Security-Enhancement: Fine Control for guix pull --allow-downgrades
From: Rostislav Svoboda
Subject: Security-Enhancement: Fine Control for guix pull --allow-downgrades
Date: Thu, 11 Apr 2024 00:08:12 +0200
Hi geeks,
I've written a patch aimed at improving security by introducing
fine-grained control over `guix pull --allow-downgrades`. This
allows for precise management of channel downgrades during `guix
pull`. Examples:
$ guix pull --allow-downgrades # same behavior as before - all current channels can be downgraded (backward compatible)
Updating channel 'foo'; validate-pull 'warn-about-backward-updates'
from Git repository at 'https://foo.domain.org/foo-repo'...
Updating channel 'bar'; validate-pull 'warn-about-backward-updates'
from Git repository at 'https://bar.domain.org/bar-repo'...
Updating channel 'guix'; validate-pull 'warn-about-backward-updates'
from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
[...]
$ guix pull --allow-downgrades=foo # only the 'foo' channel can be downgraded
Updating channel 'bar'; validate-pull 'warn-about-backward-updates'
from Git repository at 'https://bar.domain.org/bar-repo'...
Updating channel 'foo'; validate-pull 'ensure-forward-channel-update'
from Git repository at 'https://foo.domain.org/foo-repo'...
Updating channel 'guix'; validate-pull 'ensure-forward-channel-update'
from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
[...]
$ guix pull --allow-downgrades=foo,bar # same as: guix pull --allow-downgrades=foo --allow-downgrades=bar
Updating channel 'foo'; validate-pull 'warn-about-backward-updates'
from Git repository at 'https://foo.domain.org/foo-repo'...
Updating channel 'bar'; validate-pull 'warn-about-backward-updates'
from Git repository at 'https://bar.domain.org/bar-repo'...
Updating channel 'guix'; validate-pull 'ensure-forward-channel-update'
from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
[...]
The patch is just a starting point and doesn't have docs yet. If you
see value in this idea, I'll write them.
I’d love to know what you think.
Cheers, Bost
Attachment: 0001-Fine-Control-guix-pull-allow-downgrades-CHANNELS.patch (Description: Text Data)
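As an added illustration (not the patch's own code, which the mail only attaches), here is a small Python model of the policy the mail describes: repeated and comma-separated `--allow-downgrades` values are folded into one channel set, and each channel is then checked with either the warning or the forward-only validator. The commit histories and the names `ALL_CHANNELS`, `parse_allow_downgrades`, `is_forward` and `validate_pull` are constructed for this example.

```python
"""Illustrative model of the per-channel downgrade policy described in the
mail (added example; not Guix's code). Channel histories are constructed."""

ALL_CHANNELS = object()  # sentinel: bare --allow-downgrades, no channel list

# Constructed commit graphs: for each channel, commit -> parent commit.
# 'x1' in channel 'foo' shares no history with f1/f2 (e.g. a rewritten branch).
PARENTS = {
    "guix": {"c1": None, "c2": "c1", "c3": "c2"},
    "foo": {"f1": None, "f2": "f1", "x1": None},
}


def parse_allow_downgrades(values):
    """Fold repeated --allow-downgrades options into one channel set.

    `values` holds one entry per occurrence: None for a bare flag,
    otherwise the comma-separated CHANNELS string. A bare flag anywhere
    means every channel may be downgraded (the pre-patch behaviour)."""
    if any(v is None for v in values):
        return ALL_CHANNELS
    names = set()
    for v in values:
        names.update(n.strip() for n in v.split(",") if n.strip())
    return names


def is_forward(channel, old, new):
    """True when `old` is `new` itself or one of its ancestors."""
    commit = new
    while commit is not None:
        if commit == old:
            return True
        commit = PARENTS[channel][commit]
    return False


def validate_pull(channel, old, new, allowed):
    """Return (validator name, outcome) for one channel update.

    Channels in `allowed` only warn on a backward update; every other
    channel must move forward or the update is rejected."""
    downgrade_ok = allowed is ALL_CHANNELS or channel in allowed
    validator = ("warn-about-backward-updates" if downgrade_ok
                 else "ensure-forward-channel-update")
    if is_forward(channel, old, new):
        return validator, "ok"
    return validator, ("warned" if downgrade_ok else "rejected")
```

The last case in the model shows why the forward check matters: a channel whose new commit shares no history with the current one is treated exactly like a rollback, so it is rejected unless that channel was explicitly allowed.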