Removing Guix from Debian
8 days ago
- #Debian
- #Guix
- #Package Management
- Debian plans to remove the Guix package manager from its repositories for Debian 12 (bookworm) and 13 (trixie) due to security vulnerabilities and maintenance challenges.
- Guix offers functional package management with features like transactional upgrades and rollbacks, but its rolling-release model complicates backporting security fixes for distributions like Debian.
- Security vulnerabilities (CVE-2025-46415 and CVE-2025-46416) in guix-daemon were disclosed, affecting Guix, Nix, and Lix, but Guix did not release a new version, complicating fixes for Debian.
- Debian package maintainers faced difficulties backporting security fixes due to intertwined changes in Guix's development, leading to the decision to remove the package.
- The Guix project has adopted a yearly release schedule, but this does not address the need for stable branches for distributions like Debian.
- Removing Guix from Debian will affect a small number of users (around 230 systems according to popcon), but users can still install Guix directly from the project's binaries.