GNU bug report logs -
#41425
[PATCH 0/5] Have 'guix pull' protect against downgrade attacks
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Wed, 20 May 2020 21:39:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Hello!
This patch series aims to protect against “downgrade attacks”, whereby
a “guix pull” command would in fact deploy an older or an unrelated
revision of Guix, potentially leading you to install vulnerable or
malicious software.
By default ‘guix pull’ would now error out if the target commit of a
channel is not a descendant of the currently-used commit, according to
the commit graph. There’s an option to bypass that. ‘guix
time-machine’ behavior is unchanged though: it never complains.
This is generally useful and it’s a requirement for authenticated
checkouts as discussed in <https://issues.guix.gnu.org/22883>,
otherwise one could easily escape the intended authentication scheme
by branching and providing a different ‘.guix-authorizations’ file.
Feedback welcome!
Ludo’.
Ludovic Courtès (5):
git: Add 'commit-relation'.
channels: 'latest-channel-instances' doesn't leak internal state.
git: 'update-cached-checkout' returns the commit relation.
channels: 'latest-channel-instances' guards against non-forward
updates.
pull: Protect against downgrade attacks.
doc/guix.texi | 15 ++++
guix/channels.scm | 156 ++++++++++++++++++++++++++++++------------
guix/git.scm | 37 ++++++++--
guix/import/opam.scm | 2 +-
guix/scripts/pull.scm | 35 +++++++++-
tests/channels.scm | 47 +++++++++++--
tests/git.scm | 42 +++++++++++-
7 files changed, 276 insertions(+), 58 deletions(-)
--
2.26.2
This bug report was last modified 5 years and 15 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.