From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 20 May 2020 21:39:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41425@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.159001069622226 (code B ref -1); Wed, 20 May 2020 21:39:02 +0000 Received: (at submit) by debbugs.gnu.org; 20 May 2020 21:38:16 +0000 Received: from localhost ([127.0.0.1]:54516 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWPo-0005mQ-J1 for submit@debbugs.gnu.org; Wed, 20 May 2020 17:38:16 -0400 Received: from lists.gnu.org ([209.51.188.17]:50122) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWPn-0005mJ-4T for submit@debbugs.gnu.org; Wed, 20 May 2020 17:38:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:49986) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jbWPm-0003SJ-Tw for guix-patches@gnu.org; Wed, 20 May 2020 17:38:14 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59142) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWPm-00014T-L5; Wed, 20 May 2020 17:38:14 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56646 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWPl-0006fi-Mt; Wed, 20 May 2020 17:38:13 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 20 May 2020 23:38:02 +0200 Message-Id: <20200520213802.2170-1-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hello! This patch series aims to protect against “downgrade attacks”, whereby a “guix pull” command would in fact deploy an older or an unrelated revision of Guix, potentially leading you to install vulnerable or malicious software. By default ‘guix pull’ would now error out if the target commit of a channel is not a descendant of the currently-used commit, according to the commit graph. There’s an option to bypass that. ‘guix time-machine’ behavior is unchanged though: it never complains. This is generally useful and it’s a requirement for authenticated checkouts as discussed in , otherwise one could easily escape the intended authentication scheme by branching and providing a different ‘.guix-authorizations’ file. Feedback welcome! Ludo’. Ludovic Courtès (5): git: Add 'commit-relation'. channels: 'latest-channel-instances' doesn't leak internal state. git: 'update-cached-checkout' returns the commit relation. channels: 'latest-channel-instances' guards against non-forward updates. pull: Protect against downgrade attacks. doc/guix.texi | 15 ++++ guix/channels.scm | 156 ++++++++++++++++++++++++++++++------------ guix/git.scm | 37 ++++++++-- guix/import/opam.scm | 2 +- guix/scripts/pull.scm | 35 +++++++++- tests/channels.scm | 47 +++++++++++-- tests/git.scm | 42 +++++++++++- 7 files changed, 276 insertions(+), 58 deletions(-) -- 2.26.2 From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 1/5] git: Add 'commit-relation'. References: <20200520213802.2170-1-ludo@gnu.org> In-Reply-To: <20200520213802.2170-1-ludo@gnu.org> Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 20 May 2020 21:48:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41425@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159001126523201 (code B ref 41425); Wed, 20 May 2020 21:48:01 +0000 Received: (at 41425) by debbugs.gnu.org; 20 May 2020 21:47:45 +0000 Received: from localhost ([127.0.0.1]:54537 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWYz-000627-64 for submit@debbugs.gnu.org; Wed, 20 May 2020 17:47:45 -0400 Received: from eggs.gnu.org ([209.51.188.92]:43938) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWYw-00061i-U3 for 41425@debbugs.gnu.org; Wed, 20 May 2020 17:47:43 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59451) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWYq-0003L1-E3; Wed, 20 May 2020 17:47:37 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56656 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWYp-0007cZ-D7; Wed, 20 May 2020 17:47:35 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 20 May 2020 23:47:21 +0200 Message-Id: <20200520214725.2437-1-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * guix/git.scm (commit-relation): New procedure. * tests/git.scm ("commit-relation"): New test. --- guix/git.scm | 16 ++++++++++++++++ tests/git.scm | 42 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/guix/git.scm b/guix/git.scm index 92121156cf..249d622756 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -43,6 +43,7 @@ url+commit->name latest-repository-commit commit-difference + commit-relation git-checkout git-checkout? @@ -405,6 +406,21 @@ that of OLD." (cons head result) (set-insert head visited))))))) +(define (commit-relation old new) + "Return a symbol denoting the relation between OLD and NEW, two commit +objects: 'ancestor (meaning that OLD is an ancestor of NEW), 'descendant, or +'unrelated, or 'self (OLD and NEW are the same commit)." + (if (eq? old new) + 'self + (let ((newest (commit-closure new))) + (if (set-contains? newest old) + 'ancestor + (let* ((seen (list->setq (commit-parents new))) + (oldest (commit-closure old seen))) + (if (set-contains? oldest new) + 'descendant + 'unrelated)))))) + ;;; ;;; Checkouts. diff --git a/tests/git.scm b/tests/git.scm index 052f8a79c4..4a806abcc3 100644 --- a/tests/git.scm +++ b/tests/git.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019 Ludovic Courtès +;;; Copyright © 2019, 2020 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -122,4 +122,44 @@ (lset= eq? (commit-difference commit4 commit1 (list commit5)) (list commit2 commit3 commit4))))))) +(unless (which (git-command)) (test-skip 1)) +(test-equal "commit-relation" + '(self ;master3 master3 + ancestor ;master1 master3 + descendant ;master3 master1 + unrelated ;master2 branch1 + unrelated ;branch1 master2 + ancestor ;branch1 merge + descendant ;merge branch1 + ancestor ;master1 merge + descendant) ;merge master1 + (with-temporary-git-repository directory + '((add "a.txt" "A") + (commit "first commit") + (branch "hack") + (checkout "hack") + (add "1.txt" "1") + (commit "branch commit") + (checkout "master") + (add "b.txt" "B") + (commit "second commit") + (add "c.txt" "C") + (commit "third commit") + (merge "hack" "merge")) + (with-repository directory repository + (let ((master1 (find-commit repository "first")) + (master2 (find-commit repository "second")) + (master3 (find-commit repository "third")) + (branch1 (find-commit repository "branch")) + (merge (find-commit repository "merge"))) + (list (commit-relation master3 master3) + (commit-relation master1 master3) + (commit-relation master3 master1) + (commit-relation master2 branch1) + (commit-relation branch1 master2) + (commit-relation branch1 merge) + (commit-relation merge branch1) + (commit-relation master1 merge) + (commit-relation merge master1)))))) + (test-end "git") -- 2.26.2 From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 2/5] channels: 'latest-channel-instances' doesn't leak internal state. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 20 May 2020 21:48:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41425@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159001126523209 (code B ref 41425); Wed, 20 May 2020 21:48:02 +0000 Received: (at 41425) by debbugs.gnu.org; 20 May 2020 21:47:45 +0000 Received: from localhost ([127.0.0.1]:54540 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWYz-000629-GC for submit@debbugs.gnu.org; Wed, 20 May 2020 17:47:45 -0400 Received: from eggs.gnu.org ([209.51.188.92]:43942) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWYx-00061k-7A for 41425@debbugs.gnu.org; Wed, 20 May 2020 17:47:43 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59454) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWYr-0003L9-TZ; Wed, 20 May 2020 17:47:37 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56656 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWYr-0007cZ-9V; Wed, 20 May 2020 17:47:37 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 20 May 2020 23:47:22 +0200 Message-Id: <20200520214725.2437-2-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200520214725.2437-1-ludo@gnu.org> References: <20200520214725.2437-1-ludo@gnu.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * guix/channels.scm (latest-channel-instances): Remove 'previous-channels' argument. Introduce 'loop' and use it. --- guix/channels.scm | 67 +++++++++++++++++++++++------------------------ 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/guix/channels.scm b/guix/channels.scm index f0174de767..e0a7a84f55 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -231,10 +231,9 @@ result is unspecified." #:select? (negate dot-git?)))) (channel-instance channel commit checkout)))) -(define* (latest-channel-instances store channels #:optional (previous-channels '())) +(define* (latest-channel-instances store channels) "Return a list of channel instances corresponding to the latest checkouts of -CHANNELS and the channels on which they depend. PREVIOUS-CHANNELS is a list -of previously processed channels." +CHANNELS and the channels on which they depend." ;; Only process channels that are unique, or that are more specific than a ;; previous channel specification. (define (ignore? channel others) @@ -245,38 +244,38 @@ of previously processed channels." (not (or (channel-commit a) (channel-commit b)))))))) - ;; Accumulate a list of instances. A list of processed channels is also - ;; accumulated to decide on duplicate channel specifications. - (define-values (resulting-channels instances) - (fold2 (lambda (channel previous-channels instances) - (if (ignore? channel previous-channels) - (values previous-channels instances) - (begin - (format (current-error-port) - (G_ "Updating channel '~a' from Git repository at '~a'...~%") - (channel-name channel) - (channel-url channel)) - (let ((instance (latest-channel-instance store channel))) - (let-values (((new-instances new-channels) - (latest-channel-instances - store - (channel-instance-dependencies instance) - previous-channels))) - (values (append (cons channel new-channels) - previous-channels) - (append (cons instance new-instances) - instances))))))) - previous-channels - '() ;instances - channels)) + (let loop ((channels channels) + (previous-channels '())) + ;; Accumulate a list of instances. A list of processed channels is also + ;; accumulated to decide on duplicate channel specifications. + (define-values (resulting-channels instances) + (fold2 (lambda (channel previous-channels instances) + (if (ignore? channel previous-channels) + (values previous-channels instances) + (begin + (format (current-error-port) + (G_ "Updating channel '~a' from Git repository at '~a'...~%") + (channel-name channel) + (channel-url channel)) + (let ((instance (latest-channel-instance store channel))) + (let-values (((new-instances new-channels) + (loop (channel-instance-dependencies instance) + previous-channels))) + (values (append (cons channel new-channels) + previous-channels) + (append (cons instance new-instances) + instances))))))) + previous-channels + '() ;instances + channels)) - (let ((instance-name (compose channel-name channel-instance-channel))) - ;; Remove all earlier channel specifications if they are followed by a - ;; more specific one. - (values (delete-duplicates instances - (lambda (a b) - (eq? (instance-name a) (instance-name b)))) - resulting-channels))) + (let ((instance-name (compose channel-name channel-instance-channel))) + ;; Remove all earlier channel specifications if they are followed by a + ;; more specific one. + (values (delete-duplicates instances + (lambda (a b) + (eq? (instance-name a) (instance-name b)))) + resulting-channels)))) (define* (checkout->channel-instance checkout #:key commit -- 2.26.2 From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 4/5] channels: 'latest-channel-instances' guards against non-forward updates. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 20 May 2020 21:48:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41425@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159001127123232 (code B ref 41425); Wed, 20 May 2020 21:48:02 +0000 Received: (at 41425) by debbugs.gnu.org; 20 May 2020 21:47:51 +0000 Received: from localhost ([127.0.0.1]:54544 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWZ4-00062c-Si for submit@debbugs.gnu.org; Wed, 20 May 2020 17:47:51 -0400 Received: from eggs.gnu.org ([209.51.188.92]:43970) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWZ0-00061r-UV for 41425@debbugs.gnu.org; Wed, 20 May 2020 17:47:47 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59461) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWYv-0003Lz-Js; Wed, 20 May 2020 17:47:41 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56656 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWYu-0007cZ-3e; Wed, 20 May 2020 17:47:40 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 20 May 2020 23:47:24 +0200 Message-Id: <20200520214725.2437-4-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200520214725.2437-1-ludo@gnu.org> References: <20200520214725.2437-1-ludo@gnu.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * guix/channels.scm (latest-channel-instance): Add #:starting-commit and pass it to 'update-cached-checkout'. Return the commit relation as a second value. (ensure-forward-channel-update): New procedure. (latest-channel-instances): Add #:current-channels and #:validate-pull. [current-commit]: New procedure. Pass #:starting-commit to 'latest-channel-instance'. When the returned relation is true, call VALIDATE-PULL. (latest-channel-derivation): Add #:current-channels and #:validate-pull. Pass them to 'latest-channel-instances*'. * tests/channels.scm ("latest-channel-instances #:validate-pull"): New test. --- guix/channels.scm | 89 ++++++++++++++++++++++++++++++++++++++++------ tests/channels.scm | 35 ++++++++++++++++++ 2 files changed, 114 insertions(+), 10 deletions(-) diff --git a/guix/channels.scm b/guix/channels.scm index 75b767a94c..70e2d7f07c 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -73,6 +73,7 @@ channel-instances->manifest %channel-profile-hooks channel-instances->derivation + ensure-forward-channel-update profile-channels @@ -212,15 +213,18 @@ result is unspecified." (loop rest))))) (define* (latest-channel-instance store channel - #:key (patches %patches)) - "Return the latest channel instance for CHANNEL." + #:key (patches %patches) + starting-commit) + "Return two values: the latest channel instance for CHANNEL, and its +relation to STARTING-COMMIT when provided." (define (dot-git? file stat) (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat)))) (let-values (((checkout commit relation) (update-cached-checkout (channel-url channel) - #:ref (channel-reference channel)))) + #:ref (channel-reference channel) + #:starting-commit starting-commit))) (when (guix-channel? channel) ;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is ;; safe to do because 'switch-to-ref' eventually does a hard reset. @@ -229,11 +233,51 @@ result is unspecified." (let* ((name (url+commit->name (channel-url channel) commit)) (checkout (add-to-store store name #t "sha256" checkout #:select? (negate dot-git?)))) - (channel-instance channel commit checkout)))) + (values (channel-instance channel commit checkout) + relation)))) -(define* (latest-channel-instances store channels) +(define (ensure-forward-channel-update channel start instance relation) + "Raise an error if RELATION is not 'ancestor, meaning that START is not an +ancestor of the commit in INSTANCE, unless CHANNEL specifies a commit. + +This procedure implements a channel update policy meant to be used as a +#:validate-pull argument." + (match relation + ('ancestor #t) + ('self #t) + (_ + (raise (apply make-compound-condition + (condition + (&message (message + (format #f (G_ "\ +aborting update of channel '~a' to commit ~a, which is not a descendant of ~a") + (channel-name channel) + (channel-instance-commit instance) + start)))) + + ;; Don't show the hint when the user explicitly specified a + ;; commit in CHANNEL. + (if (channel-commit channel) + '() + (list (condition + (&fix-hint + (hint (G_ "This could indicate that the channel has +been tampered with and is trying to force a roll-back, preventing you from +getting the latest updates. If you think this is not the case, explicitly +allow non-forward updates."))))))))))) + +(define* (latest-channel-instances store channels + #:key + (current-channels '()) + (validate-pull + ensure-forward-channel-update)) "Return a list of channel instances corresponding to the latest checkouts of -CHANNELS and the channels on which they depend." +CHANNELS and the channels on which they depend. + +CURRENT-CHANNELS is the list of currently used channels. It is compared +against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called +for each channel update and can choose to emit warnings or raise an error, +depending on the policy it implements." ;; Only process channels that are unique, or that are more specific than a ;; previous channel specification. (define (ignore? channel others) @@ -244,6 +288,13 @@ CHANNELS and the channels on which they depend." (not (or (channel-commit a) (channel-commit b)))))))) + (define (current-commit name) + ;; Return the current commit for channel NAME. + (any (lambda (channel) + (and (eq? (channel-name channel) name) + (channel-commit channel))) + current-channels)) + (let loop ((channels channels) (previous-channels '())) ;; Accumulate a list of instances. A list of processed channels is also @@ -257,7 +308,15 @@ CHANNELS and the channels on which they depend." (G_ "Updating channel '~a' from Git repository at '~a'...~%") (channel-name channel) (channel-url channel)) - (let ((instance (latest-channel-instance store channel))) + (let*-values (((current) + (current-commit (channel-name channel))) + ((instance relation) + (latest-channel-instance store channel + #:starting-commit + current))) + (when relation + (validate-pull channel current instance relation)) + (let-values (((new-instances new-channels) (loop (channel-instance-dependencies instance) previous-channels))) @@ -617,10 +676,20 @@ channel instances." (define latest-channel-instances* (store-lift latest-channel-instances)) -(define* (latest-channel-derivation #:optional (channels %default-channels)) +(define* (latest-channel-derivation #:optional (channels %default-channels) + #:key + (current-channels '()) + (validate-pull + ensure-forward-channel-update)) "Return as a monadic value the derivation that builds the profile for the -latest instances of CHANNELS." - (mlet %store-monad ((instances (latest-channel-instances* channels))) +latest instances of CHANNELS. CURRENT-CHANNELS and VALIDATE-PULL are passed +to 'latest-channel-instances'." + (mlet %store-monad ((instances + (latest-channel-instances* channels + #:current-channels + current-channels + #:validate-pull + validate-pull))) (channel-instances->derivation instances))) (define (profile-channels profile) diff --git a/tests/channels.scm b/tests/channels.scm index 3578b57204..3b141428c8 100644 --- a/tests/channels.scm +++ b/tests/channels.scm @@ -37,6 +37,7 @@ #:use-module (srfi srfi-34) #:use-module (srfi srfi-35) #:use-module (srfi srfi-64) + #:use-module (ice-9 control) #:use-module (ice-9 match)) (test-begin "channels") @@ -178,6 +179,40 @@ "abc1234"))) instances))))))) +(unless (which (git-command)) (test-skip 1)) +(test-equal "latest-channel-instances #:validate-pull" + 'descendant + + ;; Make sure the #:validate-pull procedure receives the right values. + (let/ec return + (with-temporary-git-repository directory + '((add "a.txt" "A") + (commit "first commit") + (add "b.scm" "#t") + (commit "second commit")) + (with-repository directory repository + (let* ((commit1 (find-commit repository "first")) + (commit2 (find-commit repository "second")) + (spec (channel (url (string-append "file://" directory)) + (name 'foo))) + (new (channel (inherit spec) + (commit (oid->string (commit-id commit2))))) + (old (channel (inherit spec) + (commit (oid->string (commit-id commit1)))))) + (define (validate-pull channel current instance relation) + (return (and (eq? channel old) + (string=? (oid->string (commit-id commit2)) + current) + (string=? (oid->string (commit-id commit1)) + (channel-instance-commit instance)) + relation))) + + (with-store store + ;; Attempt a downgrade from NEW to OLD. + (latest-channel-instances store (list old) + #:current-channels (list new) + #:validate-pull validate-pull))))))) + (test-assert "channel-instances->manifest" ;; Compute the manifest for a graph of instances and make sure we get a ;; derivation graph that mirrors the instance graph. This test also ensures -- 2.26.2 From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 3/5] git: 'update-cached-checkout' returns the commit relation. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 20 May 2020 21:48:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41425@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159001127123238 (code B ref 41425); Wed, 20 May 2020 21:48:03 +0000 Received: (at 41425) by debbugs.gnu.org; 20 May 2020 21:47:51 +0000 Received: from localhost ([127.0.0.1]:54546 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWZ5-00062f-Ay for submit@debbugs.gnu.org; Wed, 20 May 2020 17:47:51 -0400 Received: from eggs.gnu.org ([209.51.188.92]:43958) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWYz-00061p-8o for 41425@debbugs.gnu.org; Wed, 20 May 2020 17:47:49 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59458) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWYt-0003LT-Ir; Wed, 20 May 2020 17:47:39 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56656 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWYs-0007cZ-7Y; Wed, 20 May 2020 17:47:38 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 20 May 2020 23:47:23 +0200 Message-Id: <20200520214725.2437-3-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200520214725.2437-1-ludo@gnu.org> References: <20200520214725.2437-1-ludo@gnu.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * guix/git.scm (update-cached-checkout): Add #:starting-commit parameter. Call 'commit-relation' when #:starting-commit is true. Always return the relation or #f as the third vaule. (latest-repository-commit): Adjust accordingly. * guix/import/opam.scm (get-opam-repository): Likewise. * tests/channels.scm ("latest-channel-instances includes channel dependencies") ("latest-channel-instances excludes duplicate channel dependencies"): Update mock of 'update-cached-checkout' accordingly. --- guix/channels.scm | 2 +- guix/git.scm | 21 ++++++++++++++++----- guix/import/opam.scm | 2 +- tests/channels.scm | 12 ++++++------ 4 files changed, 24 insertions(+), 13 deletions(-) diff --git a/guix/channels.scm b/guix/channels.scm index e0a7a84f55..75b767a94c 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -218,7 +218,7 @@ result is unspecified." (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat)))) - (let-values (((checkout commit) + (let-values (((checkout commit relation) (update-cached-checkout (channel-url channel) #:ref (channel-reference channel)))) (when (guix-channel? channel) diff --git a/guix/git.scm b/guix/git.scm index 249d622756..c197e566db 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -262,14 +262,16 @@ definitely available in REPOSITORY, false otherwise." #:key (ref '(branch . "master")) recursive? + starting-commit (log-port (%make-void-port "w")) (cache-directory (url-cache-directory url (%repository-cache-directory) #:recursive? recursive?))) - "Update the cached checkout of URL to REF in CACHE-DIRECTORY. Return two + "Update the cached checkout of URL to REF in CACHE-DIRECTORY. Return three values: the cache directory name, and the SHA1 commit (a string) corresponding -to REF. +to REF, and the relation of the new commit relative to STARTING-COMMIT (if +provided) as returned by 'commit-relation'. REF is pair whose key is [branch | commit | tag | tag-or-commit ] and value the associated data: [ | | | ]. @@ -302,7 +304,16 @@ When RECURSIVE? is true, check out submodules as well, if any." (remote-fetch (remote-lookup repository "origin")))) (when recursive? (update-submodules repository #:log-port log-port)) - (let ((oid (switch-to-ref repository canonical-ref))) + + ;; Note: call 'commit-relation' from here because it's more efficient + ;; than letting users re-open the checkout later on. + (let* ((oid (switch-to-ref repository canonical-ref)) + (new (commit-lookup repository oid)) + (old (and starting-commit + (commit-lookup repository + (string->oid starting-commit)))) + (relation (and starting-commit + (commit-relation old new)))) ;; Reclaim file descriptors and memory mappings associated with ;; REPOSITORY as soon as possible. @@ -310,7 +321,7 @@ When RECURSIVE? is true, check out submodules as well, if any." 'repository-close!) (repository-close! repository)) - (values cache-directory (oid->string oid)))))) + (values cache-directory (oid->string oid) relation))))) (define* (latest-repository-commit store url #:key @@ -343,7 +354,7 @@ Log progress and checkout info to LOG-PORT." (format log-port "updating checkout of '~a'...~%" url) (let*-values - (((checkout commit) + (((checkout commit _) (update-cached-checkout url #:recursive? recursive? #:ref ref diff --git a/guix/import/opam.scm b/guix/import/opam.scm index ae7df8a8b5..9cda3da006 100644 --- a/guix/import/opam.scm +++ b/guix/import/opam.scm @@ -115,7 +115,7 @@ (define (get-opam-repository) "Update or fetch the latest version of the opam repository and return the path to the repository." - (receive (location commit) + (receive (location commit _) (update-cached-checkout "https://github.com/ocaml/opam-repository") location)) diff --git a/tests/channels.scm b/tests/channels.scm index 910088ba15..3578b57204 100644 --- a/tests/channels.scm +++ b/tests/channels.scm @@ -136,11 +136,11 @@ (url "test"))) (test-dir (channel-instance-checkout instance--simple))) (mock ((guix git) update-cached-checkout - (lambda* (url #:key ref) + (lambda* (url #:key ref starting-commit) (match url - ("test" (values test-dir "caf3cabba9e")) + ("test" (values test-dir "caf3cabba9e" #f)) (_ (values (channel-instance-checkout instance--no-deps) - "abcde1234"))))) + "abcde1234" #f))))) (with-store store (let ((instances (latest-channel-instances store (list channel)))) (and (eq? 2 (length instances)) @@ -155,11 +155,11 @@ (url "test"))) (test-dir (channel-instance-checkout instance--with-dupes))) (mock ((guix git) update-cached-checkout - (lambda* (url #:key ref) + (lambda* (url #:key ref starting-commit) (match url - ("test" (values test-dir "caf3cabba9e")) + ("test" (values test-dir "caf3cabba9e" #f)) (_ (values (channel-instance-checkout instance--no-deps) - "abcde1234"))))) + "abcde1234" #f))))) (with-store store (let ((instances (latest-channel-instances store (list channel)))) (and (= 2 (length instances)) -- 2.26.2 From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 5/5] pull: Protect against downgrade attacks. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 20 May 2020 21:48:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41425@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159001127523254 (code B ref 41425); Wed, 20 May 2020 21:48:03 +0000 Received: (at 41425) by debbugs.gnu.org; 20 May 2020 21:47:55 +0000 Received: from localhost ([127.0.0.1]:54548 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWZ8-00062z-RJ for submit@debbugs.gnu.org; Wed, 20 May 2020 17:47:55 -0400 Received: from eggs.gnu.org ([209.51.188.92]:43974) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWZ2-000625-JM for 41425@debbugs.gnu.org; Wed, 20 May 2020 17:47:52 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59462) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWYx-0003M6-AT; Wed, 20 May 2020 17:47:43 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56656 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWYv-0007cZ-TH; Wed, 20 May 2020 17:47:42 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 20 May 2020 23:47:25 +0200 Message-Id: <20200520214725.2437-5-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200520214725.2437-1-ludo@gnu.org> References: <20200520214725.2437-1-ludo@gnu.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * guix/scripts/pull.scm (%default-options): Add 'validate-pull'. (%options, show-help): Add '--allow-downgrades'. (warn-about-backward-updates): New procedure. (guix-pull): Pass #:current-channels and #:validate-pull to 'latest-channel-instances'. * guix/channels.scm (ensure-forward-channel-update): Add hint for when (channel-commit channel) is true. * doc/guix.texi (Invoking guix pull): Document '--allow-downgrades'. --- doc/guix.texi | 15 +++++++++++++++ guix/channels.scm | 34 +++++++++++++++++++--------------- guix/scripts/pull.scm | 35 ++++++++++++++++++++++++++++++++--- 3 files changed, 66 insertions(+), 18 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index eef5b703fe..79ed260a85 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -3900,6 +3900,21 @@ Use @var{profile} instead of @file{~/.config/guix/current}. Show which channel commit(s) would be used and what would be built or substituted but do not actually do it. +@item --allow-downgrades +Allow pulling older or unrelated revisions of channels than those +currently in use. + +@cindex downgrade attacks, protection against +By default, @command{guix pull} protects against so-called ``downgrade +attacks'' whereby the Git repository of a channel would be reset to an +earlier or unrelated revision of itself, potentially leading you to +install older, known-vulnerable versions of software packages. + +@quotation Note +Make sure you understand its security implications before using +@option{--allow-downgrades}. +@end quotation + @item --system=@var{system} @itemx -s @var{system} Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of diff --git a/guix/channels.scm b/guix/channels.scm index 70e2d7f07c..84c47fc0d0 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -246,25 +246,29 @@ This procedure implements a channel update policy meant to be used as a ('ancestor #t) ('self #t) (_ - (raise (apply make-compound-condition - (condition - (&message (message - (format #f (G_ "\ + (raise (make-compound-condition + (condition + (&message (message + (format #f (G_ "\ aborting update of channel '~a' to commit ~a, which is not a descendant of ~a") - (channel-name channel) - (channel-instance-commit instance) - start)))) + (channel-name channel) + (channel-instance-commit instance) + start)))) - ;; Don't show the hint when the user explicitly specified a - ;; commit in CHANNEL. - (if (channel-commit channel) - '() - (list (condition - (&fix-hint - (hint (G_ "This could indicate that the channel has + ;; If the user asked for a specific commit, they might want + ;; that to happen nevertheless, so tell them about the + ;; relevant 'guix pull' option. + (if (channel-commit channel) + (condition + (&fix-hint + (hint (G_ "Use @option{--allow-downgrades} to force +this downgrade.")))) + (condition + (&fix-hint + (hint (G_ "This could indicate that the channel has been tampered with and is trying to force a roll-back, preventing you from getting the latest updates. If you think this is not the case, explicitly -allow non-forward updates."))))))))))) +allow non-forward updates.")))))))))) (define* (latest-channel-instances store channels #:key diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index dfe7ee7ad5..c386d81b8e 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -81,7 +81,8 @@ (multiplexed-build-output? . #t) (graft? . #t) (debug . 0) - (verbosity . 1))) + (verbosity . 1) + (validate-pull . ,ensure-forward-channel-update))) (define (show-help) (display (G_ "Usage: guix pull [OPTION]... @@ -94,6 +95,8 @@ Download and deploy the latest version of Guix.\n")) --commit=COMMIT download the specified COMMIT")) (display (G_ " --branch=BRANCH download the tip of the specified BRANCH")) + (display (G_ " + --allow-downgrades allow downgrades to earlier channel revisions")) (display (G_ " -N, --news display news compared to the previous generation")) (display (G_ " @@ -158,6 +161,10 @@ Download and deploy the latest version of Guix.\n")) (option '("branch") #t #f (lambda (opt name arg result) (alist-cons 'ref `(branch . ,arg) result))) + (option '("allow-downgrades") #f #f + (lambda (opt name arg result) + (alist-cons 'validate-pull warn-about-backward-updates + result))) (option '(#\p "profile") #t #f (lambda (opt name arg result) (alist-cons 'profile (canonicalize-profile arg) @@ -188,6 +195,21 @@ Download and deploy the latest version of Guix.\n")) %standard-build-options)) +(define (warn-about-backward-updates channel start instance relation) + "Warn about non-forward updates of CHANNEL from START to INSTANCE, without +aborting." + (match relation + ((or 'ancestor 'self) + #t) + ('descendant + (warning (G_ "rolling back channel '~a' from ~a to ~a~%") + (channel-name channel) start + (channel-instance-commit instance))) + ('unrelated + (warning (G_ "moving channel '~a' from ~a to unrelated commit ~a~%") + (channel-name channel) start + (channel-instance-commit instance))))) + (define* (display-profile-news profile #:key concise? current-is-newer?) "Display what's up in PROFILE--new packages, and all that. If @@ -749,7 +771,9 @@ Use '~/.config/guix/channels.scm' instead.")) (substitutes? (assoc-ref opts 'substitutes?)) (dry-run? (assoc-ref opts 'dry-run?)) (channels (channel-list opts)) - (profile (or (assoc-ref opts 'profile) %current-profile))) + (profile (or (assoc-ref opts 'profile) %current-profile)) + (current-channels (profile-channels profile)) + (validate-pull (assoc-ref opts 'validate-pull))) (cond ((assoc-ref opts 'query) (process-query opts profile)) ((assoc-ref opts 'generation) @@ -766,7 +790,12 @@ Use '~/.config/guix/channels.scm' instead.")) (ensure-default-profile) (honor-x509-certificates store) - (let ((instances (latest-channel-instances store channels))) + (let ((instances + (latest-channel-instances store channels + #:current-channels + current-channels + #:validate-pull + validate-pull))) (format (current-error-port) (N_ "Building from this channel:~%" "Building from these channels:~%" -- 2.26.2 From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Resent-From: zimoun Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 21 May 2020 14:07:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 41425@debbugs.gnu.org Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159007000613517 (code B ref 41425); Thu, 21 May 2020 14:07:02 +0000 Received: (at 41425) by debbugs.gnu.org; 21 May 2020 14:06:46 +0000 Received: from localhost ([127.0.0.1]:57036 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jblqQ-0003Vx-4p for submit@debbugs.gnu.org; Thu, 21 May 2020 10:06:46 -0400 Received: from mail-qt1-f196.google.com ([209.85.160.196]:35543) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jblqO-0003Vj-Tk for 41425@debbugs.gnu.org; Thu, 21 May 2020 10:06:45 -0400 Received: by mail-qt1-f196.google.com with SMTP id z18so5561108qto.2 for <41425@debbugs.gnu.org>; Thu, 21 May 2020 07:06:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=aYkHAy45kr9luAkTZt1RMcOmKTYdmkq9pjMSu518LuU=; b=QhReLDTCjqZzg+RwFK94mnmC9S4YseqMqe+hcY5FryEcRl9WKM7YM6geTIfEmzr6cv MT3dk0gt4CLzgOqmEq6BzjOV5HSghAtINGwHHp/IFxBxOwKYT/6dHpEYbRBEaRCI5xlj QxH52KGl/7jIjdb7QCqO/BL01dmVe1otG3UuR8gfEd8zT/dGCtChhvAReb74OzZ2cqAK HN/OYPoeeVZ7Zn/aliP3Yv5Y+felcUawcIDiiWtI2b2ABwrb04uymYlJ2ahVDSUijArx bbFJJgwUuRx8+8Sx4+9NpxnLdhLisPJXqzLYH1ZXCZiFFMdGDcqgWfn7aFcKMUVxEUch fW8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=aYkHAy45kr9luAkTZt1RMcOmKTYdmkq9pjMSu518LuU=; b=cARiCBjU5JtUHeL70Y/fOAkGEGYCJ8ZmmgvrcA5TIqU4Oin0i3a4V7GaaUVGF3amVG TVn4yOOzw9uBRBuxSMTO3PRBuhf0IfN02jSLqehtX2Ud0RJphfa3TlkY8YHtdL2y1ilb grn2S8uP6y7DdOV5NNJISbD7D0vuRDEqGp8nJzqbzFnIRPX6WHLuYnsW/ZI7FJwt9uh+ WdbXjQRD2MO1QBUSk3yB/i9in2aGlDxLD91J3Ip6xP96AIGu71aDLQINmVDMBhe75wMv 5B3zanagbrfpd2+RR7Rg00MupYPMgbr6kkb8lDxlahQsIHq3uJ0BH2kD99stBg5ytRsP r36Q== X-Gm-Message-State: AOAM530k8idySsPG1ypc1uEwG+vrOHnkarB1OKy7eoUYymR+U/jN5jMs xk6kPM/TlYvp2QuOUgqa+WVQdBWopX9YraizAps= X-Google-Smtp-Source: ABdhPJyl6jhtWXMSSZiVb9JHeNb2O7M8wffDIcIurXfvdrpN6EC7DOKeARFHS2o/DDuj0lRzrsBOStKpSVm1zd/n/jc= X-Received: by 2002:aed:2062:: with SMTP id 89mr10416443qta.327.1590069999152; Thu, 21 May 2020 07:06:39 -0700 (PDT) MIME-Version: 1.0 References: <20200520213802.2170-1-ludo@gnu.org> In-Reply-To: <20200520213802.2170-1-ludo@gnu.org> From: zimoun Date: Thu, 21 May 2020 16:06:27 +0200 Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Ludo, On Wed, 20 May 2020 at 23:39, Ludovic Court=C3=A8s wrote: > By default =E2=80=98guix pull=E2=80=99 would now error out if the target = commit of a > channel is not a descendant of the currently-used commit, according to > the commit graph. There=E2=80=99s an option to bypass that. =E2=80=98gu= ix > time-machine=E2=80=99 behavior is unchanged though: it never complains. What is the extra time cost of such check? Well, it depends on the "distance" between the 2 commits and maybe the complexity of the graph -- it it not clear what happen for complex merge -- but say pulling once a month. It is not easy -- nor impossible -- to evaluate such cost at the level of "guix pull". And I failed to evaluate it using 'commit-relation' with "guix repl" -- Segmentation fault with commit c81457a5883ea43950eb2ecdcbb58a5b144bcd11 and 4bdf4182fe080c3409f6ef9b410146b67cfa2595; probably because I did used correctly the API. Well, what will be the timing impact of checking the "fast-fowardness"? All the best, simon From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 22 May 2020 13:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: zimoun Cc: 41425@debbugs.gnu.org Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.15901557812908 (code B ref 41425); Fri, 22 May 2020 13:57:02 +0000 Received: (at 41425) by debbugs.gnu.org; 22 May 2020 13:56:21 +0000 Received: from localhost ([127.0.0.1]:59912 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jc89t-0000kq-46 for submit@debbugs.gnu.org; Fri, 22 May 2020 09:56:21 -0400 Received: from eggs.gnu.org ([209.51.188.92]:44836) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jc89d-0000kS-8f for 41425@debbugs.gnu.org; Fri, 22 May 2020 09:56:19 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:48762) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jc89X-0003Mc-KG; Fri, 22 May 2020 09:55:59 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=49326 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jc89W-0001to-Uz; Fri, 22 May 2020 09:55:59 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <20200520213802.2170-1-ludo@gnu.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 4 Prairial an 228 de la =?UTF-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Fri, 22 May 2020 15:55:56 +0200 In-Reply-To: (zimoun's message of "Thu, 21 May 2020 16:06:27 +0200") Message-ID: <87r1vc9iqb.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi Simon, zimoun skribis: > On Wed, 20 May 2020 at 23:39, Ludovic Court=C3=A8s wrote: > >> By default =E2=80=98guix pull=E2=80=99 would now error out if the target= commit of a >> channel is not a descendant of the currently-used commit, according to >> the commit graph. There=E2=80=99s an option to bypass that. =E2=80=98g= uix >> time-machine=E2=80=99 behavior is unchanged though: it never complains. > > What is the extra time cost of such check? The problem is not the cost. =E2=80=98guix pull=E2=80=99 compares the targ= et commit(s) against the commit(s) of the currently-used =E2=80=98guix=E2=80=99; it can = clearly see if it=E2=80=99s a forward pull or not. However, in the case of =E2=80=98guix time-machine=E2=80=99, there=E2=80=99= s nothing to compare against (it=E2=80=99s a bit like a fresh =E2=80=98git clone=E2=80=99 as opp= osed to a =E2=80=98git pull=E2=80=99, if you see what I mean.) Additionally, the purpose of =E2=80=98guix time-machine=E2=80=99 is to trav= el in time, usually in the past, so it would be inconvenient to get warnings or errors every time. > It is not easy -- nor impossible -- to evaluate such cost at the level > of "guix pull". And I failed to evaluate it using 'commit-relation' > with "guix repl" -- Segmentation fault with commit > c81457a5883ea43950eb2ecdcbb58a5b144bcd11 and > 4bdf4182fe080c3409f6ef9b410146b67cfa2595; probably because I did used > correctly the API. How can I reproduce the issue? > Well, what will be the timing impact of checking the "fast-fowardness"? I haven=E2=80=99t measured it, but it=E2=80=99s small compared to the cost = of fetching the new revisions and performing the checkout. It=E2=80=99s roughly what = =E2=80=98git pull=E2=80=99 does, although =E2=80=98git pull=E2=80=99 is probably faster = because it=E2=80=99s in C and has been well optimized over the years. Thanks for your feedback! Ludo=E2=80=99. From unknown Sun Jun 22 17:15:22 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Subject: bug#41425: closed (Re: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks) Message-ID: References: <874ks5xa7q.fsf@gnu.org> <20200520213802.2170-1-ludo@gnu.org> X-Gnu-PR-Message: they-closed 41425 X-Gnu-PR-Package: guix-patches X-Gnu-PR-Keywords: patch Reply-To: 41425@debbugs.gnu.org Date: Sun, 24 May 2020 22:03:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1590357782-32334-1" This is a multi-part message in MIME format... ------------=_1590357782-32334-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #41425: [PATCH 0/5] Have 'guix pull' protect against downgrade attacks which was filed against the guix-patches package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 41425@debbugs.gnu.org. --=20 41425: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D41425 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1590357782-32334-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 41425-done) by debbugs.gnu.org; 24 May 2020 22:02:58 +0000 Received: from localhost ([127.0.0.1]:38974 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jcyhu-0008PG-0l for submit@debbugs.gnu.org; Sun, 24 May 2020 18:02:58 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42524) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jcyhs-0008P4-Th for 41425-done@debbugs.gnu.org; Sun, 24 May 2020 18:02:57 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:38217) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jcyhn-0007yI-LJ for 41425-done@debbugs.gnu.org; Sun, 24 May 2020 18:02:51 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=44418 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jcyhn-0002TV-44 for 41425-done@debbugs.gnu.org; Sun, 24 May 2020 18:02:51 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: 41425-done@debbugs.gnu.org Subject: Re: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks References: <20200520213802.2170-1-ludo@gnu.org> Date: Mon, 25 May 2020 00:02:49 +0200 In-Reply-To: <20200520213802.2170-1-ludo@gnu.org> ("Ludovic \=\?utf-8\?Q\?Cour\?\= \=\?utf-8\?Q\?t\=C3\=A8s\=22's\?\= message of "Wed, 20 May 2020 23:38:02 +0200") Message-ID: <874ks5xa7q.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 41425-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Pushed! 9744cc7b46 pull: Protect against downgrade attacks. 872898f768 channels: 'latest-channel-instances' guards against non-forwar= d updates. 8d1d56578a git: 'update-cached-checkout' returns the commit relation. 9b049de84e channels: 'latest-channel-instances' doesn't leak internal sta= te. c098c11be8 git: Add 'commit-relation'. One step closer to addressing =E2=80=A6 Ludo=E2=80=99. ------------=_1590357782-32334-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 20 May 2020 21:38:16 +0000 Received: from localhost ([127.0.0.1]:54516 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWPo-0005mQ-J1 for submit@debbugs.gnu.org; Wed, 20 May 2020 17:38:16 -0400 Received: from lists.gnu.org ([209.51.188.17]:50122) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWPn-0005mJ-4T for submit@debbugs.gnu.org; Wed, 20 May 2020 17:38:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:49986) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jbWPm-0003SJ-Tw for guix-patches@gnu.org; Wed, 20 May 2020 17:38:14 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59142) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWPm-00014T-L5; Wed, 20 May 2020 17:38:14 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56646 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWPl-0006fi-Mt; Wed, 20 May 2020 17:38:13 -0400 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= To: guix-patches@gnu.org Subject: [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Date: Wed, 20 May 2020 23:38:02 +0200 Message-Id: <20200520213802.2170-1-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit Cc: =?UTF-8?q?Ludovic=20Court=C3=A8s?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hello! This patch series aims to protect against “downgrade attacks”, whereby a “guix pull” command would in fact deploy an older or an unrelated revision of Guix, potentially leading you to install vulnerable or malicious software. By default ‘guix pull’ would now error out if the target commit of a channel is not a descendant of the currently-used commit, according to the commit graph. There’s an option to bypass that. ‘guix time-machine’ behavior is unchanged though: it never complains. This is generally useful and it’s a requirement for authenticated checkouts as discussed in , otherwise one could easily escape the intended authentication scheme by branching and providing a different ‘.guix-authorizations’ file. Feedback welcome! Ludo’. Ludovic Courtès (5): git: Add 'commit-relation'. channels: 'latest-channel-instances' doesn't leak internal state. git: 'update-cached-checkout' returns the commit relation. channels: 'latest-channel-instances' guards against non-forward updates. pull: Protect against downgrade attacks. doc/guix.texi | 15 ++++ guix/channels.scm | 156 ++++++++++++++++++++++++++++++------------ guix/git.scm | 37 ++++++++-- guix/import/opam.scm | 2 +- guix/scripts/pull.scm | 35 +++++++++- tests/channels.scm | 47 +++++++++++-- tests/git.scm | 42 +++++++++++- 7 files changed, 276 insertions(+), 58 deletions(-) -- 2.26.2 ------------=_1590357782-32334-1-- From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Resent-From: zimoun Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Mon, 25 May 2020 14:38:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 41425@debbugs.gnu.org Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.15904174317009 (code B ref 41425); Mon, 25 May 2020 14:38:02 +0000 Received: (at 41425) by debbugs.gnu.org; 25 May 2020 14:37:11 +0000 Received: from localhost ([127.0.0.1]:42083 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jdEE2-0001oz-Oe for submit@debbugs.gnu.org; Mon, 25 May 2020 10:37:11 -0400 Received: from mail-qv1-f66.google.com ([209.85.219.66]:38162) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jdEE0-0001ok-V9 for 41425@debbugs.gnu.org; Mon, 25 May 2020 10:37:09 -0400 Received: by mail-qv1-f66.google.com with SMTP id fb16so8114521qvb.5 for <41425@debbugs.gnu.org>; Mon, 25 May 2020 07:37:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=qYdzml2Lf9fszqonwnVcqb4YrHXnHqJ1HEYgbf1KEtE=; b=C/jn1cigha/462sbcadqT/3e/U7pLTVKRKh4jcQwX4xguM/5tczq61DEMRLxqXlo2r 2jqZOUw9TbfG0SWLXSgbTm/DMvlz94hf1vSkE82vCANl+w5/5HJ4DgUXh2JZim6lNiiM Bw+roz7L/NIdQlkb/lU6BvzJfVEhZUaKqptvj8/1HXqoFGZAZ/K05Qb6jxrCJdQ7vvhc VTFXPQ2FA5VfPfuHhbnHuZDWzIeiqghimDALbGkZH+qUaItdT1NQ8Xo8BF24WC1BXfLZ FD/K+376yRhF+INmNN/JbFffzqHALm3VhmokpAQzPQA+39GBFaRVFJ2OneGYfP9n9Gb0 YAIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=qYdzml2Lf9fszqonwnVcqb4YrHXnHqJ1HEYgbf1KEtE=; b=PvWr+pkfx44sjupuVdPiWviGVgyIikDoxoiXYsUvPppNh20JAqlUhlw5E+eUjhpE8v RJyapwTeY6HbFiiGZzdszZXNnppGOzBJgEzTaGLe2fZOV7ONO2dStS4vUTU7PfAaE1+5 LPAO4bPZmHaqgzQazdlNK0L3f96lvv5CcK5PDEABxC74T+YYJY6J8xN2B1yba5p9pES9 rFT4w2W6kjnaY7R1Fb83D0kXqy1XTe50mUw8GRoxCKqDo+xaR3Df6zQgCNokAYQjzJfH GS8fPI1sxcU9lQuQaiY4YdOamOP36TGV/OU8zhB+78uEXTuEZZVNJk61ag6ACiRw7b4w DXig== X-Gm-Message-State: AOAM5308vGjruTUMcUTLGApc9WJS2zPVHUnrJ50rOFEQ572nVfD6ynlv DXQ3Ndtz+NWWkrWnAJAHDalO9kVOCyDCvo7OOMZNMsVQ X-Google-Smtp-Source: ABdhPJyej4Rq1QULg7RnyEAOajWTrsMTCnjSVLhRov+0v9xjQFRNasq2Ss9yELae5v+e0IN4BjRP+CONyLyaSGVrd4k= X-Received: by 2002:a05:6214:1932:: with SMTP id es18mr15916899qvb.6.1590417423144; Mon, 25 May 2020 07:37:03 -0700 (PDT) MIME-Version: 1.0 References: <20200520213802.2170-1-ludo@gnu.org> <87r1vc9iqb.fsf@gnu.org> In-Reply-To: <87r1vc9iqb.fsf@gnu.org> From: zimoun Date: Mon, 25 May 2020 16:36:52 +0200 Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) On Fri, 22 May 2020 at 15:56, Ludovic Court=C3=A8s wrote: > > It is not easy -- nor impossible -- to evaluate such cost at the level > > of "guix pull". And I failed to evaluate it using 'commit-relation' > > with "guix repl" -- Segmentation fault with commit > > c81457a5883ea43950eb2ecdcbb58a5b144bcd11 and > > 4bdf4182fe080c3409f6ef9b410146b67cfa2595; probably because I did used > > correctly the API. Obviously, one had to read "probably I did *not* used correctly the API". := -) > How can I reproduce the issue? --8<---------------cut here---------------start------------->8--- (use-modules (guix git) (guix channels) (guix tests git) (git)) (define url-cache-directory (@@ (guix git) url-cache-directory)) (define dir (url-cache-directory (channel-url (car %default-channels)))) (define merge (with-repository dir repo (find-commit repo "Merge"))) merge ;; $1 =3D # (define left (car (commit-parents merge))) left ;; $2 =3D # (commit-relation left merge) Segmentation fault --8<---------------cut here---------------end--------------->8--- Because of 'commit-closure'. I do not know if it is the correct use of the API; and because I do not know how to get easily a commit, I use 'find-commit' which is not nice. > > Well, what will be the timing impact of checking the "fast-fowardness"? > > I haven=E2=80=99t measured it, but it=E2=80=99s small compared to the cos= t of fetching > the new revisions and performing the checkout. It=E2=80=99s roughly what= =E2=80=98git > pull=E2=80=99 does, although =E2=80=98git pull=E2=80=99 is probably faste= r because it=E2=80=99s in C and > has been well optimized over the years. My "worry" is about the complexity of the graph because 'commit-relation' walks somehow the graph of commits. Cheers, simon From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 27 May 2020 16:33:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: zimoun Cc: 41425@debbugs.gnu.org Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159059714918770 (code B ref 41425); Wed, 27 May 2020 16:33:02 +0000 Received: (at 41425) by debbugs.gnu.org; 27 May 2020 16:32:29 +0000 Received: from localhost ([127.0.0.1]:49835 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jdyyj-0004sf-0w for submit@debbugs.gnu.org; Wed, 27 May 2020 12:32:29 -0400 Received: from eggs.gnu.org ([209.51.188.92]:51778) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jdyyf-0004sO-4F for 41425@debbugs.gnu.org; Wed, 27 May 2020 12:32:27 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:39932) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jdyyZ-0003Bn-QT; Wed, 27 May 2020 12:32:19 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=35654 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jdyyZ-0001oT-4q; Wed, 27 May 2020 12:32:19 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <20200520213802.2170-1-ludo@gnu.org> <87r1vc9iqb.fsf@gnu.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 9 Prairial an 228 de la =?UTF-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Wed, 27 May 2020 18:32:17 +0200 In-Reply-To: (zimoun's message of "Mon, 25 May 2020 16:36:52 +0200") Message-ID: <87v9khjq3y.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi, zimoun skribis: > (use-modules (guix git) (guix channels) (guix tests git) (git)) > (define url-cache-directory (@@ (guix git) url-cache-directory)) > (define dir (url-cache-directory (channel-url (car %default-channels)))) > (define merge (with-repository dir repo (find-commit repo "Merge"))) > merge > ;; $1 =3D # > (define left (car (commit-parents merge))) > left > ;; $2 =3D # > (commit-relation left merge) > Segmentation fault It took me a while to notice, but the problem with the code above is that =E2=80=98repo=E2=80=99 is closed when you call =E2=80=98commit-relatio= n=E2=80=99, and thus the commit objects are invalid. It works if you keep =E2=80=98repo=E2=80=99 al= ive: --8<---------------cut here---------------start------------->8--- $ guix describe Generacio 145 May 25 2020 00:37:58 (nuna) guix 9744cc7 repository URL: https://git.savannah.gnu.org/git/guix.git branch: master commit: 9744cc7b4636fafb772c94adb8f05961b5b39f16 $ guix repl GNU Guile 3.0.2 Copyright (C) 1995-2020 Free Software Foundation, Inc. Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'. This program is free software, and you are welcome to redistribute it under certain conditions; type `,show c' for details. Enter `,help' for help. scheme@(guix-user)> (use-modules (guix git) (guix channels) (guix tests git= ) (git)) (define url-cache-directory (@@ (guix git) url-cache-directory)) (define dir (url-cache-directory (channel-url (car %default-channels)))) ;;; :2:0: warning: possibly unused local top-level variable `url-cac= he-directory' ;;; :3:0: warning: possibly unused local top-level variable `dir' scheme@(guix-user)> (define repo (repository-open dir)) ;;; :4:0: warning: possibly unused local top-level variable `repo' scheme@(guix-user)> (define merge (find-commit repo "Merge")) ;;; :5:0: warning: possibly unused local top-level variable `merge' scheme@(guix-user)> merge $1 =3D # scheme@(guix-user)> (define left (car (commit-parents merge))) left ;;; :7:0: warning: possibly unused local top-level variable `left' $2 =3D # scheme@(guix-user)> (commit-relation left merge) $3 =3D ancestor scheme@(guix-user)> (gc) scheme@(guix-user)> (commit-relation left merge) $4 =3D ancestor --8<---------------cut here---------------end--------------->8--- The solution in such cases is to synchronize the object lifetimes. In this case, commits would keep a reference to the repository object to prevent it from being GC=E2=80=99d, as is done with =E2=80=98%submodule-own= ers=E2=80=99 in (git submodule). Could you make an issue over at ? Thanks, Ludo=E2=80=99. From unknown Sun Jun 22 17:15:22 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks Resent-From: zimoun Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 28 May 2020 08:07:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 41425@debbugs.gnu.org Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159065320219259 (code B ref 41425); Thu, 28 May 2020 08:07:01 +0000 Received: (at 41425) by debbugs.gnu.org; 28 May 2020 08:06:42 +0000 Received: from localhost ([127.0.0.1]:50879 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jeDYZ-0004zr-Oa for submit@debbugs.gnu.org; Thu, 28 May 2020 04:06:42 -0400 Received: from mail-qk1-f194.google.com ([209.85.222.194]:44756) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jeDYW-0004zb-QY for 41425@debbugs.gnu.org; Thu, 28 May 2020 04:06:26 -0400 Received: by mail-qk1-f194.google.com with SMTP id b6so2243233qkh.11 for <41425@debbugs.gnu.org>; Thu, 28 May 2020 01:06:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=zsEBEL3tVKTlXNc3/gNQk46no7tVOBCsEVSEpDpQNug=; b=dcDLPxX2YEQfpNS6TZA/loFGG+hlGBi/0lo45bXfnoOdxLtNWCvXeJu//mjYRQc/yJ 9LguGyYE7pNtiIW5pdoY6X1MxMp9B3dEYGXDsA2jEGF5Wt3U55iBWjmTfUFvbpvVQ+3Q ZY/i5Fo5fPmWqxGDkvbxdRfZUn9COfsXsjLuuR5AU0arTyI44WkYa2C0QSWxWhoX0hON pnQxA+hm9avvRdfpBD8X54pcahyyZrkMDngYffQ8bIvyYV15WunyQ3OIhgyr9gGseZso 0RsPTzWeiUx3Pee5JYh/nAdgt7u0Xp/zhk9mNG4EzgSWF/Xj37zhlP4la1uw0L1rQJi6 sBVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=zsEBEL3tVKTlXNc3/gNQk46no7tVOBCsEVSEpDpQNug=; b=JYpXYzPMHA5dw6SLYv7Zzlo/T2+hjq9VyS5MCaiLdIGOeh2CLfrX52cgiNGOdA0qgQ AzzAXJGT7lMBGPesjORRj1XrogYE/6Z4f8PanGeX2Nqld4kt/vUjhydh2Upi7jEm96Dy JuJce5LOAVPCgez/saXFGoCSpiY8GL9541lFy2gxIRteDA0ld//pDvEGLnPxREdNZ3Sf ibb42cvoJJSvfOYFn4NgCuTk2pP2KzjzIoH/mSYrlU4TgS5h4+lNY8EE9JPukCxTO9SM iLZ5JVy8jdX+rtTb0GwTtwAhpmWdKZ/9kMJtwChXIhAWoQHGY4CClLln21nstpeVIXyb PlPw== X-Gm-Message-State: AOAM530/R4x3KuJjuN39bwZUTdwghJGVyg2x7HHcgsgsXWfgIbU3NTqA HX2lHZPyysNSrzcBF9GIhl0CpfU0tSEWeQxA5x2IF0Wi X-Google-Smtp-Source: ABdhPJxd19Uz/fh5UEJfBLw8r6Ba2/kfkQitFgni1h4VbnTPVeqJSJvK23jMCOacG23gxS0TI0WhEZJQvymf5hR9N0I= X-Received: by 2002:a37:4b88:: with SMTP id y130mr1582202qka.80.1590653179100; Thu, 28 May 2020 01:06:19 -0700 (PDT) MIME-Version: 1.0 References: <20200520213802.2170-1-ludo@gnu.org> <87r1vc9iqb.fsf@gnu.org> <87v9khjq3y.fsf@gnu.org> In-Reply-To: <87v9khjq3y.fsf@gnu.org> From: zimoun Date: Thu, 28 May 2020 10:06:07 +0200 Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Ludo, On Wed, 27 May 2020 at 18:32, Ludovic Court=C3=A8s wrote: > > (commit-relation left merge) > > Segmentation fault > > It took me a while to notice, but the problem with the code above is > that =E2=80=98repo=E2=80=99 is closed when you call =E2=80=98commit-relat= ion=E2=80=99, and thus the > commit objects are invalid. It works if you keep =E2=80=98repo=E2=80=99 = alive: It make totally sense. Thank you for the explanations. > --8<---------------cut here---------------start------------->8--- > $ guix describe > Generacio 145 May 25 2020 00:37:58 (nuna) > guix 9744cc7 > repository URL: https://git.savannah.gnu.org/git/guix.git > branch: master > commit: 9744cc7b4636fafb772c94adb8f05961b5b39f16 > $ guix repl > GNU Guile 3.0.2 > Copyright (C) 1995-2020 Free Software Foundation, Inc. > > Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'. > This program is free software, and you are welcome to redistribute it > under certain conditions; type `,show c' for details. > > Enter `,help' for help. > scheme@(guix-user)> (use-modules (guix git) (guix channels) (guix tests g= it) (git)) > (define url-cache-directory (@@ (guix git) url-cache-directory)) > (define dir (url-cache-directory (channel-url (car %default-channels)))) > ;;; :2:0: warning: possibly unused local top-level variable `url-c= ache-directory' > ;;; :3:0: warning: possibly unused local top-level variable `dir' > scheme@(guix-user)> (define repo (repository-open dir)) > ;;; :4:0: warning: possibly unused local top-level variable `repo' > scheme@(guix-user)> (define merge (find-commit repo "Merge")) > ;;; :5:0: warning: possibly unused local top-level variable `merge= ' > scheme@(guix-user)> merge > $1 =3D # > scheme@(guix-user)> (define left (car (commit-parents merge))) > left > ;;; :7:0: warning: possibly unused local top-level variable `left' > $2 =3D # > scheme@(guix-user)> (commit-relation left merge) > $3 =3D ancestor > scheme@(guix-user)> (gc) > scheme@(guix-user)> (commit-relation left merge) > $4 =3D ancestor > --8<---------------cut here---------------end--------------->8--- Well, the '(gc)' has no effect here because 'repo' is still alive and thus the reference too. Instead, an example would be: --8<---------------cut here---------------start------------->8--- [...] scheme@(guix-user)> (commit-relation left merge) $3 =3D ancestor scheme@(guix-user)> (define repo 42) scheme@(guix-user)> (commit-relation left merge) $4 =3D ancestor scheme@(guix-user)> (gc) scheme@(guix-user)> (commit-relation left merge) Segmentation fault --8<---------------cut here---------------end--------------->8--- isn't? Which is somehow the same than the initial example. > The solution in such cases is to synchronize the object lifetimes. In > this case, commits would keep a reference to the repository object to > prevent it from being GC=E2=80=99d, as is done with =E2=80=98%submodule-o= wners=E2=80=99 in (git > submodule). I think I understand. > Could you make an issue over at > ? I will. Thank you for the explanation.