GNU bug report logs - #59383
[PATCH] doc: Call out potential for downgrade attacks with time-machine.


Package: guix-patches;

Reported by: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>

Date: Sat, 19 Nov 2022 12:10:02 UTC

Severity: normal

Tags: patch

Done: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>

Bug is archived. No further changes may be made.



Message #14 received at 59383 <at> debbugs.gnu.org (full text, mbox):

From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 59383 <at> debbugs.gnu.org, guix-patches <at> gnu.org
Subject: Re: [bug#59383] [PATCH] doc: Call out potential for downgrade
 attacks with time-machine.
Date: Sat, 19 Nov 2022 18:39:50 +0100

Hi Tobias, thanks for your thoughts.

Tobias Geerinckx-Rice <me <at> tobias.gr> writes:
> pelzflorian (Florian Pelz) wrote:
>> @quotation Note
>> Naturally, no security fixes can be provided for old versions of Guix
>> or its channels.  This also means that careless use of @command{guix
>> time-machine} opens the door to downgrade attacks.
>> @xref{Invoking guix pull, @option{--allow-downgrades}}.
>> @end quotation
> ‘Attack’ is a very big word.  It should not end a paragraph.  What
> would the downgrade attack—distinct from a downgrade—look like?

My choice of words was the same as in the unattended upgrades service,
but perhaps I should add before the @xref:

Suggestions to ``just use the time machine'' could be attempts to trick
people to use old software.  But they can also get you back to a working
state.

Regards,
Florian




This bug report was last modified 2 years and 232 days ago.


