From debbugs-submit-bounces@debbugs.gnu.org Wed May 20 17:38:16 2020 Received: (at submit) by debbugs.gnu.org; 20 May 2020 21:38:16 +0000 Received: from localhost ([127.0.0.1]:54516 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWPo-0005mQ-J1 for submit@debbugs.gnu.org; Wed, 20 May 2020 17:38:16 -0400 Received: from lists.gnu.org ([209.51.188.17]:50122) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWPn-0005mJ-4T for submit@debbugs.gnu.org; Wed, 20 May 2020 17:38:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:49986) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jbWPm-0003SJ-Tw for guix-patches@gnu.org; Wed, 20 May 2020 17:38:14 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59142) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWPm-00014T-L5; Wed, 20 May 2020 17:38:14 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56646 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWPl-0006fi-Mt; Wed, 20 May 2020 17:38:13 -0400 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= To: guix-patches@gnu.org Subject: [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Date: Wed, 20 May 2020 23:38:02 +0200 Message-Id: <20200520213802.2170-1-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit Cc: =?UTF-8?q?Ludovic=20Court=C3=A8s?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hello! This patch series aims to protect against “downgrade attacks”, whereby a “guix pull” command would in fact deploy an older or an unrelated revision of Guix, potentially leading you to install vulnerable or malicious software. By default ‘guix pull’ would now error out if the target commit of a channel is not a descendant of the currently-used commit, according to the commit graph. There’s an option to bypass that. ‘guix time-machine’ behavior is unchanged though: it never complains. This is generally useful and it’s a requirement for authenticated checkouts as discussed in , otherwise one could easily escape the intended authentication scheme by branching and providing a different ‘.guix-authorizations’ file. Feedback welcome! Ludo’. Ludovic Courtès (5): git: Add 'commit-relation'. channels: 'latest-channel-instances' doesn't leak internal state. git: 'update-cached-checkout' returns the commit relation. channels: 'latest-channel-instances' guards against non-forward updates. pull: Protect against downgrade attacks. doc/guix.texi | 15 ++++ guix/channels.scm | 156 ++++++++++++++++++++++++++++++------------ guix/git.scm | 37 ++++++++-- guix/import/opam.scm | 2 +- guix/scripts/pull.scm | 35 +++++++++- tests/channels.scm | 47 +++++++++++-- tests/git.scm | 42 +++++++++++- 7 files changed, 276 insertions(+), 58 deletions(-) -- 2.26.2