pull: Protect against downgrade attacks.

* guix/scripts/pull.scm (%default-options): Add 'validate-pull'. (%options, show-help): Add '--allow-downgrades'. (warn-about-backward-updates): New procedure. (guix-pull): Pass #:current-channels and #:validate-pull to 'latest-channel-instances'. * guix/channels.scm (ensure-forward-channel-update): Add hint for when (channel-commit channel) is true. * doc/guix.texi (Invoking guix pull): Document '--allow-downgrades'.
author: Ludovic Courtès <ludo@gnu.org> 2020-05-20 23:18:09 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2020-05-25 00:00:28 +0200
commit: 9744cc7b4636fafb772c94adb8f05961b5b39f16 (patch)
tree: a06d57b21b197ebe1d3f9a85d81d6ecc795146a1 /guix/channels.scm
parent: 872898f768ae6d3b41eb93c5e183624bd1d157ff (diff)
download: guix-patches-9744cc7b4636fafb772c94adb8f05961b5b39f16.tar
guix-patches-9744cc7b4636fafb772c94adb8f05961b5b39f16.tar.gz
1 files changed, 20 insertions, 16 deletions
diff --git a/guix/channels.scm b/guix/channels.scm
index 70e2d7f07c..84c47fc0d0 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -246,25 +246,29 @@ This procedure implements a channel update policy meant to be used as a
     ('ancestor #t)
     ('self #t)
     (_
-     (raise (apply make-compound-condition
-                   (condition
-                    (&message (message
-                               (format #f (G_ "\
+     (raise (make-compound-condition
+             (condition
+              (&message (message
+                         (format #f (G_ "\
 aborting update of channel '~a' to commit ~a, which is not a descendant of ~a")
-                                       (channel-name channel)
-                                       (channel-instance-commit instance)
-                                       start))))
-
-                   ;; Don't show the hint when the user explicitly specified a
-                   ;; commit in CHANNEL.
-                   (if (channel-commit channel)
-                       '()
-                       (list (condition
-                              (&fix-hint
-                               (hint (G_ "This could indicate that the channel has
+                                 (channel-name channel)
+                                 (channel-instance-commit instance)
+                                 start))))
+
+             ;; If the user asked for a specific commit, they might want
+             ;; that to happen nevertheless, so tell them about the
+             ;; relevant 'guix pull' option.
+             (if (channel-commit channel)
+                 (condition
+                  (&fix-hint
+                   (hint (G_ "Use @option{--allow-downgrades} to force
+this downgrade."))))
+                 (condition
+                  (&fix-hint
+                   (hint (G_ "This could indicate that the channel has
 been tampered with and is trying to force a roll-back, preventing you from
 getting the latest updates.  If you think this is not the case, explicitly
-allow non-forward updates.")))))))))))
+allow non-forward updates."))))))))))
 
 (define* (latest-channel-instances store channels
                                    #:key
author	Ludovic Courtès <ludo@gnu.org>	2020-05-20 23:18:09 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2020-05-25 00:00:28 +0200
commit	9744cc7b4636fafb772c94adb8f05961b5b39f16 (patch)
tree	a06d57b21b197ebe1d3f9a85d81d6ecc795146a1 /guix/channels.scm
parent	872898f768ae6d3b41eb93c5e183624bd1d157ff (diff)
download	guix-patches-9744cc7b4636fafb772c94adb8f05961b5b39f16.tar guix-patches-9744cc7b4636fafb772c94adb8f05961b5b39f16.tar.gz