GNU bug report logs - #59383
[PATCH] doc: Call out potential for downgrade attacks with time-machine.

Previous Next

Full log

View this message in rfc822 format

From: zimoun <zimon.toutoune <at> gmail.com>
To: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>, Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 59383 <at> debbugs.gnu.org
Subject: [bug#59383] [PATCH] doc: Call out potential for downgrade attacks with time-machine.
Date: Mon, 21 Nov 2022 12:19:05 +0100

Hi,

On Sat, 19 Nov 2022 at 18:39, "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de> wrote:

>>> @quotation Note
>>> Naturally, no security fixes can be provided for old versions of Guix
>>> or its channels.  This also means that careless use of @command{guix
>>> time-machine} opens the door to downgrade attacks.
>>> @xref{Invoking guix pull, @option{--allow-downgrades}}.
>>> @end quotation
>>
>> ‘Attack’ is a very big word.  It should not end a paragraph.  What
>> would the downgrade attack—distinct from a downgrade—look like?

Why not something like,

--8<---------------cut here---------------start------------->8---
@quotation Note
The history of Guix is immutable and @command{guix time-machine}
provides the exact same software as they are in a specific Guix
revision.  Naturally, no security fixes are provided for old versions
of Guix or its channels.  A careless use of @command{guix time-machine}
opens the door to security vulnerabilities @xref{Invoking guix pull,
@option{--allow-downgrades}}.
@end quotation
--8<---------------cut here---------------end--------------->8---

?

Cheers,
simon

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.