GNU bug report logs - #41425
[PATCH 0/5] Have 'guix pull' protect against downgrade attacks

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: bug#41425: closed (Re: [bug#41425] [PATCH 0/5] Have 'guix pull'
 protect against downgrade attacks)
Date: Sun, 24 May 2020 22:03:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#41425: [PATCH 0/5] Have 'guix pull' protect against downgrade attacks

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 41425 <at> debbugs.gnu.org.

-- 
41425: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=41425
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Ludovic Courtès <ludo <at> gnu.org>
To: 41425-done <at> debbugs.gnu.org
Subject: Re: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against
 downgrade attacks
Date: Mon, 25 May 2020 00:02:49 +0200

Pushed!

  9744cc7b46 pull: Protect against downgrade attacks.
  872898f768 channels: 'latest-channel-instances' guards against non-forward updates.
  8d1d56578a git: 'update-cached-checkout' returns the commit relation.
  9b049de84e channels: 'latest-channel-instances' doesn't leak internal state.
  c098c11be8 git: Add 'commit-relation'.

One step closer to addressing <https://issues.guix.gnu.org/22883>…

Ludo’.

[Message part 3 (message/rfc822, inline)]

From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 0/5] Have 'guix pull' protect against downgrade attacks
Date: Wed, 20 May 2020 23:38:02 +0200

Hello!

This patch series aims to protect against “downgrade attacks”, whereby
a “guix pull” command would in fact deploy an older or an unrelated
revision of Guix, potentially leading you to install vulnerable or
malicious software.

By default ‘guix pull’ would now error out if the target commit of a
channel is not a descendant of the currently-used commit, according to
the commit graph.  There’s an option to bypass that.  ‘guix
time-machine’ behavior is unchanged though: it never complains.

This is generally useful and it’s a requirement for authenticated
checkouts as discussed in <https://issues.guix.gnu.org/22883>,
otherwise one could easily escape the intended authentication scheme
by branching and providing a different ‘.guix-authorizations’ file.

Feedback welcome!

Ludo’.

Ludovic Courtès (5):
  git: Add 'commit-relation'.
  channels: 'latest-channel-instances' doesn't leak internal state.
  git: 'update-cached-checkout' returns the commit relation.
  channels: 'latest-channel-instances' guards against non-forward
    updates.
  pull: Protect against downgrade attacks.

 doc/guix.texi         |  15 ++++
 guix/channels.scm     | 156 ++++++++++++++++++++++++++++++------------
 guix/git.scm          |  37 ++++++++--
 guix/import/opam.scm  |   2 +-
 guix/scripts/pull.scm |  35 +++++++++-
 tests/channels.scm    |  47 +++++++++++--
 tests/git.scm         |  42 +++++++++++-
 7 files changed, 276 insertions(+), 58 deletions(-)

-- 
2.26.2

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.