guix-build-PACKAGE-X.Y.drv-0`. If this is done between when the build directory is created and when it is `chown`ed to the build user, an attacker can put a symbolic link in the appropriate place and get it to `chown` any file owned by the daemon's user to now be owned by the build user. In the case of a daemon running as root, that includes files such as `/etc/passwd`. The build users, as mentioned before, are easily compromised, so an attacker can at this point write to the target file. When `guix-daemon` is _not_ running as root, the attacker would gain privileges of the `guix-daemon` user, giving write access to the store and nothing else. In short, there are two separate problems here: 1. It is possible to take over build users by exfiltrating setuid programs (CVE-2025-46416). 2. Race conditions in the daemon make it possible to elevate privileges when other processes can concurrently modify files it operates on (CVE-2025-46415). # Mitigation This security issue has been fixed by 6 commits (7173c2c0ca, be8aca0651, fb42611b8f, c659f977bb, 0e79d5b655, and 30a5d140aa as part of pull request #788). Users should make sure they have upgraded to commit 30a5d140aa or any later commit to be protected from this vulnerability. Upgrade instructions are in the following section. The fix was accomplished primarily by closing the "abstract Unix-domain socket hole" entirely. To do this, the daemon was modified so that all builds — even fixed-output ones – occur in a fresh network namespace. To keep networking functional despite the separate network namespace, a userspace networking stack, slirp4netns, is used. Additionally, some of the daemon's file deletion and copying helper procedures were modified to use the `openat` family of system calls, so that even in cases where build users can be taken over (for example, when the daemon is run with `--disable-chroot`), those particular helper procedures can't be exploited to escalate privileges. A test for the presence of the abstract Unix-domain socket hole is available at the end of this post. One can run this code with: guix repl -- abstract-socket-vuln-check.scm This will output whether the current `guix-daemon` being used is vulnerable or not. If it is _not_ vulnerable, the last line will contain `Abstract unix socket hole is CLOSED`, otherwise the last line will contain `Abstract unix socket hole is OPEN, guix-daemon is VULNERABLE`. Note that this will properly report that the hole is still open for daemons running with `--disable-chroot`, which is, as before, still insecure wherever untrusted users can access the daemon's socket. # Upgrading Due to the severity of this security advisory, **we strongly recommend all users to upgrade`guix-daemon` immediately**. **For Guix System** , the procedure is to reconfigure the system after a `guix pull`, either restarting `guix-daemon` or rebooting. For example: guix pull sudo guix system reconfigure /run/current-system/configuration.scm sudo herd restart guix-daemon where `/run/current-system/configuration.scm` is the current system configuration but could, of course, be replaced by a system configuration file of a user's choice. **For Guix on another distribution** , one needs to `guix pull` with `sudo`, as the `guix-daemon` runs as root, and restart the `guix-daemon` service, as documented. For example, on a system using systemd to manage services, run: sudo --login guix pull sudo systemctl restart guix-daemon.service Note that for users with their distro's package of Guix (as opposed to having used the install script) you may need to take other steps or upgrade the Guix package as per other packages on your distro. Please consult the relevant documentation from your distro or contact the package maintainer for additional information or questions. # Timeline On March 27th, the NixOS/Nixpkgs security team forwarded a detailed report about two vulnerabilities from Snyk Security Labs to the Guix security team and to Ludovic Courtès and Reepca Russelstein (as contributors to `guix-daemon`). A 90-day disclosure timeline was agreed upon with Snyk and all the affected projects: Nix, Lix, and Guix. During that time, development of the fixes in Guix was led by Reepca Russelstein with peer review happening on the private `guix-security` mailing list. Coordination with the other projects and for this security advisory was managed by the Guix security team. A pre-disclosure announcement was sent by the NixOS/Nixpkgs and the Guix security teams on June 19th–20th, giving June 24th as the full public disclosure date. Some other CVEs that were included in the report were CVE-2025-52991, CVE-2025-52992, and CVE-2025-52993. These don't represent direct vulnerabilities so much as missed opportunities to mitigate the attack the researchers identified — that is, it has to be possible to do things like exfiltrate file descriptors (for CVE-2025-52992) and trick the daemon into deleting arbitrary files (for CVE-2025-52991 and CVE-2025-52993) before these start mattering. # Conclusion More information concerning the fix for this vulnerability and the design choices made for it will be provided in a follow-up blog post. We thank the Security Labs team at Snyk for discovering similar-but-not-quite-the-same vulnerabilities in Nix, and the NixOS/Nixpkgs security team for sharing this information with the Guix security team, which led us to realize our own related vulnerabilities. ## Test for presence of vulnerability Below is code to check if your `guix-daemon` is vulnerable to this exploit. Save this file as `abstract-socket-vuln-check.scm` and run following the instructions above, in "Mitigation." ;; Checking for CVE-2025-46415 and CVE-2025-46416. (use-modules (guix) (gcrypt hash) ((rnrs bytevectors) #:select (string->utf8)) (ice-9 match) (ice-9 threads) (srfi srfi-34)) (define nonce (string-append "-" (number->string (car (gettimeofday)) 16) "-" (number->string (getpid)))) (define socket-name (string-append "\0" nonce)) (define test-message nonce) (define check (computed-file "check-abstract-socket-hole" #~(begin (use-modules (ice-9 textual-ports)) (let ((sock (socket AF_UNIX SOCK_STREAM 0))) ;; Attempt to connect to the abstract Unix-domain socket outside. (connect sock AF_UNIX #$socket-name) ;; If we reach this line, then we successfully managed to connect to ;; the abstract Unix-domain socket. (call-with-output-file #$output (lambda (port) (display (get-string-all sock) port))))) #:options `(#:hash-algo sha256 #:hash ,(sha256 (string->utf8 test-message)) #:local-build? #t))) (define build-result ;; Listen on the abstract Unix-domain socket at SOCKET-NAME and build ;; CHECK. If CHECK succeeds, then it managed to connect to SOCKET-NAME. (let ((sock (socket AF_UNIX SOCK_STREAM 0))) (bind sock AF_UNIX socket-name) (listen sock 1) (call-with-new-thread (lambda () (match (accept sock) ((connection . peer) (format #t "accepted connection on abstract Unix-domain socket~%") (display test-message connection) (close-port connection))))) (with-store store (let ((drv (run-with-store store (lower-object check)))) (guard (c ((store-protocol-error? c) c)) (build-derivations store (list drv)) #t))))) (if (store-protocol-error? build-result) (format (current-error-port) "Abstract Unix-domain socket hole is CLOSED, build failed with ~S.~%" (store-protocol-error-message build-result)) (format (current-error-port) "Abstract Unix-domain socket hole is OPEN, guix-daemon is VULNERABLE!~%"))

# GNUnet 0.24.3 This is a bugfix release for gnunet 0.24.2. It fixes some regressions and minor bugs. #### Links * Source: https://ftpmirror.gnu.org/gnunet/gnunet-0.24.3.tar.gz ( https://ftpmirror.gnu.org/gnunet/gnunet-0.24.3.tar.gz.sig ) * Detailed list of changes: https://git.gnunet.org/gnunet.git/log/?h=v0.24.3 * NEWS: https://git.gnunet.org/gnunet.git/tree/NEWS?h=v0.24.3 The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A Note that due to mirror synchronization, not all links may be functional early after the release. For direct access try https://ftp.gnu.org/gnu/gnunet/

GNU Parallel 20250622 ('Павутина') has been released. It is available for download at: lbry://@GnuParallel:4 Quote of the month: GNU Parallel is a seriously underrated tool, at least based on how little I hear people talk about it (and how often I possibly over-use it) -- Byron Alley @byronalley New in this release: * No new features. * Bug fixes and man page updates. News about GNU Parallel: * Maîtriser la commande parallel https://blog.stephane-robert.info/docs/admin-serveurs/linux/parallel/ GNU Parallel - For people who live life in the parallel lane. If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it. ## About GNU Parallel GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel. If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops. GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs. For example you can run this to convert all jpeg files into png and gif files and have a progress bar: parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs: find . -name '*.jpg' | parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200 You can find more about GNU Parallel at: http://www.gnu.org/s/parallel/ You can install GNU Parallel in just 10 seconds with: $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \ fetch -o - http://pi.dk/3 ) > install.sh $ sha1sum install.sh | grep c555f616391c6f7c28bf938044f4ec50 12345678 c555f616 391c6f7c 28bf9380 44f4ec50 $ md5sum install.sh | grep 707275363428aa9e9a136b9a7296dfe4 70727536 3428aa9e 9a136b9a 7296dfe4 $ sha512sum install.sh | grep b24bfe249695e0236f6bc7de85828fe1f08f4259 83320d89 f56698ec 77454856 895edc3e aa16feab 2757966e 5092ef2d 661b8b45 b24bfe24 9695e023 6f6bc7de 85828fe1 f08f4259 6ce5480a 5e1571b2 8b722f21 $ bash install.sh Watch the intro video on http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1 Walk through the tutorial (man parallel_tutorial). Your command line will love you for it. When using programs that use GNU Parallel to process data for publication please cite: O. Tange (2018): GNU Parallel 2018, March 2018, https://doi.org/10.5281/zenodo.1146014. If you like GNU Parallel: * Give a demo at your local user group/team/colleagues * Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists * Get the merchandise https://gnuparallel.threadless.com/designs/gnu-parallel * Request or write a review for your favourite blog or magazine * Request or build a package for your favourite distribution (if it is not already there) * Invite me for your next conference If you use programs that use GNU Parallel for research: * Please cite GNU Parallel in you publications (use --citation) If GNU Parallel saves you money: * (Have your company) donate to FSF https://my.fsf.org/donate/ ## About GNU SQL GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries. The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell. When using GNU SQL for a publication please cite: O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32. ## About GNU Niceload GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.

The Free Software Foundation's (FSF) summer fundraiser is underway, and that means the GNU Press Shop is open!

Arrive bientôt.

Proximamente.

Join the FSF and friends on Friday, June 20 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

This free software licensing 101 talk is intended to cover as many details as possible involving the subject of free software licensing. The talk is broad in scope and is geared toward the beginner and intermediate audience.