Issue #5

This Week in Guix: 3 July 2026

This issue covers Guix development, package updates, and community discussion from 2026-06-26 through 2026-07-03.

Top Stories

Guix Substitute And Pull Vulnerabilities Disclosed And Fixed

GNU Guix published “‘guix substitute’ and ‘guix pull’ Vulnerabilities”, disclosing several critical vulnerabilities in the Guix daemon along with a vulnerability affecting guix pull and guix time-machine, and recommending that all users upgrade. The pull request “Fix vulnerabilities in guix substitute and guix pull” describes four issues, three affecting guix substitute and one affecting guix pull and guix time-machine, with full details in a security advisory opened for guix-artwork. The advisory was announced on Mastodon by @guix and @civodul, and discussed on r/GUIX.

Security Fixes Merged Into Guix

The fixes landed on the main branch, including “substitutes: Ignore narinfos that don’t match the request”, “scripts: substitute: restrict where "file://" URIs can be used”, “guix: serialization: validate directory entry names in fold-archive”, and “channels: Do not compute cache key from channel name”. A news entry was added and guix was updated to 2ef8ed9. Related security grafts landed for ffmpeg 8.1.2, ffmpeg-6 6.1.6, and ffmpeg-4 4.4.8, and librewolf was updated to 152.0.4-1.

Development

Deblobbed Debian Kernel Package Proposed

The pull request “gnu: Add linux-debian” adds a deblobbed build of the upstream Linux kernel following the Debian Free Software Guidelines, with the submitter reporting a successful boot in a QEMU VM.

Electronics Packages Move To Engineering Module

The issue “Cleanup electronics.scm” proposed relocating the csxcad suite and openems solvers out of electronics.scm, followed by the pull request “Move csxcad and openems packages to engineering module”.

Python Team Prepares Branch For Merge

The issue “[python-team]: Branch readiness for the merge” tracks tier and release manifest checks ahead of merging the python-team branch. Separately, a build-system-based manifest generator was added to profiles.

Packages

Astronomy, Emacs, And Desktop Packages Updated

Astronomy packages saw broad updates including python-astropy 8.0.0, python-sunpy 7.1.2, and indi 2.2.3.1, alongside new additions such as python-plasmapy and python-astroquery. Other updates included emacs-magit 4.6.0, emacs-exwm 0.35, endless-sky 0.11.2, scummvm 2026.3.0, buildah 1.44.0, podman 5.8.4, transmission 4.1.3, and gerbv 2.13.0. On the Nonguix side, firefox was updated to 152.0.3, element-desktop to 1.12.22, and linux-firmware to 20260622. Removals included recutils, jimtcl, and emacs-chess.

Community

Interoperating Nix Packages With Guix

“GuixPkgs: every Guix package, as a Nix flake” points to Farid Zakaria's blog post on importing the entire Guix package set into Nix. Going the other direction, a post introduced a with-nix-profile macro for collecting Nix packages from Guix System and Guix Home declarations, with a companion write-up shared on r/GUIX.

Community Posts Covered Daily Driving, Onboarding, And A Hardened Config

r/GUIX discussion included “What's it like daily driving Guix and learning guile scheme?”, “Daily Driving Guix”, “Should I jump straight into Guix as a linux beginner?”, and a hardened Guix build with a custom kernel. On Mastodon, Ludovic Courtès noted presenting Guix community work at a summer school, a Guix repository was created on Radicle, and a post argued for migrating off PyPI for Guix, referencing issue 6992.

Reader Submissions

No reader submissions were included this week.