GNU bug report logs - #41425
[PATCH 0/5] Have 'guix pull' protect against downgrade attacks


Package: guix-patches; Reported by: Ludovic Courtès <ludo@HIDDEN>; Keywords: patch; Done: Ludovic Courtès <ludo@HIDDEN>; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 41425 <at> debbugs.gnu.org:


References: <20200520213802.2170-1-ludo@HIDDEN>
 <CAJ3okZ3cp8knVLAiGPV17fM6WFLG9t0jF=5msvZdJakzEDz3Xw@HIDDEN>
 <87r1vc9iqb.fsf@HIDDEN>
In-Reply-To: <87r1vc9iqb.fsf@HIDDEN>
From: zimoun <zimon.toutoune@HIDDEN>
Date: Mon, 25 May 2020 16:36:52 +0200
Message-ID: <CAJ3okZ3RrEUKE-iGxf_Z-0Ce_TS-ArKY0Vzq9ddeKaFBsqoybw@HIDDEN>
Subject: Re: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against
 downgrade attacks
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 41425 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

On Fri, 22 May 2020 at 15:56, Ludovic Courtès <ludo@HIDDEN> wrote:

> > It is not easy -- nor impossible -- to evaluate such cost at the level
> > of "guix pull".  And I failed to evaluate it using 'commit-relation'
> > with "guix repl" -- Segmentation fault with commit
> > c81457a5883ea43950eb2ecdcbb58a5b144bcd11 and
> > 4bdf4182fe080c3409f6ef9b410146b67cfa2595; probably because I did used
> > correctly the API.

Obviously, one had to read "probably I did *not* used correctly the API". :-)

> How can I reproduce the issue?

--8<---------------cut here---------------start------------->8---
(use-modules (guix git) (guix channels) (guix tests git) (git))
(define url-cache-directory (@@ (guix git) url-cache-directory))
(define dir (url-cache-directory (channel-url (car %default-channels))))
(define merge (with-repository dir repo (find-commit repo "Merge")))
merge
;; $1 = #<git-commit 4bdf4182fe080c3409f6ef9b410146b67cfa2595>
(define left (car (commit-parents merge)))
left
;; $2 = #<git-commit c81457a5883ea43950eb2ecdcbb58a5b144bcd11>
(commit-relation left merge)
Segmentation fault
--8<---------------cut here---------------end--------------->8---

Because of 'commit-closure'.
I do not know if it is the correct use of the API; and because I do
not know how to get easily a commit, I use 'find-commit' which is not
nice.


> > Well, what will be the timing impact of checking the "fast-forwardness"?
>
> I haven’t measured it, but it’s small compared to the cost of fetching
> the new revisions and performing the checkout.  It’s roughly what ‘git
> pull’ does, although ‘git pull’ is probably faster because it’s in C and
> has been well optimized over the years.

My "worry" is about the complexity of the graph because
'commit-relation' walks somehow the graph of commits.


Cheers,
simon
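
The check discussed in this message, as an added example (not code from Guix or from this patch series): a toy version of the commit-relation test and of the two pull policies, run on a constructed commit graph. The names %graph, parents, closure, relation, strict-policy and lenient-policy are made up for the illustration; only the relation symbols ('self, 'ancestor, 'descendant, 'unrelated) come from the patch.

```scheme
;; Added example, not Guix code.  Runs with plain Guile.
(use-modules (ice-9 match))

;; Constructed commit graph: each entry is (COMMIT PARENT ...).
(define %graph
  '((a)          ;root commit
    (b a)
    (c b)
    (d b)        ;side branch forked from B
    (m c d)      ;merge of C and D
    (x)))        ;root of an unrelated history

(define (parents commit)
  "Return the parents of COMMIT in %GRAPH."
  (or (assq-ref %graph commit)
      (error "unknown commit" commit)))

(define (closure commit)
  "Return COMMIT and all its ancestors.  Each commit is visited once, so the
cost grows with the number of commits reachable from COMMIT, merges included."
  (let loop ((pending (list commit))
             (visited '()))
    (match pending
      (() visited)
      ((head . tail)
       (if (memq head visited)
           (loop tail visited)
           (loop (append (parents head) tail)
                 (cons head visited)))))))

(define (relation old new)
  "Return how OLD relates to NEW: 'self, 'ancestor (NEW is a forward update),
'descendant (NEW is a rollback), or 'unrelated."
  (cond ((eq? old new) 'self)
        ((memq old (closure new)) 'ancestor)
        ((memq new (closure old)) 'descendant)
        (else 'unrelated)))

(define (strict-policy old new)
  "Hypothetical default policy: accept forward updates only."
  (match (relation old new)
    ((or 'ancestor 'self) 'accept)
    (other (list 'reject other))))

(define (lenient-policy old new)
  "Hypothetical stand-in for the warn-only behaviour: never reject."
  (match (relation old new)
    ((or 'ancestor 'self) 'accept)
    (other (list 'warn other))))

;; OLD is the commit currently in use, NEW the commit being pulled.
;; In this toy, sibling branches (C and D) come out as 'unrelated because
;; neither commit is in the other's closure.
(for-each (match-lambda
            ((old new)
             (format #t "~a -> ~a: strict ~s, lenient ~s~%" old new
                     (strict-policy old new) (lenient-policy old new))))
          '((b m) (m m) (m b) (c d) (m x)))
```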




Information forwarded to guix-patches@HIDDEN:
bug#41425; Package guix-patches. Full text available.

Message received at 41425-done <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: 41425-done <at> debbugs.gnu.org
Subject: Re: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against
 downgrade attacks
References: <20200520213802.2170-1-ludo@HIDDEN>
Date: Mon, 25 May 2020 00:02:49 +0200
In-Reply-To: <20200520213802.2170-1-ludo@HIDDEN> ("Ludovic Courtès"'s message
 of "Wed, 20 May 2020 23:38:02 +0200")
Message-ID: <874ks5xa7q.fsf@HIDDEN>

Pushed!

  9744cc7b46 pull: Protect against downgrade attacks.
  872898f768 channels: 'latest-channel-instances' guards against non-forward updates.
  8d1d56578a git: 'update-cached-checkout' returns the commit relation.
  9b049de84e channels: 'latest-channel-instances' doesn't leak internal state.
  c098c11be8 git: Add 'commit-relation'.

One step closer to addressing <https://issues.guix.gnu.org/22883>…

Ludo’.




Notification sent to Ludovic Courtès <ludo@HIDDEN>:
bug acknowledged by developer. Full text available.
Reply sent to Ludovic Courtès <ludo@HIDDEN>:
You have taken responsibility. Full text available.

Message received at 41425 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: zimoun <zimon.toutoune@HIDDEN>
Subject: Re: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against
 downgrade attacks
References: <20200520213802.2170-1-ludo@HIDDEN>
 <CAJ3okZ3cp8knVLAiGPV17fM6WFLG9t0jF=5msvZdJakzEDz3Xw@HIDDEN>
Date: Fri, 22 May 2020 15:55:56 +0200
In-Reply-To: <CAJ3okZ3cp8knVLAiGPV17fM6WFLG9t0jF=5msvZdJakzEDz3Xw@HIDDEN>
 (zimoun's message of "Thu, 21 May 2020 16:06:27 +0200")
Message-ID: <87r1vc9iqb.fsf@HIDDEN>

Hi Simon,

zimoun <zimon.toutoune@HIDDEN> skribis:

> On Wed, 20 May 2020 at 23:39, Ludovic Courtès <ludo@HIDDEN> wrote:
>
>> By default ‘guix pull’ would now error out if the target commit of a
>> channel is not a descendant of the currently-used commit, according to
>> the commit graph.  There’s an option to bypass that.  ‘guix
>> time-machine’ behavior is unchanged though: it never complains.
>
> What is the extra time cost of such check?

The problem is not the cost.  ‘guix pull’ compares the target commit(s)
against the commit(s) of the currently-used ‘guix’; it can clearly see
if it’s a forward pull or not.

However, in the case of ‘guix time-machine’, there’s nothing to compare
against (it’s a bit like a fresh ‘git clone’ as opposed to a ‘git pull’,
if you see what I mean.)

Additionally, the purpose of ‘guix time-machine’ is to travel in time,
usually in the past, so it would be inconvenient to get warnings or
errors every time.

> It is not easy -- nor impossible -- to evaluate such cost at the level
> of "guix pull".  And I failed to evaluate it using 'commit-relation'
> with "guix repl" -- Segmentation fault with commit
> c81457a5883ea43950eb2ecdcbb58a5b144bcd11 and
> 4bdf4182fe080c3409f6ef9b410146b67cfa2595; probably because I did used
> correctly the API.

How can I reproduce the issue?

> Well, what will be the timing impact of checking the "fast-forwardness"?

I haven’t measured it, but it’s small compared to the cost of fetching
the new revisions and performing the checkout.  It’s roughly what ‘git
pull’ does, although ‘git pull’ is probably faster because it’s in C and
has been well optimized over the years.

Thanks for your feedback!

Ludo’.





Message received at 41425 <at> debbugs.gnu.org:


References: <20200520213802.2170-1-ludo@HIDDEN>
In-Reply-To: <20200520213802.2170-1-ludo@HIDDEN>
From: zimoun <zimon.toutoune@HIDDEN>
Date: Thu, 21 May 2020 16:06:27 +0200
Message-ID: <CAJ3okZ3cp8knVLAiGPV17fM6WFLG9t0jF=5msvZdJakzEDz3Xw@HIDDEN>
Subject: Re: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against
 downgrade attacks
To: Ludovic Courtès <ludo@HIDDEN>

Hi Ludo,

On Wed, 20 May 2020 at 23:39, Ludovic Courtès <ludo@HIDDEN> wrote:

> By default ‘guix pull’ would now error out if the target commit of a
> channel is not a descendant of the currently-used commit, according to
> the commit graph.  There’s an option to bypass that.  ‘guix
> time-machine’ behavior is unchanged though: it never complains.

What is the extra time cost of such check?  Well, it depends on the
"distance" between the 2 commits and maybe the complexity of the graph
-- it is not clear what happens for complex merge -- but say pulling
once a month.

It is not easy -- nor impossible -- to evaluate such cost at the level
of "guix pull".  And I failed to evaluate it using 'commit-relation'
with "guix repl" -- Segmentation fault with commit
c81457a5883ea43950eb2ecdcbb58a5b144bcd11 and
4bdf4182fe080c3409f6ef9b410146b67cfa2595; probably because I did used
correctly the API.


Well, what will be the timing impact of checking the "fast-forwardness"?


All the best,
simon





Message received at 41425 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: 41425 <at> debbugs.gnu.org
Subject: [PATCH 5/5] pull: Protect against downgrade attacks.
Date: Wed, 20 May 2020 23:47:25 +0200
Message-Id: <20200520214725.2437-5-ludo@HIDDEN>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200520214725.2437-1-ludo@HIDDEN>
References: <20200520214725.2437-1-ludo@HIDDEN>

* guix/scripts/pull.scm (%default-options): Add 'validate-pull'.
(%options, show-help): Add '--allow-downgrades'.
(warn-about-backward-updates): New procedure.
(guix-pull): Pass #:current-channels and #:validate-pull to
'latest-channel-instances'.
* guix/channels.scm (ensure-forward-channel-update): Add hint for
when (channel-commit channel) is true.
* doc/guix.texi (Invoking guix pull): Document '--allow-downgrades'.
---
 doc/guix.texi         | 15 +++++++++++++++
 guix/channels.scm     | 34 +++++++++++++++++++---------------
 guix/scripts/pull.scm | 35 ++++++++++++++++++++++++++++++++---
 3 files changed, 66 insertions(+), 18 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index eef5b703fe..79ed260a85 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3900,6 +3900,21 @@ Use @var{profile} instead of @file{~/.config/guix/current}.
 Show which channel commit(s) would be used and what would be built or
 substituted but do not actually do it.
 
+@item --allow-downgrades
+Allow pulling older or unrelated revisions of channels than those
+currently in use.
+
+@cindex downgrade attacks, protection against
+By default, @command{guix pull} protects against so-called ``downgrade
+attacks'' whereby the Git repository of a channel would be reset to an
+earlier or unrelated revision of itself, potentially leading you to
+install older, known-vulnerable versions of software packages.
+
+@quotation Note
+Make sure you understand its security implications before using
+@option{--allow-downgrades}.
+@end quotation
+
 @item --system=@var{system}
 @itemx -s @var{system}
 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
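Review bot: the new @item text for --allow-downgrades in doc/guix.texi does not say what still happens once the check is bypassed. With the option, pull.scm swaps in 'warn-about-backward-updates', which prints a warning for rollbacks and for unrelated commits rather than staying silent; one sentence saying so after "currently in use." would tell readers what to expect. The phrase "older or unrelated revisions of channels than those currently in use" also reads awkwardly, since "than" fits "older" but not "unrelated".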
diff --git a/guix/channels.scm b/guix/channels.scm
index 70e2d7f07c..84c47fc0d0 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -246,25 +246,29 @@ This procedure implements a channel update policy meant to be used as a
     ('ancestor #t)
     ('self #t)
     (_
-     (raise (apply make-compound-condition
-                   (condition
-                    (&message (message
-                               (format #f (G_ "\
+     (raise (make-compound-condition
+             (condition
+              (&message (message
+                         (format #f (G_ "\
 aborting update of channel '~a' to commit ~a, which is not a descendant of ~a")
-                                       (channel-name channel)
-                                       (channel-instance-commit instance)
-                                       start))))
+                                 (channel-name channel)
+                                 (channel-instance-commit instance)
+                                 start))))
 
-                   ;; Don't show the hint when the user explicitly specified a
-                   ;; commit in CHANNEL.
-                   (if (channel-commit channel)
-                       '()
-                       (list (condition
-                              (&fix-hint
-                               (hint (G_ "This could indicate that the channel has
+             ;; If the user asked for a specific commit, they might want
+             ;; that to happen nevertheless, so tell them about the
+             ;; relevant 'guix pull' option.
+             (if (channel-commit channel)
+                 (condition
+                  (&fix-hint
+                   (hint (G_ "Use @option{--allow-downgrades} to force
+this downgrade."))))
+                 (condition
+                  (&fix-hint
+                   (hint (G_ "This could indicate that the channel has
 been tampered with and is trying to force a roll-back, preventing you from
 getting the latest updates.  If you think this is not the case, explicitly
-allow non-forward updates.")))))))))))
+allow non-forward updates."))))))))))
 
 (define* (latest-channel-instances store channels
                                    #:key
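Review bot: in the (_ ...) clause of 'ensure-forward-channel-update', the two hints now diverge: the branch taken when (channel-commit channel) is true names --allow-downgrades, while the other branch still ends with "explicitly allow non-forward updates" and does not say how. Naming the option in both branches would be consistent. Separately, the hint hard-codes a 'guix pull' command-line option inside guix/channels.scm, so a caller that uses this validator from somewhere other than 'guix pull' would show a hint that may not apply; a comment stating that assumption would help.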
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index dfe7ee7ad5..c386d81b8e 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -81,7 +81,8 @@
     (multiplexed-build-output? . #t)
     (graft? . #t)
     (debug . 0)
-    (verbosity . 1)))
+    (verbosity . 1)
+    (validate-pull . ,ensure-forward-channel-update)))
 
 (define (show-help)
   (display (G_ "Usage: guix pull [OPTION]...
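Review bot: the new entry (validate-pull . ,ensure-forward-channel-update) uses an unquote, so %default-options has to be a quasiquoted list, and the opening of that form is outside this hunk; worth confirming it starts with a backquote and that 'ensure-forward-channel-update' is exported from (guix channels) and visible in pull.scm. A short comment on the entry noting that its value is a procedure, unlike the other entries shown here, would also help.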
@@ -94,6 +95,8 @@ Download and deploy the latest version of Guix.\n"))
       --commit=COMMIT    download the specified COMMIT"))
   (display (G_ "
       --branch=BRANCH    download the tip of the specified BRANCH"))
+  (display (G_ "
+      --allow-downgrades allow downgrades to earlier channel revisions"))
   (display (G_ "
   -N, --news             display news compared to the previous generation"))
   (display (G_ "
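Review bot: the help string added in 'show-help' says "allow downgrades to earlier channel revisions", but the option also lets through commits unrelated to the current one (the 'unrelated clause of 'warn-about-backward-updates', and "older or unrelated" in the manual text). Something like "allow downgrades to earlier or unrelated channel revisions" would match the documented behaviour.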
@@ -158,6 +161,10 @@ Download and deploy the latest version of Guix.\n"))
          (option '("branch") #t #f
                  (lambda (opt name arg result)
                    (alist-cons 'ref `(branch . ,arg) result)))
+         (option '("allow-downgrades") #f #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'validate-pull warn-about-backward-updates
+                               result)))
          (option '(#\p "profile") #t #f
                  (lambda (opt name arg result)
                    (alist-cons 'profile (canonicalize-profile arg)
@@ -188,6 +195,21 @@ Download and deploy the latest version of Guix.\n"))
 
          %standard-build-options))
 
+(define (warn-about-backward-updates channel start instance relation)
+  "Warn about non-forward updates of CHANNEL from START to INSTANCE, without
+aborting."
+  (match relation
+    ((or 'ancestor 'self)
+     #t)
+    ('descendant
+     (warning (G_ "rolling back channel '~a' from ~a to ~a~%")
+              (channel-name channel) start
+              (channel-instance-commit instance)))
+    ('unrelated
+     (warning (G_ "moving channel '~a' from ~a to unrelated commit ~a~%")
+              (channel-name channel) start
+              (channel-instance-commit instance)))))
+
 (define* (display-profile-news profile #:key concise?
                                current-is-newer?)
   "Display what's up in PROFILE--new packages, and all that.  If
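Review bot: the 'match' in 'warn-about-backward-updates' has no fallback clause, so any RELATION other than 'ancestor, 'self, 'descendant or 'unrelated raises a match error. The commit message of patch 3/5 says 'update-cached-checkout' returns "the relation or #f"; if #f can reach this procedure, add a clause for it, or state in the docstring that the caller only invokes the validator with a real relation. The docstring also does not describe the RELATION argument.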
@@ -749,7 +771,9 @@ Use '~/.config/guix/channels.scm' instead."))
             (substitutes? (assoc-ref opts 'substitutes?))
             (dry-run?     (assoc-ref opts 'dry-run?))
             (channels     (channel-list opts))
-            (profile      (or (assoc-ref opts 'profile) %current-profile)))
+            (profile      (or (assoc-ref opts 'profile) %current-profile))
+            (current-channels (profile-channels profile))
+            (validate-pull    (assoc-ref opts 'validate-pull)))
        (cond ((assoc-ref opts 'query)
               (process-query opts profile))
              ((assoc-ref opts 'generation)
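Review bot: (current-channels (profile-channels profile)) is bound next to 'profile' in the same binding form, so it is evaluated on every invocation, including the 'query and 'generation branches of the 'cond' below that do not use it, and it only works if the enclosing form is 'let*' (its opening is outside this hunk). Consider computing it inside the branch that calls 'latest-channel-instances', and check what 'profile-channels' returns when the profile does not exist yet.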
@@ -766,7 +790,12 @@ Use '~/.config/guix/channels.scm' instead."))
                       (ensure-default-profile)
                       (honor-x509-certificates store)
 
-                      (let ((instances (latest-channel-instances store channels)))
+                      (let ((instances
+                             (latest-channel-instances store channels
+                                                       #:current-channels
+                                                       current-channels
+                                                       #:validate-pull
+                                                       validate-pull)))
                         (format (current-error-port)
                                 (N_ "Building from this channel:~%"
                                     "Building from these channels:~%"
-- 
2.26.2






Message received at 41425 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: 41425 <at> debbugs.gnu.org
Subject: [PATCH 3/5] git: 'update-cached-checkout' returns the commit relation.
Date: Wed, 20 May 2020 23:47:23 +0200
Message-Id: <20200520214725.2437-3-ludo@HIDDEN>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200520214725.2437-1-ludo@HIDDEN>
References: <20200520214725.2437-1-ludo@HIDDEN>

* guix/git.scm (update-cached-checkout): Add #:starting-commit
parameter.  Call 'commit-relation' when #:starting-commit is true.
Always return the relation or #f as the third value.
(latest-repository-commit): Adjust accordingly.
* guix/import/opam.scm (get-opam-repository): Likewise.
* tests/channels.scm ("latest-channel-instances includes channel dependencies")
("latest-channel-instances excludes duplicate channel dependencies"):
Update mock of 'update-cached-checkout' accordingly.
---
 guix/channels.scm    |  2 +-
 guix/git.scm         | 21 ++++++++++++++++-----
 guix/import/opam.scm |  2 +-
 tests/channels.scm   | 12 ++++++------
 4 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/guix/channels.scm b/guix/channels.scm
index e0a7a84f55..75b767a94c 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -218,7 +218,7 @@ result is unspecified."
     (and (string=? (basename file) ".git")
          (eq? 'directory (stat:type stat))))
 
-  (let-values (((checkout commit)
+  (let-values (((checkout commit relation)
                 (update-cached-checkout (channel-url channel)
                                         #:ref (channel-reference channel))))
     (when (guix-channel? channel)
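Review bot: this guix/channels.scm change to 'latest-channel-instance' is missing from the commit log, which lists only guix/git.scm, guix/import/opam.scm and tests/channels.scm. Also, `relation` is bound here but nothing in this hunk uses it, while the other adjusted callers in this patch bind the third value as `_`; either do the same here or say in the log that a later patch in the series consumes it.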
diff --git a/guix/git.scm b/guix/git.scm
index 249d622756..c197e566db 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -262,14 +262,16 @@ definitely available in REPOSITORY, false otherwise."
                                  #:key
                                  (ref '(branch . "master"))
                                  recursive?
+                                 starting-commit
                                  (log-port (%make-void-port "w"))
                                  (cache-directory
                                   (url-cache-directory
                                    url (%repository-cache-directory)
                                    #:recursive? recursive?)))
-  "Update the cached checkout of URL to REF in CACHE-DIRECTORY.  Return two
+  "Update the cached checkout of URL to REF in CACHE-DIRECTORY.  Return three
 values: the cache directory name, and the SHA1 commit (a string) corresponding
-to REF.
+to REF, and the relation of the new commit relative to STARTING-COMMIT (if
+provided) as returned by 'commit-relation'.
 
 REF is pair whose key is [branch | commit | tag | tag-or-commit ] and value
 the associated data: [<branch name> | <sha1> | <tag name> | <string>].
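Review bot: the new docstring does not say what the third value is when STARTING-COMMIT is omitted, nor what type STARTING-COMMIT must be. The code in the next hunk returns #f in that case and passes the argument to 'string->oid', so wording such as "STARTING-COMMIT, a commit ID string; the third value is #f when it is not provided" would make the contract explicit. The sentence also now reads "the cache directory name, and the SHA1 commit ..., and the relation"; drop the first "and".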
@@ -302,7 +304,16 @@ When RECURSIVE? is true, check out submodules as well, if any."
            (remote-fetch (remote-lookup repository "origin"))))
      (when recursive?
        (update-submodules repository #:log-port log-port))
-     (let ((oid (switch-to-ref repository canonical-ref)))
+
+     ;; Note: call 'commit-relation' from here because it's more efficient
+     ;; than letting users re-open the checkout later on.
+     (let* ((oid      (switch-to-ref repository canonical-ref))
+            (new      (commit-lookup repository oid))
+            (old      (and starting-commit
+                           (commit-lookup repository
+                                          (string->oid starting-commit))))
+            (relation (and starting-commit
+                           (commit-relation old new))))
 
        ;; Reclaim file descriptors and memory mappings associated with
        ;; REPOSITORY as soon as possible.
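Review bot: the `commit-lookup` on STARTING-COMMIT has no handling for the case where that commit is not present in the freshly fetched repository, which is what a rewritten or replaced upstream history would look like. As written, that case would surface as whatever error `commit-lookup` raises rather than as a relation the caller's policy can act on; consider catching the lookup failure and returning 'unrelated so that the downgrade check still gets to decide.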
@@ -310,7 +321,7 @@ When RECURSIVE? is true, check out submodules as well, if any."
                               'repository-close!)
          (repository-close! repository))
 
-       (values cache-directory (oid->string oid))))))
+       (values cache-directory (oid->string oid) relation)))))
 
 (define* (latest-repository-commit store url
                                    #:key
@@ -343,7 +354,7 @@ Log progress and checkout info to LOG-PORT."
 
   (format log-port "updating checkout of '~a'...~%" url)
   (let*-values
-      (((checkout commit)
+      (((checkout commit _)
         (update-cached-checkout url
                                 #:recursive? recursive?
                                 #:ref ref
diff --git a/guix/import/opam.scm b/guix/import/opam.scm
index ae7df8a8b5..9cda3da006 100644
--- a/guix/import/opam.scm
+++ b/guix/import/opam.scm
@@ -115,7 +115,7 @@
 (define (get-opam-repository)
   "Update or fetch the latest version of the opam repository and return the
 path to the repository."
-  (receive (location commit)
+  (receive (location commit _)
     (update-cached-checkout "https://github.com/ocaml/opam-repository")
     location))
 
diff --git a/tests/channels.scm b/tests/channels.scm
index 910088ba15..3578b57204 100644
--- a/tests/channels.scm
+++ b/tests/channels.scm
@@ -136,11 +136,11 @@
                    (url "test")))
          (test-dir (channel-instance-checkout instance--simple)))
     (mock ((guix git) update-cached-checkout
-           (lambda* (url #:key ref)
+           (lambda* (url #:key ref starting-commit)
              (match url
-               ("test" (values test-dir "caf3cabba9e"))
+               ("test" (values test-dir "caf3cabba9e" #f))
                (_      (values (channel-instance-checkout instance--no-deps)
-                               "abcde1234")))))
+                               "abcde1234" #f)))))
           (with-store store
             (let ((instances (latest-channel-instances store (list channel))))
               (and (eq? 2 (length instances))
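Review bot: both mocks now accept #:starting-commit but ignore it and always return #f as the relation, so nothing in this patch exercises the new path in 'update-cached-checkout' where STARTING-COMMIT is given. A test that calls 'update-cached-checkout' on a temporary repository with #:starting-commit set and checks the third value would cover it.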
@@ -155,11 +155,11 @@
                    (url "test")))
          (test-dir (channel-instance-checkout instance--with-dupes)))
     (mock ((guix git) update-cached-checkout
-           (lambda* (url #:key ref)
+           (lambda* (url #:key ref starting-commit)
              (match url
-               ("test" (values test-dir "caf3cabba9e"))
+               ("test" (values test-dir "caf3cabba9e" #f))
                (_      (values (channel-instance-checkout instance--no-deps)
-                               "abcde1234")))))
+                               "abcde1234" #f)))))
           (with-store store
             (let ((instances (latest-channel-instances store (list channel))))
               (and (= 2 (length instances))
-- 
2.26.2





Information forwarded to guix-patches@HIDDEN:
bug#41425; Package guix-patches. Full text available.

Message received at 41425 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: 41425 <at> debbugs.gnu.org
Subject: [PATCH 4/5] channels: 'latest-channel-instances' guards against non-forward updates.
Date: Wed, 20 May 2020 23:47:24 +0200
Message-Id: <20200520214725.2437-4-ludo@HIDDEN>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200520214725.2437-1-ludo@HIDDEN>
References: <20200520214725.2437-1-ludo@HIDDEN>
Cc: Ludovic Courtès <ludo@HIDDEN>

* guix/channels.scm (latest-channel-instance): Add #:starting-commit and
pass it to 'update-cached-checkout'.  Return the commit relation as a
second value.
(ensure-forward-channel-update): New procedure.
(latest-channel-instances): Add #:current-channels and #:validate-pull.
[current-commit]: New procedure.
Pass #:starting-commit to 'latest-channel-instance'.  When the returned
relation is true, call VALIDATE-PULL.
(latest-channel-derivation): Add #:current-channels and #:validate-pull.
Pass them to 'latest-channel-instances*'.
* tests/channels.scm ("latest-channel-instances #:validate-pull"): New
test.
---
 guix/channels.scm  | 89 ++++++++++++++++++++++++++++++++++++++++------
 tests/channels.scm | 35 ++++++++++++++++++
 2 files changed, 114 insertions(+), 10 deletions(-)

diff --git a/guix/channels.scm b/guix/channels.scm
index 75b767a94c..70e2d7f07c 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -73,6 +73,7 @@
             channel-instances->manifest
             %channel-profile-hooks
             channel-instances->derivation
+            ensure-forward-channel-update
 
             profile-channels
 
@@ -212,15 +213,18 @@ result is unspecified."
        (loop rest)))))
 
 (define* (latest-channel-instance store channel
-                                  #:key (patches %patches))
-  "Return the latest channel instance for CHANNEL."
+                                  #:key (patches %patches)
+                                  starting-commit)
+  "Return two values: the latest channel instance for CHANNEL, and its
+relation to STARTING-COMMIT when provided."
   (define (dot-git? file stat)
     (and (string=? (basename file) ".git")
          (eq? 'directory (stat:type stat))))
 
   (let-values (((checkout commit relation)
                 (update-cached-checkout (channel-url channel)
-                                        #:ref (channel-reference channel))))
+                                        #:ref (channel-reference channel)
+                                        #:starting-commit starting-commit)))
     (when (guix-channel? channel)
       ;; Apply the relevant subset of PATCHES directly in CHECKOUT.  This is
       ;; safe to do because 'switch-to-ref' eventually does a hard reset.
@@ -229,11 +233,51 @@ result is unspecified."
     (let* ((name     (url+commit->name (channel-url channel) commit))
            (checkout (add-to-store store name #t "sha256" checkout
                                    #:select? (negate dot-git?))))
-      (channel-instance channel commit checkout))))
+      (values (channel-instance channel commit checkout)
+              relation))))
 
-(define* (latest-channel-instances store channels)
+(define (ensure-forward-channel-update channel start instance relation)
+  "Raise an error if RELATION is not 'ancestor, meaning that START is not an
+ancestor of the commit in INSTANCE, unless CHANNEL specifies a commit.
+
+This procedure implements a channel update policy meant to be used as a
+#:validate-pull argument."
+  (match relation
+    ('ancestor #t)
+    ('self #t)
+    (_
+     (raise (apply make-compound-condition
+                   (condition
+                    (&message (message
+                               (format #f (G_ "\
+aborting update of channel '~a' to commit ~a, which is not a descendant of ~a")
+                                       (channel-name channel)
+                                       (channel-instance-commit instance)
+                                       start))))
+
+                   ;; Don't show the hint when the user explicitly specified a
+                   ;; commit in CHANNEL.
+                   (if (channel-commit channel)
+                       '()
+                       (list (condition
+                              (&fix-hint
+                               (hint (G_ "This could indicate that the channel has
+been tampered with and is trying to force a roll-back, preventing you from
+getting the latest updates.  If you think this is not the case, explicitly
+allow non-forward updates.")))))))))))
+
+(define* (latest-channel-instances store channels
+                                   #:key
+                                   (current-channels '())
+                                   (validate-pull
+                                    ensure-forward-channel-update))
   "Return a list of channel instances corresponding to the latest checkouts of
-CHANNELS and the channels on which they depend."
+CHANNELS and the channels on which they depend.
+
+CURRENT-CHANNELS is the list of currently used channels.  It is compared
+against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called
+for each channel update and can choose to emit warnings or raise an error,
+depending on the policy it implements."
   ;; Only process channels that are unique, or that are more specific than a
   ;; previous channel specification.
   (define (ignore? channel others)
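Review bot: the docstring of 'ensure-forward-channel-update' does not match the `match` form below it. It says an error is raised "if RELATION is not 'ancestor ... unless CHANNEL specifies a commit", but 'self is also accepted, and when `(channel-commit channel)` is true the condition is still raised and only the &fix-hint is omitted. Please make the two agree: either return normally when the channel pins a commit, or reword the docstring to say that it is the hint that gets suppressed. The hint also tells the user to "explicitly allow non-forward updates" without naming how; no user-facing switch for that is visible in this patch, so the hint should name it once it exists.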
@@ -244,6 +288,13 @@ CHANNELS and the channels on which they depend."
                        (not (or (channel-commit a)
                                 (channel-commit b))))))))
 
+  (define (current-commit name)
+    ;; Return the current commit for channel NAME.
+    (any (lambda (channel)
+           (and (eq? (channel-name channel) name)
+                (channel-commit channel)))
+         current-channels))
+
   (let loop ((channels channels)
              (previous-channels '()))
     ;; Accumulate a list of instances.  A list of processed channels is also
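Review bot: 'current-commit' returns #f whenever NAME is absent from CURRENT-CHANNELS or the matching entry has no commit, and #:current-channels defaults to '(), so by default STARTING-COMMIT is #f, the relation is #f, and VALIDATE-PULL is never called. That makes the downgrade check opt-in per caller; the docstring of 'latest-channel-instances' should say so, and every caller that is expected to be protected needs to pass #:current-channels. Channels are matched by name only (`eq?` on 'channel-name'), so a current entry with the same name but a different URL is compared as well, which deserves a comment.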
@@ -257,7 +308,15 @@ CHANNELS and the channels on which they depend."
                              (G_ "Updating channel '~a' from Git repository at '~a'...~%")
                              (channel-name channel)
                              (channel-url channel))
-                     (let ((instance (latest-channel-instance store channel)))
+                     (let*-values (((current)
+                                    (current-commit (channel-name channel)))
+                                   ((instance relation)
+                                    (latest-channel-instance store channel
+                                                             #:starting-commit
+                                                             current)))
+                       (when relation
+                         (validate-pull channel current instance relation))
+
                        (let-values (((new-instances new-channels)
                                      (loop (channel-instance-dependencies instance)
                                            previous-channels)))
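Review bot: VALIDATE-PULL runs only after 'latest-channel-instance' has returned, that is, after the cached checkout has been switched to the new ref and its contents copied to the store by the 'add-to-store' call in that procedure. A rejected update therefore still leaves the rejected checkout in the cache and in the store. If the policy is meant to stop a roll-back before anything is materialized, the relation needs to be checked before 'add-to-store'; if that is not the intent, a comment here stating when the check takes effect would help.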
@@ -617,10 +676,20 @@ channel instances."
 (define latest-channel-instances*
   (store-lift latest-channel-instances))
 
-(define* (latest-channel-derivation #:optional (channels %default-channels))
+(define* (latest-channel-derivation #:optional (channels %default-channels)
+                                    #:key
+                                    (current-channels '())
+                                    (validate-pull
+                                     ensure-forward-channel-update))
   "Return as a monadic value the derivation that builds the profile for the
-latest instances of CHANNELS."
-  (mlet %store-monad ((instances (latest-channel-instances* channels)))
+latest instances of CHANNELS.  CURRENT-CHANNELS and VALIDATE-PULL are passed
+to 'latest-channel-instances'."
+  (mlet %store-monad ((instances
+                       (latest-channel-instances* channels
+                                                  #:current-channels
+                                                  current-channels
+                                                  #:validate-pull
+                                                  validate-pull)))
     (channel-instances->derivation instances)))
 
 (define (profile-channels profile)
diff --git a/tests/channels.scm b/tests/channels.scm
index 3578b57204..3b141428c8 100644
--- a/tests/channels.scm
+++ b/tests/channels.scm
@@ -37,6 +37,7 @@
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
   #:use-module (srfi srfi-64)
+  #:use-module (ice-9 control)
   #:use-module (ice-9 match))
 
 (test-begin "channels")
@@ -178,6 +179,40 @@
                                           "abc1234")))
                          instances)))))))
 
+(unless (which (git-command)) (test-skip 1))
+(test-equal "latest-channel-instances #:validate-pull"
+  'descendant
+
+  ;; Make sure the #:validate-pull procedure receives the right values.
+  (let/ec return
+    (with-temporary-git-repository directory
+        '((add "a.txt" "A")
+          (commit "first commit")
+          (add "b.scm" "#t")
+          (commit "second commit"))
+      (with-repository directory repository
+        (let* ((commit1 (find-commit repository "first"))
+               (commit2 (find-commit repository "second"))
+               (spec    (channel (url (string-append "file://" directory))
+                                 (name 'foo)))
+               (new     (channel (inherit spec)
+                                 (commit (oid->string (commit-id commit2)))))
+               (old     (channel (inherit spec)
+                                 (commit (oid->string (commit-id commit1))))))
+          (define (validate-pull channel current instance relation)
+            (return (and (eq? channel old)
+                         (string=? (oid->string (commit-id commit2))
+                                   current)
+                         (string=? (oid->string (commit-id commit1))
+                                   (channel-instance-commit instance))
+                         relation)))
+
+          (with-store store
+            ;; Attempt a downgrade from NEW to OLD.
+            (latest-channel-instances store (list old)
+                                      #:current-channels (list new)
+                                      #:validate-pull validate-pull)))))))
+
 (test-assert "channel-instances->manifest"
   ;; Compute the manifest for a graph of instances and make sure we get a
   ;; derivation graph that mirrors the instance graph.  This test also ensures
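Review bot: this test only checks that a custom #:validate-pull receives 'descendant for a downgrade; the default policy is never run. Please add cases showing that 'ensure-forward-channel-update' raises for 'descendant and 'unrelated and returns normally for 'ancestor and 'self, since that is the behaviour the series is about.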
-- 
2.26.2





Information forwarded to guix-patches@HIDDEN:
bug#41425; Package guix-patches. Full text available.

Message received at 41425 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: 41425 <at> debbugs.gnu.org
Subject: [PATCH 2/5] channels: 'latest-channel-instances' doesn't leak internal state.
Date: Wed, 20 May 2020 23:47:22 +0200
Message-Id: <20200520214725.2437-2-ludo@HIDDEN>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200520214725.2437-1-ludo@HIDDEN>
References: <20200520214725.2437-1-ludo@HIDDEN>
Cc: Ludovic Courtès <ludo@HIDDEN>

* guix/channels.scm (latest-channel-instances): Remove
'previous-channels' argument.  Introduce 'loop' and use it.
---
 guix/channels.scm | 67 +++++++++++++++++++++++------------------------
 1 file changed, 33 insertions(+), 34 deletions(-)

diff --git a/guix/channels.scm b/guix/channels.scm
index f0174de767..e0a7a84f55 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -231,10 +231,9 @@ result is unspecified."
                                    #:select? (negate dot-git?))))
       (channel-instance channel commit checkout))))
 
-(define* (latest-channel-instances store channels #:optional (previous-channels '()))
+(define* (latest-channel-instances store channels)
   "Return a list of channel instances corresponding to the latest checkouts of
-CHANNELS and the channels on which they depend.  PREVIOUS-CHANNELS is a list
-of previously processed channels."
+CHANNELS and the channels on which they depend."
   ;; Only process channels that are unique, or that are more specific than a
   ;; previous channel specification.
   (define (ignore? channel others)
@@ -245,38 +244,38 @@ of previously processed channels."
                        (not (or (channel-commit a)
                                 (channel-commit b))))))))
 
-  ;; Accumulate a list of instances.  A list of processed channels is also
-  ;; accumulated to decide on duplicate channel specifications.
-  (define-values (resulting-channels instances)
-    (fold2 (lambda (channel previous-channels instances)
-             (if (ignore? channel previous-channels)
-                 (values previous-channels instances)
-                 (begin
-                   (format (current-error-port)
-                           (G_ "Updating channel '~a' from Git repository at '~a'...~%")
-                           (channel-name channel)
-                           (channel-url channel))
-                   (let ((instance (latest-channel-instance store channel)))
-                     (let-values (((new-instances new-channels)
-                                   (latest-channel-instances
-                                    store
-                                    (channel-instance-dependencies instance)
-                                    previous-channels)))
-                       (values (append (cons channel new-channels)
-                                       previous-channels)
-                               (append (cons instance new-instances)
-                                       instances)))))))
-           previous-channels
-           '()                                    ;instances
-           channels))
+  (let loop ((channels channels)
+             (previous-channels '()))
+    ;; Accumulate a list of instances.  A list of processed channels is also
+    ;; accumulated to decide on duplicate channel specifications.
+    (define-values (resulting-channels instances)
+      (fold2 (lambda (channel previous-channels instances)
+               (if (ignore? channel previous-channels)
+                   (values previous-channels instances)
+                   (begin
+                     (format (current-error-port)
+                             (G_ "Updating channel '~a' from Git repository at '~a'...~%")
+                             (channel-name channel)
+                             (channel-url channel))
+                     (let ((instance (latest-channel-instance store channel)))
+                       (let-values (((new-instances new-channels)
+                                     (loop (channel-instance-dependencies instance)
+                                           previous-channels)))
+                         (values (append (cons channel new-channels)
+                                         previous-channels)
+                                 (append (cons instance new-instances)
+                                         instances)))))))
+             previous-channels
+             '()                                  ;instances
+             channels))
 
-  (let ((instance-name (compose channel-name channel-instance-channel)))
-    ;; Remove all earlier channel specifications if they are followed by a
-    ;; more specific one.
-    (values (delete-duplicates instances
-                               (lambda (a b)
-                                 (eq? (instance-name a) (instance-name b))))
-            resulting-channels)))
+    (let ((instance-name (compose channel-name channel-instance-channel)))
+      ;; Remove all earlier channel specifications if they are followed by a
+      ;; more specific one.
+      (values (delete-duplicates instances
+                                 (lambda (a b)
+                                   (eq? (instance-name a) (instance-name b))))
+              resulting-channels))))
 
 (define* (checkout->channel-instance checkout
                                      #:key commit
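Review bot: the commit title says internal state is no longer leaked, but the outermost call still returns `resulting-channels` as a second value, because the final `values` form is shared by every iteration of `loop`. If external callers should only get the list of instances, as the docstring says, move the recursion into a helper that returns both values and have 'latest-channel-instances' return just the first. Also, the `fold2` lambda's `previous-channels` parameter shadows the `loop` variable of the same name; renaming one of them would make the recursive `(loop ... previous-channels)` call easier to follow.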
-- 
2.26.2





Information forwarded to guix-patches@HIDDEN:
bug#41425; Package guix-patches. Full text available.

Message received at 41425 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: 41425 <at> debbugs.gnu.org
Subject: [PATCH 1/5] git: Add 'commit-relation'.
Date: Wed, 20 May 2020 23:47:21 +0200
Message-Id: <20200520214725.2437-1-ludo@HIDDEN>
X-Mailer: git-send-email 2.26.2
Cc: Ludovic Courtès <ludo@HIDDEN>

* guix/git.scm (commit-relation): New procedure.
* tests/git.scm ("commit-relation"): New test.
---
 guix/git.scm  | 16 ++++++++++++++++
 tests/git.scm | 42 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/guix/git.scm b/guix/git.scm
index 92121156cf..249d622756 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -43,6 +43,7 @@
             url+commit->name
             latest-repository-commit
             commit-difference
+            commit-relation
 
             git-checkout
             git-checkout?
@@ -405,6 +406,21 @@ that of OLD."
                  (cons head result)
                  (set-insert head visited)))))))
 
+(define (commit-relation old new)
+  "Return a symbol denoting the relation between OLD and NEW, two commit
+objects: 'ancestor (meaning that OLD is an ancestor of NEW), 'descendant, or
+'unrelated, or 'self (OLD and NEW are the same commit)."
+  (if (eq? old new)
+      'self
+      (let ((newest (commit-closure new)))
+        (if (set-contains? newest old)
+            'ancestor
+            (let* ((seen   (list->setq (commit-parents new)))
+                   (oldest (commit-closure old seen)))
+              (if (set-contains? oldest new)
+                  'descendant
+                  'unrelated))))))
+
 
 ;;;
 ;;; Checkouts.
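Review bot: the 'self case in 'commit-relation' relies on `(eq? old new)`, and the 'ancestor and 'descendant cases on `set-contains?` over sets such as the one built with `list->setq`, so all of them depend on commit objects for the same OID being `eq?`. Is that guaranteed when OLD and NEW come from two separate lookups? The test in this patch passes the same binding twice (master3 master3), so it does not settle the question; if identity is not guaranteed, compare OIDs instead. The docstring could also note that the full closure of NEW is computed first, which matters on long histories, and it has one "or" too many in "'descendant, or 'unrelated, or 'self".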
diff --git a/tests/git.scm b/tests/git.scm
index 052f8a79c4..4a806abcc3 100644
--- a/tests/git.scm
+++ b/tests/git.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019 Ludovic Courtès <ludo@HIDDEN>
+;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -122,4 +122,44 @@
              (lset= eq? (commit-difference commit4 commit1 (list commit5))
                     (list commit2 commit3 commit4)))))))
 
+(unless (which (git-command)) (test-skip 1))
+(test-equal "commit-relation"
+  '(self                                          ;master3 master3
+    ancestor                                      ;master1 master3
+    descendant                                    ;master3 master1
+    unrelated                                     ;master2 branch1
+    unrelated                                     ;branch1 master2
+    ancestor                                      ;branch1 merge
+    descendant                                    ;merge branch1
+    ancestor                                      ;master1 merge
+    descendant)                                   ;merge master1
+  (with-temporary-git-repository directory
+      '((add "a.txt" "A")
+        (commit "first commit")
+        (branch "hack")
+        (checkout "hack")
+        (add "1.txt" "1")
+        (commit "branch commit")
+        (checkout "master")
+        (add "b.txt" "B")
+        (commit "second commit")
+        (add "c.txt" "C")
+        (commit "third commit")
+        (merge "hack" "merge"))
+    (with-repository directory repository
+      (let ((master1 (find-commit repository "first"))
+            (master2 (find-commit repository "second"))
+            (master3 (find-commit repository "third"))
+            (branch1 (find-commit repository "branch"))
+            (merge   (find-commit repository "merge")))
+        (list (commit-relation master3 master3)
+              (commit-relation master1 master3)
+              (commit-relation master3 master1)
+              (commit-relation master2 branch1)
+              (commit-relation branch1 master2)
+              (commit-relation branch1 merge)
+              (commit-relation merge branch1)
+              (commit-relation master1 merge)
+              (commit-relation merge master1))))))
+
 (test-end "git")
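Review bot: both `unrelated` expectations use the master2/branch1 pair, which still share "first commit" as a common ancestor, so no pair in this test has histories with no commit in common. Since the series is meant to reject an unrelated revision as well as an older one, consider adding a commit on a separate root and asserting `'unrelated` for it in both argument orders. Minor: the `merge` binding in the `let` shadows any outer `merge`; a name such as `merge-commit` would read more clearly next to the `(merge "hack" "merge")` directive.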
-- 
2.26.2





Information forwarded to guix-patches@HIDDEN:
bug#41425; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/5] Have 'guix pull' protect against downgrade attacks
Date: Wed, 20 May 2020 23:38:02 +0200
Message-Id: <20200520213802.2170-1-ludo@HIDDEN>

Hello!

This patch series aims to protect against “downgrade attacks”, whereby
a “guix pull” command would in fact deploy an older or an unrelated
revision of Guix, potentially leading you to install vulnerable or
malicious software.

By default ‘guix pull’ would now error out if the target commit of a
channel is not a descendant of the currently-used commit, according to
the commit graph.  There’s an option to bypass that.  ‘guix
time-machine’ behavior is unchanged though: it never complains.

This is generally useful and it’s a requirement for authenticated
checkouts as discussed in <https://issues.guix.gnu.org/22883>,
otherwise one could easily escape the intended authentication scheme
by branching and providing a different ‘.guix-authorizations’ file.

Feedback welcome!

Ludo’.

Ludovic Courtès (5):
  git: Add 'commit-relation'.
  channels: 'latest-channel-instances' doesn't leak internal state.
  git: 'update-cached-checkout' returns the commit relation.
  channels: 'latest-channel-instances' guards against non-forward
    updates.
  pull: Protect against downgrade attacks.

 doc/guix.texi         |  15 ++++
 guix/channels.scm     | 156 ++++++++++++++++++++++++++++++------------
 guix/git.scm          |  37 ++++++++--
 guix/import/opam.scm  |   2 +-
 guix/scripts/pull.scm |  35 +++++++++-
 tests/channels.scm    |  47 +++++++++++--
 tests/git.scm         |  42 +++++++++++-
 7 files changed, 276 insertions(+), 58 deletions(-)

-- 
2.26.2
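
The policy described in the cover letter above, as an added Python model that is not part of the patch series or of Guix. The commit graph is constructed to mirror the repository built in the "commit-relation" test, the "orphan" root is an extra constructed commit, and `check_pull` and its `allow_downgrades` parameter are hypothetical names standing in for the default check and the bypass option.

```python
# Constructed commit graph (commit -> parents), mirroring the repository that
# the "commit-relation" test builds; "orphan" is an extra root added here.
PARENTS = {
    "master1": [],
    "branch1": ["master1"],
    "master2": ["master1"],
    "master3": ["master2"],
    "merge": ["master3", "branch1"],
    "orphan": [],
}


def closure(commit, parents=PARENTS):
    """Return COMMIT together with every commit reachable through parents."""
    seen, todo = set(), [commit]
    while todo:
        head = todo.pop()
        if head not in seen:
            seen.add(head)
            todo.extend(parents[head])
    return seen


def commit_relation(old, new, parents=PARENTS):
    """Say how OLD relates to NEW: self, ancestor, descendant or unrelated."""
    if old == new:
        return "self"
    if old in closure(new, parents):
        return "ancestor"
    if new in closure(old, parents):
        return "descendant"
    return "unrelated"


class DowngradeError(Exception):
    """Raised when an update would not move forward in the commit graph."""


def check_pull(current, target, allow_downgrades=False, parents=PARENTS):
    """Accept TARGET only if CURRENT is TARGET or one of its ancestors.

    allow_downgrades is a hypothetical name for the bypass option."""
    relation = commit_relation(current, target, parents)
    if relation in ("self", "ancestor") or allow_downgrades:
        return relation
    raise DowngradeError(
        f"{target} is not a descendant of {current} (relation: {relation})")
```

Both an older target and a target on a diverged or disjoint history are refused by default, which is what keeps a branch carrying a different `.guix-authorizations` file from being accepted as an update.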





Acknowledgement sent to Ludovic Courtès <ludo@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#41425; Package guix-patches. Full text available.
Last modified: Mon, 25 May 2020 14:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.