machine: ssh: Check for potential system downgrades.

This is a followup to 8e31736b0a60919cc1bfc5dc22c395b09243484a.

* guix/scripts/system/reconfigure.scm (check-forward-update): Add
 #:current-channels.  Use it instead of OLD.
* gnu/services.scm (sexp->system-provenance): New procedure.
(system-provenance): Use it.
* gnu/machine/ssh.scm (<machine-ssh-configuration>)[allow-downgrades?]:
New field.
(machine-check-forward-update): New procedure.
(check-deployment-sanity)[assertions]: Call it.
* doc/guix.texi (Invoking guix deploy): Document 'allow-downgrades?'
field.

1 files changed, 10 insertions, 0 deletions

diff --git a/doc/guix.texi b/doc/guix.texi
index e2b304ff63..ca96ecc298 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -29033,6 +29033,16 @@ When @code{host-key} is @code{#f}, the server is authenticated against
 the @file{~/.ssh/known_hosts} file, just like the OpenSSH @command{ssh}
 client does.
 
+@item @code{allow-downgrades?} (default: @code{#f})
+Whether to allow potential downgrades.
+
+Like @command{guix system reconfigure}, @command{guix deploy} compares
+the channel commits currently deployed on the remote host (as returned
+by @command{guix system describe}) to those currently in use (as
+returned by @command{guix describe}) to determine whether commits
+currently in use are descendants of those deployed.  When this is not
+the case and @code{allow-downgrades?} is false, it raises an error.
+This ensures you do not accidentally downgrade remote machines.
 @end table
 @end deftp