How to report security issues

To report sensitive security issues in Guix itself or the packages it provides, you can write to the private mailing list This list is monitored by a small team of Guix developers.

If you prefer to send your report using OpenPGP encrypted email, please send it to one of the following Guix developers using their respective OpenPGP key:

Release signatures

Releases of Guix are signed using one of the following OpenPGP keys:

Users should verify their downloads before extracting or running them.

Security updates

When security vulnerabilities are found in Guix or the packages provided by Guix, we will provide security updates quickly and with minimal disruption for users. When appropriate, a security advisory is published on the blog with the Security Advisory tag and on the info-guix mailing list; guix pull --news may also display the advisory.

Guix uses a “rolling release” model. All security bug-fixes are pushed directly to the master branch. There is no “stable” branch that only receives security fixes.