Issue #5
This Week in Guix: 3 July 2026
This issue covers Guix development, package updates, and community discussion from 2026-06-26 through 2026-07-03.
Top Stories
Guix Substitute And Pull Vulnerabilities Disclosed And Fixed
GNU Guix published ‘guix substitute’ and ‘guix pull’ Vulnerabilities, disclosing several critical vulnerabilities in the Guix daemon along with a vulnerability affecting guix pull and guix time-machine, and recommending that all users upgrade. The pull request Fix vulnerabilities in guix substitute and guix pull describes four issues, three affecting guix substitute and one affecting guix pull and guix time-machine, with full details in a security advisory opened for guix-artwork. The advisory was announced on Mastodon by @guix and @civodul, and discussed on r/GUIX.
Security Fixes Merged Into Guix
The fixes landed on the main branch, including these commits: substitutes: Ignore narinfos that don’t match the request; scripts: substitute: restrict where "file://" URIs can be used; guix: serialization: validate directory entry names in fold-archive; and channels: Do not compute cache key from channel name. A news entry was added and guix was updated to 2ef8ed9. Related security grafts landed for ffmpeg 8.1.2, ffmpeg-6 6.1.6, and ffmpeg-4 4.4.8, and librewolf was updated to 152.0.4-1.
Development
Deblobbed Debian Kernel Package Proposed
The pull request gnu: Add linux-debian adds a deblobbed build of the upstream Linux kernel following the Debian Free Software Guidelines, with the submitter reporting a successful boot in a QEMU VM.
Electronics Packages Move To Engineering Module
The issue Cleanup electronics.scm proposed relocating the csxcad suite and openems solvers out of electronics.scm, followed by the pull request Move csxcad and openems packages to engineering module.
Python Team Prepares Branch For Merge
The issue [python-team]: Branch readiness for the merge tracks tier and release manifest checks ahead of merging the python-team branch. Separately, a build-system-based manifest generator was added to profiles.
Packages
Astronomy, Emacs, And Desktop Packages Updated
Astronomy packages saw broad updates including python-astropy 8.0.0, python-sunpy 7.1.2, and indi 2.2.3.1, alongside new additions such as python-plasmapy and python-astroquery. Other updates included emacs-magit 4.6.0, emacs-exwm 0.35, endless-sky 0.11.2, scummvm 2026.3.0, buildah 1.44.0, podman 5.8.4, transmission 4.1.3, and gerbv 2.13.0. On the Nonguix side, firefox was updated to 152.0.3, element-desktop to 1.12.22, and linux-firmware to 20260622. Removals included recutils, jimtcl, and emacs-chess.
Community
Interoperating Nix Packages With Guix
GuixPkgs: every Guix package, as a Nix flake points to Farid Zakaria's blog post on importing the entire Guix package set into Nix. Going the other direction, a post introduced a with-nix-profile macro for collecting Nix packages from Guix System and Guix Home declarations, with a companion write-up shared on r/GUIX.
Preview Added a with-nix-profile macro. It can be used in package declaration of Guix System and Guix Home, transforming nix-shell-wrapper into packages and collecting Nix packages from them. With the collected Nix packages, an additional build-nix-profile command is provided to build and link the resulted profile to the specified path, also registering GC root. What's left is to write services to execute this build-nix-pro…
Community Posts Covered Daily Driving, Onboarding, And A Hardened Config
r/GUIX discussion included these posts: What's it like daily driving Guix and learning guile scheme?; Daily Driving Guix; Should I jump straight into Guix as a linux beginner?; and a hardened Guix build with a custom kernel. On Mastodon, Ludovic Courtès noted presenting Guix community work at a summer school, a Guix repository was created on Radicle, and a post argued for migrating off PyPI for Guix, referencing issue 6992.
Reader Submissions
No reader submissions were included this week.