[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attac
|
From: |
Ludovic Courtès |
|
Subject: |
[bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks |
|
Date: |
Wed, 20 May 2020 23:38:02 +0200 |
Hello!
This patch series aims to protect against “downgrade attacks”, whereby
a “guix pull” command would in fact deploy an older or an unrelated
revision of Guix, potentially leading you to install vulnerable or
malicious software.
By default ‘guix pull’ would now error out if the target commit of a
channel is not a descendant of the currently-used commit, according to
the commit graph. There’s an option to bypass that. ‘guix
time-machine’ behavior is unchanged though: it never complains.
This is generally useful and it’s a requirement for authenticated
checkouts as discussed in <https://issues.guix.gnu.org/22883>,
otherwise one could easily escape the intended authentication scheme
by branching and providing a different ‘.guix-authorizations’ file.
Feedback welcome!
Ludo’.
Ludovic Courtès (5):
git: Add 'commit-relation'.
channels: 'latest-channel-instances' doesn't leak internal state.
git: 'update-cached-checkout' returns the commit relation.
channels: 'latest-channel-instances' guards against non-forward
updates.
pull: Protect against downgrade attacks.
doc/guix.texi | 15 ++++
guix/channels.scm | 156 ++++++++++++++++++++++++++++++------------
guix/git.scm | 37 ++++++++--
guix/import/opam.scm | 2 +-
guix/scripts/pull.scm | 35 +++++++++-
tests/channels.scm | 47 +++++++++++--
tests/git.scm | 42 +++++++++++-
7 files changed, 276 insertions(+), 58 deletions(-)
--
2.26.2
- [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks,
Ludovic Courtès <=