How to report security issues
To report sensitive security issues in Guix itself or the packages it provides, you can write to the private mailing list firstname.lastname@example.org. This list is monitored by a small team of Guix developers.
Releases of Guix and GuixSD are signed using the OpenPGP key with the fingerprint 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5. Users should verify their downloads before extracting or running them.
When security vulnerabilities are found in Guix or the packages provided by Guix, we will provide security updates quickly and with minimal disruption for users.
Guix uses a "rolling release" model. All security bug-fixes are pushed directly to the master branch. There is no "stable" branch that only receives security fixes.