diff --git a/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch b/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch
deleted file mode 100644
index 0e22f0f35042d..0000000000000
--- a/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
-index c5383bc..50d1abc 100644
---- a/nix/libstore/build.cc
-+++ b/nix/libstore/build.cc
-@@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs()
- Path actualPath = path;
- if (useChroot) {
- actualPath = chrootRootDir + path;
-- if (pathExists(actualPath)) {
-- /* Move output paths from the chroot to the store. */
-- if (buildMode == bmRepair)
-- replaceValidPath(path, actualPath);
-- else
-- if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
-- throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
-- }
-- if (buildMode != bmCheck) actualPath = path;
- } else {
- Path redirected = redirectedOutputs[path];
- if (buildMode == bmRepair
-@@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs()
- something like that. */
- canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
- 
-+ if (useChroot) {
-+ if (pathExists(actualPath)) {
-+ /* Now that output paths have been canonicalized (in particular
-+ there are no setuid files left), move them outside of the
-+ chroot and to the store. */
-+ if (buildMode == bmRepair)
-+ replaceValidPath(path, actualPath);
-+ else
-+ if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
-+ throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
-+ }
-+ if (buildMode != bmCheck) actualPath = path;
-+ }
-+
-+
- /* FIXME: this is in-memory. */
- StringSink sink;
- dumpPath(actualPath, sink);
diff --git a/pkgs/by-name/gu/guix/package.nix b/pkgs/by-name/gu/guix/package.nix
index 5752a45ae6356..feb26b3ea606d 100644
--- a/pkgs/by-name/gu/guix/package.nix
+++ b/pkgs/by-name/gu/guix/package.nix
@@ -3,6 +3,7 @@
 stdenv,
 fetchurl,
 fetchpatch,
+ fetchDebianPatch,
 autoreconfHook,
 disarchive,
 git,
@@ -57,9 +58,19 @@ stdenv.mkDerivation rec {
 url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
 hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
 })
- # manual port of build user takeover remediation commit
 # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
- ./guix-build-user-takeover-fix.patch
+ (fetchDebianPatch {
+ inherit pname version;
+ debianRevision = "8";
+ patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch";
+ hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo=";
+ })
+ (fetchDebianPatch {
+ inherit pname version;
+ debianRevision = "8";
+ patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch";
+ hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM=";
+ })
 ];
 
 postPatch = ''
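Review bot: The one comment that survives in front of the two fetchDebianPatch entries no longer says why this security fix is pulled from Debian's packaging rather than fetched from guix.git with fetchpatch like the ff1251de entry directly above it, nor which upstream commits the 0101/0102 patches carry. The deleted local patch only re-ordered the move-out-of-chroot for successful outputs (registerOutputs), so the 0101 "failed build outputs" patch appears to widen coverage to the keep-failed path; that is worth recording so nobody later collapses this back to a single upstream fetchpatch and silently drops it. I would extend the comment to `# Debian's backport of both upstream build-user-takeover fixes (failed and successful outputs); taken from Debian because the upstream commits do not apply to this release tarball` — the applies-cleanly reason is my inference from the old "manual port" wording and should be confirmed before committing it. The hashes pin the fetched content, so the Debian source is only a provenance question, not a drift risk. The `patches` list this hunk edits begins outside the hunk.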