
9.5 Security Considerations

On an HPC cluster, Guix is typically used to manage scientific software. Security-critical software such as the operating system kernel and system services such as sshd and the batch scheduler remain under control of sysadmins.

The Guix project has a good track record delivering security updates in a timely fashion (see Security Updates in GNU Guix Reference Manual). To get security updates, users have to run guix pull && guix upgrade.

Because Guix uniquely identifies software variants, it is easy to see whether a vulnerable piece of software is in use. For instance, to find out whether the glibc 2.25 variant that lacks the mitigation patch against “Stack Clash” is still in use, one can ask whether any user profile refers to it at all:

guix gc --referrers /gnu/store/…-glibc-2.25

This will report whether profiles exist that refer to this specific glibc variant.
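As an added example (not part of the Guix manual), the following shell functions wrap that check so a sysadmin can tell profile referrers from packages built against the item and map a profile back to the users whose generation links point at it. They assume that profiles are store items named /gnu/store/<hash>-profile and that per-user generations live under /var/guix/profiles/per-user/<user>/; GUIX and PROFILES_DIR are overridable so the logic can be run offline.

```shell
#!/bin/sh
# Added example; not the Guix project's own code.  Wraps `guix gc --referrers`
# to answer "who still uses this store item?" for a sysadmin.
# Assumptions: profiles are store items named /gnu/store/<hash>-profile, and
# per-user generations live under /var/guix/profiles/per-user/<user>/.
# GUIX and PROFILES_DIR are overridable so the logic can be exercised offline.
GUIX="${GUIX:-guix}"
PROFILES_DIR="${PROFILES_DIR:-/var/guix/profiles/per-user}"

# Direct referrers of STORE_PATH, one per line: exactly what
# `guix gc --referrers STORE_PATH` prints (nothing transitive).
referrers_of() {
    $GUIX gc --referrers "$1"
}

# Print each referrer of STORE_PATH tagged PROFILE or PACKAGE.  A PACKAGE
# referrer was built against the item; a PROFILE referrer installs it directly.
report_referrers() {
    for ref in $(referrers_of "$1"); do
        case "$ref" in
            *-profile) echo "PROFILE  $ref" ;;
            *)         echo "PACKAGE  $ref" ;;
        esac
    done
}

# Print the number of profile referrers of STORE_PATH (0 means no profile
# installs it directly; packages built against it may still be in profiles).
count_profile_referrers() {
    n=0
    for ref in $(referrers_of "$1"); do
        case "$ref" in *-profile) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Map a profile store path to the users whose generation links point at it,
# printing "USER LINK" per match.
profile_users() {
    for link in "$PROFILES_DIR"/*/guix-profile-*-link; do
        [ -L "$link" ] || continue
        if [ "$(readlink "$link")" = "$1" ]; then
            echo "$(basename "$(dirname "$link")") $link"
        fi
    done
}
```

Run `report_referrers /gnu/store/…-glibc-2.25` on a real store, then `profile_users` on each PROFILE line to see which accounts still carry the vulnerable variant.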