guix time-machine fails; XXXX is not related to introductory commit of channel 'guix'

Status: Done
Participants: Jan Nieuwenhuizen, Ludovic Courtès, Marius Bakke, zimoun
Owner: unassigned
Submitted by: Jan Nieuwenhuizen
Severity: serious
Jan Nieuwenhuizen wrote on 17 Jun 2020 11:27
(address . bug-guix@gnu.org)
87blli11pi.fsf@gnu.org
Hi,

After pulling this morning, guix time-machine fails, look:

$ guix pull --commit=559491ea5b36b89b2a2f9d48dacf6a2d7e219910
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Building from this channel:
guix https://git.savannah.gnu.org/git/guix.git 559491e
[...]
hint: Run `guix pull --news' to read all the news.

11:23:19 janneke@dundal:~/src/guix/master
$ guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- environment hello
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'

[1]11:23:25 janneke@dundal:~/src/guix/master
git log --pretty=oneline | grep 36640207c9543e48cd6daa92930f023f80065a5d
36640207c9543e48cd6daa92930f023f80065a5d quirks: Build 'compute-guix-derivation' modules with 2.2 when needed.

Am I missing something?

Greetings,
Janneke

--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com
zimoun wrote on 19 Jun 2020 00:29
867dw4vwh8.fsf@gmail.com
Dear Janneke,

On Wed, 17 Jun 2020 at 11:27, Jan Nieuwenhuizen <janneke@gnu.org> wrote:

> $ guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- environment hello
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d'
> is not related to introductory commit of channel 'guix'

It seems related to the new machinery about authentication, i.e., I guess:

838ac881ec * time-machine: Add '--disable-authentication'.


On my machine:

guix pull --commit= -p /tmp/bug
/tmp/bug/bin/guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- environment hello

works as expected. I mean I get:

Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to 3664020 (664 new commits)...
substitute: updating substitutes from
'https://ci.guix.gnu.org'... 100.0%
[...]
^C

Then I stopped it before it completed. And I re-ran the same time-machine
command and I got the same error message:

Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'

But with the new option "--disable-authentication", it works -- even if it
is maybe not what you want.
zimoun wrote on 19 Jun 2020 01:02
864kr8vuy8.fsf@gmail.com
Sorry, I hit C-c C-c in the wrong buffer and sent the email before
finishing it. :-)

CC: Ludo because I do not really understand all the new machinery and
what is the correct solution:
- remove/tweak the file "~/.cache/guix/authentication/channels/guix"
or
- use "--disable-authentication"
or
- is it a real bug? :-)
?

On Fri, 19 Jun 2020 at 00:29, zimoun <zimon.toutoune@gmail.com> wrote:

> It seems related to the new machinery about authentication, i.e., I guess:
>
> 838ac881ec * time-machine: Add '--disable-authentication'.

[...]

> But with the new option "--disable-authentication", it works -- even if it
> is maybe not what you want.

What do you have in the file ~/.cache/guix/authentication/channels/guix?


Well, basically if I run with a fresh
~/.cache/guix/authentication/channels/guix, it works as expected:

$ guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to 3664020 (664 new commits)...
Computing Guix derivation for 'x86_64-linux'... /

however, if I re-run the exact same command, it fails:

$ guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'

and the file says:

$ cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("36640207c9543e48cd6daa92930f023f80065a5d")

Well, I do not know if it does not come from 'start-commit',
'end-commit' and 'authenticated-commits' in guix/channels.scm:
(authenticate-channel).


All the best,
simon
Ludovic Courtès wrote on 19 Jun 2020 23:17
(name . Jan Nieuwenhuizen)(address . janneke@gnu.org)
87366qeovy.fsf@gnu.org
Hi,

(+Cc: Marius.)

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

> $ guix pull --commit=559491ea5b36b89b2a2f9d48dacf6a2d7e219910
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> Building from this channel:
> guix https://git.savannah.gnu.org/git/guix.git 559491e
> [...]
> hint: Run `guix pull --news' to read all the news.
>
> 11:23:19 janneke@dundal:~/src/guix/master
> $ guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- environment hello
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'
>
> [1]11:23:25 janneke@dundal:~/src/guix/master
> git log --pretty=oneline | grep 36640207c9543e48cd6daa92930f023f80065a5d
> 36640207c9543e48cd6daa92930f023f80065a5d quirks: Build 'compute-guix-derivation' modules with 2.2 when needed.

I think ‘commit-relation’ is right: the two commits are unrelated.

AIUI, commit 36640207c9543e48cd6daa92930f023f80065a5d was made on master
(May 29) after commit 9edb3f66fd807b096b48283debdcddccfea34bad (May
26). Thus, they really existed in different branches, and they’re
unrelated.

So we probably need to choose another introductory commit, one on
‘master’, and that has to be the merge commit for ‘staging’
(8ab70bae52f8d4b6356ec3b8a88cebf9debe8520, June 13!).

That sucks because that means that any branch forked before that is not
mergeable. That includes at least ‘core-updates’ (but there are few
commits there, so it can be rebased, I think.)

I don’t think we can relax the relation check with the introductory
commit or we’d allow jumping anywhere.

Thoughts?

Ludo’.
Ludovic Courtès wrote on 19 Jun 2020 23:18
control message for bug #41908
(address . control@debbugs.gnu.org)
871rmaeov1.fsf@gnu.org
severity 41908 serious
quit
zimoun wrote on 20 Jun 2020 01:22
Re: bug#41908: guix time-machine fails; XXXX is not related to introductory commit of channel 'guix'
86366qtzdi.fsf@gmail.com
Hi Ludo,

On Fri, 19 Jun 2020 at 23:17, Ludovic Courtès <ludo@gnu.org> wrote:

> (+Cc: Marius.)

Not sure you +CC'ed Marius. So I did.

> I think ‘commit-relation’ is right: the two commits are unrelated.
>
> AIUI, commit 36640207c9543e48cd6daa92930f023f80065a5d was made on master
> (May 29) after commit 9edb3f66fd807b096b48283debdcddccfea34bad (May
> 26). Thus, they really existed in different branches, and they’re
> unrelated.
>
> So we probably need to choose another introductory commit, one on
> ‘master’, and that has to be the merge commit for ‘staging’
> (8ab70bae52f8d4b6356ec3b8a88cebf9debe8520, June 13!).
>
> That sucks because that means that any branch forked before that is not
> mergeable. That includes at least ‘core-updates’ (but there are few
> commits there, so it can be rebased, I think.)
>
> I don’t think we can relax the relation check with the introductory
> commit or we’d allow jumping anywhere.

I do not know if I am adding noise, but below is what I observed, and it is not
what I am expecting.

For the record, the commit history. Maybe I misread, well I think the
first 2 commits used for pulling and the 5 others used for time-machine
are/were each on the same branch, i.e. they are related (direct path),
and the 2 groups (pull vs time-machine) are/were not in the same branch.
And I do not think the issue comes from the branching.

559491ea5b * gnu: Transmission: Clean up the package definition.
e7a7a483bc * gnu: papirus-icon-theme: Update to 20200602.
[...]
41a2d6a8b9 * gnu: emacs-evil: Update to 1.14.0.
[...]
e70e097882 * size: Document that positional arguments can be store items.
[...]
b56cbe8974 * syscalls: Properly match %HOST-TYPE.
36640207c9 * quirks: Build 'compute-guix-derivation' modules with 2.2 when needed.
60b81ec2f3 * gnu: emacs-2048-game: Update home page.

This first sequence appears expected:

guix pull --commit=e7a7a483bc -p /tmp/a
cat ~/.cache/guix/authentication/channels/guix
cat: /home/simon/.cache/guix/authentication/channels/guix: No such file or directory

/tmp/a/bin/guix time-machine --commit=36640207c9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to 3664020 (664 new commits)...
cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("36640207c9543e48cd6daa92930f023f80065a5d")

/tmp/a/bin/guix time-machine --commit=b56cbe8974 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to b56cbe8 (1 new commits)...
cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("b56cbe8974c328a6c7bc28906478ef1b191ada4c"
"36640207c9543e48cd6daa92930f023f80065a5d")

Then this one is not for me:

/tmp/a/bin/guix time-machine --commit=60b81ec2f3 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: '60b81ec2f324c18d026e9ae05199493bc644960b' is not related to introductory commit of channel 'guix'

/tmp/a/bin/guix time-machine --commit=b56cbe8974 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: 'b56cbe8974c328a6c7bc28906478ef1b191ada4c' is not related to introductory commit of channel 'guix'

/tmp/a/bin/guix time-machine --commit=36640207c9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'

Why can I not go to 60b81ec2f3? I mean I cannot go before the first
time-machine I did, which is unexpected for me.

Why can I not re-do the same time-machine twice?


I pull again but it is not the point. :-)

guix pull --commit=559491ea5b -p /tmp/b
cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("b56cbe8974c328a6c7bc28906478ef1b191ada4c"
"36640207c9543e48cd6daa92930f023f80065a5d")

/tmp/b/bin/guix time-machine --commit=36640207c9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'

/tmp/b/bin/guix time-machine --commit=41a2d6a8b9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to 41a2d6a (7 new commits)...
cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
"b56cbe8974c328a6c7bc28906478ef1b191ada4c"
"36640207c9543e48cd6daa92930f023f80065a5d")

/tmp/b/bin/guix time-machine --commit=e70e097882 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix time-machine: error: 'e70e097882699865f63eabc5fb29b4fe4468a97b' is not related to introductory commit of channel 'guix'

Well, again it is not expected for me that 36640207c9 is not reachable
even though it is already authenticated. But it is similar to previously, I
guess.

However, because 41a2d6a8b9 is a descendant, it is reachable. The
surprise to me is that e70e097882, which is in direct relation between
the two authenticated commits 41a2d6a8b9 and b56cbe8974, is not
reachable.

BTW, from a security perspective, it is easy to cheat by removing some
commits so the file ~/.cache/guix/authentication/channels/guix should be
protected: read-only and only writable by the daemon.


Cheers,
simon
Ludovic Courtès wrote on 20 Jun 2020 12:40
(name . zimoun)(address . zimon.toutoune@gmail.com)
87tuz6auku.fsf@gnu.org
Hi,

Ah yes, what you observed is interesting. If you first travel to a
current-ish commit, it gets properly authenticated and cached.

From then on, since 36640207c9543e48cd6daa92930f023f80065a5d is in the
closure of the commit you just pulled, it’s authenticated, and you can
travel back to it. It makes perfect sense.

Conversely, if you try to go directly to
36640207c9543e48cd6daa92930f023f80065a5d (e.g., with an empty cache),
all we can say is that we can’t authenticate it because it’s unrelated
to the introductory commit.

So it’s logical, even if surprising. It also means that the problem
sort of “goes away” by itself.

zimoun <zimon.toutoune@gmail.com> skribis:

> BTW, from a security perspective, it is easy to cheat by removing some
> commits so the file ~/.cache/guix/authentication/channels/guix should be
> protected: read-only and only writable by the daemon.

It’s 600 of course. What we could do is ignore it if it’s not 600 when
we open it.

Crucially: we cannot and should not restrict what the user can do for
the sake of security. Users can pass ‘--disable-authentication’, they
can run binaries taken from the net, whatever; it’s their machine.

Thanks,
Ludo’.
Marius Bakke wrote on 20 Jun 2020 15:58
(address . 41908@debbugs.gnu.org)
87v9jldejy.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> (+Cc: Marius.)
>
> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>
>> $ guix pull --commit=559491ea5b36b89b2a2f9d48dacf6a2d7e219910
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> Building from this channel:
>> guix https://git.savannah.gnu.org/git/guix.git 559491e
>> [...]
>> hint: Run `guix pull --news' to read all the news.
>>
>> 11:23:19 janneke@dundal:~/src/guix/master
>> $ guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- environment hello
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'
>>
>> [1]11:23:25 janneke@dundal:~/src/guix/master
>> git log --pretty=oneline | grep 36640207c9543e48cd6daa92930f023f80065a5d
>> 36640207c9543e48cd6daa92930f023f80065a5d quirks: Build 'compute-guix-derivation' modules with 2.2 when needed.
>
> I think ‘commit-relation’ is right: the two commits are unrelated.
>
> AIUI, commit 36640207c9543e48cd6daa92930f023f80065a5d was made on master
> (May 29) after commit 9edb3f66fd807b096b48283debdcddccfea34bad (May
> 26). Thus, they really existed in different branches, and they’re
> unrelated.
>
> So we probably need to choose another introductory commit, one on
> ‘master’, and that has to be the merge commit for ‘staging’
> (8ab70bae52f8d4b6356ec3b8a88cebf9debe8520, June 13!).
>
> That sucks because that means that any branch forked before that is not
> mergeable. That includes at least ‘core-updates’ (but there are few
> commits there, so it can be rebased, I think.)
>
> I don’t think we can relax the relation check with the introductory
> commit or we’d allow jumping anywhere.
>
> Thoughts?

Uff, sorry for the incomplete 'staging' rebase. I did not realize that
.guix-authorizations was missing completely in the earlier commits of
that branch; I only focused on getting Brice's commit authorized.

Yes core-updates needs to be rebased too because of this. And yes, not
a lot of commits yet. So let's move the introductory commit and rebase
core-updates on top, I can take care of the latter in a few days.

Ludovic Courtès wrote on 21 Jun 2020 17:43
(name . Jan Nieuwenhuizen)(address . janneke@gnu.org)
875zbka0h6.fsf@gnu.org
Hi, Sunday hackers!

Ludovic Courtès <ludo@gnu.org> skribis:

> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>
>> $ guix pull --commit=559491ea5b36b89b2a2f9d48dacf6a2d7e219910
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> Building from this channel:
>> guix https://git.savannah.gnu.org/git/guix.git 559491e
>> [...]
>> hint: Run `guix pull --news' to read all the news.
>>
>> 11:23:19 janneke@dundal:~/src/guix/master
>> $ guix time-machine --commit=36640207c9543e48cd6daa92930f023f80065a5d -- environment hello
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> guix time-machine: error: '36640207c9543e48cd6daa92930f023f80065a5d' is not related to introductory commit of channel 'guix'
>>
>> [1]11:23:25 janneke@dundal:~/src/guix/master
>> git log --pretty=oneline | grep 36640207c9543e48cd6daa92930f023f80065a5d
>> 36640207c9543e48cd6daa92930f023f80065a5d quirks: Build 'compute-guix-derivation' modules with 2.2 when needed.
>
> I think ‘commit-relation’ is right: the two commits are unrelated.
>
> AIUI, commit 36640207c9543e48cd6daa92930f023f80065a5d was made on master
> (May 29) after commit 9edb3f66fd807b096b48283debdcddccfea34bad (May
> 26). Thus, they really existed in different branches, and they’re
> unrelated.

Thinking more about it, I think the test that leads to the error above
is in fact bogus (that’s what you were hinting at, Simon). Namely, it
reads:

  (define commits
    ;; Commits to authenticate, excluding the closure of
    ;; AUTHENTICATED-COMMITS.
    (commit-difference end-commit start-commit
                       authenticated-commits))

  ;; When COMMITS is empty, it's either because AUTHENTICATED-COMMITS
  ;; contains END-COMMIT or because END-COMMIT is not a descendant of
  ;; START-COMMIT. Check that.

But that’s wrong: If START-COMMIT and END-COMMIT are unrelated, then
‘commit-difference’ will return a whole lot of commits (those who are
not both in the closure of START-COMMIT and that of END-COMMIT).

The difference between 36640207c9543e48cd6daa92930f023f80065a5d and
9edb3f66fd807b096b48283debdcddccfea34bad is a set of 664 commits, as
shown with “git log --oneline 9edb3f6..3664020 | wc -l” or by calling
‘commit-difference’.

Those 664 commits are those that were made on master between
9edb3f66fd807b096b48283debdcddccfea34bad’s parent on master, and
36640207c9543e48cd6daa92930f023f80065a5d. They can be authenticated
just fine.

If someone passed ‘--allow-downgrades’ and tries to jump to an unrelated
commit, authentication will fail on some commit. So I think the test
was just enforcing an additional restriction that was unnecessary.

I removed that test in e4a4287c5fb51c0e47431606df5ee78b953d71f8; we can
keep the introductory commit unchanged, all is good! Let me know what
you think.

Thanks,
Ludo’.
Closed
zimoun wrote on 21 Jun 2020 18:17
(name . Ludovic Courtès)(address . ludo@gnu.org)
86mu4ws8ah.fsf@gmail.com
Hi Ludo,

On Sat, 20 Jun 2020 at 12:40, Ludovic Courtès <ludo@gnu.org> wrote:
> zimoun <zimon.toutoune@gmail.com> skribis:

>> BTW, from a security perspective, it is easy to cheat by removing some
>> commits so the file ~/.cache/guix/authentication/channels/guix should be
>> protected: read-only and only writable by the daemon.
>
> It’s 600 of course. What we could do is ignore it if it’s not 600 when
> we open it.

This could help. :-)


> Crucially: we cannot and should not restrict what the user can do for
> the sake of security. Users can pass ‘--disable-authentication’, they
> can run binaries taken from the net, whatever; it’s their machine.

Well, I have not thought deeply about an attack, but the point is to
protect the user when they run "guix pull" alone, i.e., they can trust
the server. An attack could be for example an email with an attachment,
click, then boom: tweak ~/.config/guix/channels.scm and
~/.cache/guix/authentication/channels/guix, then the user runs "guix
pull" with the expectation that everything is checked and
authenticated and in fact no, they are talking to a malicious server.


Cheers,
simon
zimoun wrote on 21 Jun 2020 18:18
(address . 41908-done@debbugs.gnu.org)
86lfkgs88u.fsf@gmail.com
Hi Ludo,

On Sun, 21 Jun 2020 at 17:43, Ludovic Courtès <ludo@gnu.org> wrote:

> I removed that test in e4a4287c5fb51c0e47431606df5ee78b953d71f8; we can
> keep the introductory commit unchanged, all is good! Let me know what
> you think.
Closed
Ludovic Courtès wrote on 22 Jun 2020 10:01
(name . zimoun)(address . zimon.toutoune@gmail.com)
87zh8v7cme.fsf@gnu.org
Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

> On Sat, 20 Jun 2020 at 12:40, Ludovic Courtès <ludo@gnu.org> wrote:
>> zimoun <zimon.toutoune@gmail.com> skribis:
>
>>> BTW, from a security perspective, it is easy to cheat by removing some
>>> commits so the file ~/.cache/guix/authentication/channels/guix should be
>>> protected: read-only and only writable by the daemon.
>>
>> It’s 600 of course. What we could do is ignore it if it’s not 600 when
>> we open it.
>
> This could help. :-)

Done in 41939c374a3ef421d2d4c6453c327a9cd7af4ce5.

>> Crucially: we cannot and should not restrict what the user can do for
>> the sake of security. Users can pass ‘--disable-authentication’, they
>> can run binaries taken from the net, whatever; it’s their machine.
>
> Well, I have not thought deeply about an attack, but the point is to
> protect the user when they run "guix pull" alone, i.e., they can trust
> the server. An attack could be for example an email with an attachment,
> click, then boom: tweak ~/.config/guix/channels.scm and
> ~/.cache/guix/authentication/channels/guix, then the user runs "guix
> pull" with the expectation that everything is checked and
> authenticated and in fact no, they are talking to a malicious server.

I don’t really see how the attachment would modify a local file, but
even if that’s a possibility, it’s beyond the scope of Guix: we cannot
prevent users from shooting themselves in the foot.

Ludo’.
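
Added example, not Guix's code (the change made in 41939c374a3ef421d2d4c6453c327a9cd7af4ce5 is not shown on this page): one way to apply the "ignore it if it's not 600" rule in Python, checking the mode on the already-opened descriptor rather than on the path. The function names and the sample file are constructed; the file format follows the `cat` output earlier in the thread.

```python
import os
import re
import stat
import tempfile

# Constructed sample, in the format printed by `cat` earlier in the thread.
SAMPLE = """;; List of previously-authenticated commits.

("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
"e70e097882699865f63eabc5fb29b4fe4468a97b")
"""

COMMIT_ID = re.compile(r'"([0-9a-f]{40})"')


def read_authenticated_commits(path):
    """Return the commit IDs cached in PATH.

    Return [] when the file is missing or when its mode is not exactly
    0600, so that a cache with loose permissions is ignored and every
    commit gets authenticated again.
    """
    try:
        fd = os.open(path, os.O_RDONLY)
    except FileNotFoundError:
        return []
    with os.fdopen(fd, encoding="utf-8") as port:
        # fstat() on the open descriptor: the mode checked belongs to the
        # file actually read, even if PATH is replaced in the meantime.
        mode = stat.S_IMODE(os.fstat(port.fileno()).st_mode)
        if mode != 0o600:
            return []
        text = port.read()
    # Drop ';' comments, then collect the quoted 40-hex-digit strings.
    code = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    return COMMIT_ID.findall(code)


def demo():
    """Read the sample with mode 0600, with mode 0644, and when absent."""
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, "guix")
        with open(path, "w", encoding="utf-8") as port:
            port.write(SAMPLE)
        os.chmod(path, 0o600)
        strict = read_authenticated_commits(path)
        os.chmod(path, 0o644)
        loose = read_authenticated_commits(path)
        missing = read_authenticated_commits(os.path.join(directory, "absent"))
    return strict, loose, missing


if __name__ == "__main__":
    print(demo())
```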
zimoun wrote on 22 Jun 2020 10:54
(address . 41908-done@debbugs.gnu.org)
86imfjsco3.fsf@gmail.com
Hi Ludo,

On Sun, 21 Jun 2020 at 17:43, Ludovic Courtès <ludo@gnu.org> wrote:

> I removed that test in e4a4287c5fb51c0e47431606df5ee78b953d71f8; we can
> keep the introductory commit unchanged, all is good! Let me know what
> you think.

Now the sequences never return an error. Nice!

For the record, the history is:

* 41a2d6a8b9 (newer)
* e70e097882 (between)
* 36640207c9 (older)

$ guix pull --commit=e4a4287c5fb51c0e47431606df5ee78b953d71f8 -p /tmp/c
$ cat ~/.cache/guix/authentication/channels/guix
cat: /home/simon/.cache/guix/authentication/channels/guix: No such file or directory

Let's consider this first sequence.

$ /tmp/c/bin/guix time-machine --commit=e70e097882 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to e70e097 (668 new commits)...
$ cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("e70e097882699865f63eabc5fb29b4fe4468a97b")

$ /tmp/c/bin/guix time-machine --commit=41a2d6a8b9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to 41a2d6a (4 new commits)...
$ cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
"e70e097882699865f63eabc5fb29b4fe4468a97b")

$ /tmp/c/bin/guix time-machine --commit=36640207c9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Usage: guix COMMAND ARGS...

$ cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
"e70e097882699865f63eabc5fb29b4fe4468a97b")

However, the commit 36640207c9 is not considered as authenticated,
right? So, the older authenticated commit is the first commit used by
time-machine, right?


Let's consider this second sequence.

$ rm ~/.cache/guix/authentication/channels/guix

$ /tmp/c/bin/guix time-machine --commit=36640207c9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to 3664020 (664 new commits)...

$ /tmp/c/bin/guix time-machine --commit=41a2d6a8b9 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to 41a2d6a (8 new commits)...

$ cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
"36640207c9543e48cd6daa92930f023f80065a5d")

$ /tmp/c/bin/guix time-machine --commit=e70e097882 -- help
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Usage: guix COMMAND ARGS...

$ cat ~/.cache/guix/authentication/channels/guix
;; List of previously-authenticated commits.

("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
"36640207c9543e48cd6daa92930f023f80065a5d")

The commit e70e097882 between 36640207c9 and 41a2d6a8b9 is not
considered as authenticated, right?


Cheers,
simon
Closed
Ludovic Courtès wrote on 23 Jun 2020 09:35
(name . zimoun)(address . zimon.toutoune@gmail.com)
87d05q5j4w.fsf@gnu.org
Hi Simon,

zimoun <zimon.toutoune@gmail.com> skribis:

> $ /tmp/c/bin/guix time-machine --commit=36640207c9 -- help
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> Usage: guix COMMAND ARGS...
>
> $ cat ~/.cache/guix/authentication/channels/guix
> ;; List of previously-authenticated commits.
>
> ("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
> "e70e097882699865f63eabc5fb29b4fe4468a97b")
>
>
> However, the commit 36640207c9 is not considered as authenticated,
> right? So, the older authenticated commit is the first commit used by
> time-machine, right?

Note that it’s the closure of the commits listed in the cache that’s
considered authenticated. So not every commit is listed.

Does that make sense?

Ludo’.
Closed
zimoun wrote on 23 Jun 2020 10:42
(name . Ludovic Courtès)(address . ludo@gnu.org)
86d05qrx5a.fsf@gmail.com
Hi Ludo,

On Tue, 23 Jun 2020 at 09:35, Ludovic Courtès <ludo@gnu.org> wrote:
> Hi Simon,
>
> zimoun <zimon.toutoune@gmail.com> skribis:
>
>> $ /tmp/c/bin/guix time-machine --commit=36640207c9 -- help
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> Usage: guix COMMAND ARGS...
>>
>> $ cat ~/.cache/guix/authentication/channels/guix
>> ;; List of previously-authenticated commits.
>>
>> ("41a2d6a8b9294a6eb8e97aaefd569e755f5f461e"
>> "e70e097882699865f63eabc5fb29b4fe4468a97b")
>>
>>
>> However, the commit 36640207c9 is not considered as authenticated,
>> right? So, the older authenticated commit is the first commit used by
>> time-machine, right?
>
> Note that it’s the closure of the commits listed in the cache that’s
> considered authenticated. So not every commit is listed.
>
> Does that make sense?

Just to be sure to understand:

1- * 41a2d6a8b9 (newer)
2- * e70e097882 (between)
3- * 36640207c9 (older)
4- * xxxxxxxxxx (first authenticated commit)

From a fresh cache,

a) if #2 is authenticated, because it is a descendant of #4, it is stored
and all the commits between (closure), i.e., #3 should be considered as
authenticated.

b) then if #1 is authenticated, because it is a descendant of the last
authenticated i.e. #2, it is stored in the cache.

c) now let's try #3. It is considered authenticated because it is in the closure
of #4 and #2.

Yes it makes sense. All is good. :-)

(And the assumption is: if Guix does not raise then it means that the
commit is authenticated.)


Cheers,
simon
Closed
Ludovic Courtès wrote on 23 Jun 2020 10:53
(name . zimoun)(address . zimon.toutoune@gmail.com)
87blla40yt.fsf@gnu.org
zimoun <zimon.toutoune@gmail.com> skribis:

> Just to be sure to understand:
>
> 1- * 41a2d6a8b9 (newer)
> 2- * e70e097882 (between)
> 3- * 36640207c9 (older)
> 4- * xxxxxxxxxx (first authenticated commit)
>
> From a fresh cache,
>
> a) if #2 is authenticated, because it is a descendant of #4, it is stored
> and all the commits between (closure), i.e., #3 should be considered as
> authenticated.
>
> b) then if #1 is authenticated, because it is a descendant of the last
> authenticated i.e. #2, it is stored in the cache.
>
> c) now let's try #3. It is considered authenticated because it is in the closure
> of #4 and #2.
>
> Yes it makes sense. All is good. :-)

Yup, looks correct. :-)

> (And the assumption is: if Guix does not raise then it means that the
> commit is authenticated.)

Exactly. I know it’s disappointing, but it’s one of these features
that’s pretty much invisible until you run into troubles.

Ludo’.
Closed
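
Added example (not part of the thread and not Guix code): a Python model of the commit sets discussed above, covering both the test removed in e4a4287c5fb51c0e47431606df5ee78b953d71f8 and the cache-closure rule confirmed in the last messages. The graph, the commit names and the relation_test switch are constructed, the removed test is modelled on the comment quoted in the thread, and signature verification is not modelled.

```python
# Added illustration: toy model of the commit sets discussed in the thread.
# The graph and commit names are constructed; this is not Guix code.

# child -> parents
PARENTS = {
    "root": [],
    "m1": ["root"],         # master
    "m2": ["m1"],           # master: the older time-machine target
    "m3": ["m2"],           # master
    "intro": ["root"],      # staging: plays the introductory commit
    "s2": ["intro"],        # staging
    "merge": ["m3", "s2"],  # staging merged into master
    "m4": ["merge"],        # master, after the merge
}


class UnrelatedCommit(Exception):
    """Models the 'is not related to introductory commit' error."""


def closure(parents, commits):
    """Return COMMITS together with all of their ancestors."""
    seen, stack = set(), list(commits)
    while stack:
        commit = stack.pop()
        if commit not in seen:
            seen.add(commit)
            stack.extend(parents[commit])
    return seen


def commit_relation(parents, old, new):
    """Return 'self', 'ancestor', 'descendant' or 'unrelated' for OLD vs NEW."""
    if old == new:
        return "self"
    if old in closure(parents, [new]):
        return "ancestor"
    if new in closure(parents, [old]):
        return "descendant"
    return "unrelated"


def commit_difference(parents, new, old, excluded=()):
    """Commits in the closure of NEW, minus the closures of OLD and EXCLUDED."""
    return (closure(parents, [new])
            - closure(parents, [old])
            - closure(parents, excluded))


def time_machine(parents, start, end, cache, relation_test):
    """Return how many commits must be authenticated to travel to END.

    START plays the introductory commit and CACHE the list of
    previously-authenticated commits.  With RELATION_TEST set, an empty
    difference triggers the relation check described in the quoted comment
    (assumption: the removed code itself is not shown on the page).
    """
    commits = commit_difference(parents, end, start, cache)
    if relation_test and not commits:
        if commit_relation(parents, start, end) == "unrelated":
            raise UnrelatedCommit(end)
    if commits:
        # As in the transcripts: END is recorded only when new commits
        # were authenticated; its ancestors are covered by closure.
        cache.insert(0, end)
    return len(commits)


def replay(relation_test):
    """Travel to m2 twice, then to m3 and m1, starting from an empty cache."""
    cache, log = [], []
    for target in ["m2", "m2", "m3", "m1"]:
        try:
            count = time_machine(PARENTS, "intro", target, cache, relation_test)
            log.append((target, count))
        except UnrelatedCommit:
            log.append((target, "error"))
    return log, cache


if __name__ == "__main__":
    for flag in (True, False):
        print("relation test:", flag, replay(flag))
```

With the relation test enabled, the second trip to m2 and the trip to the older m1 fail exactly because the cache already covers them; without it, both succeed with nothing left to authenticate.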