From patchwork Wed Jul 15 23:18:57 2020
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 23241
Subject: [bug#42381] [PATCH 2/3] git: 'update-cached-checkout' has a new #:check-out? parameter.
To: 42381@debbugs.gnu.org
Cc: Ludovic Courtès
Resent-Date: Wed, 15 Jul 2020 23:20:02 +0000
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Thu, 16 Jul 2020 01:18:57 +0200 Message-Id: <20200715231858.10201-2-ludo@gnu.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200715231858.10201-1-ludo@gnu.org> References: <20200715231858.10201-1-ludo@gnu.org> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches * guix/git.scm (update-cached-checkout): Add #:check-out? parameter and honor it. --- guix/git.scm | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/guix/git.scm b/guix/git.scm index ca67b1d37c..7f8f9addfb 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -292,6 +292,7 @@ definitely available in REPOSITORY, false otherwise." #:key (ref '(branch . "master")) recursive? + (check-out? #t) starting-commit (log-port (%make-void-port "w")) (cache-directory @@ -306,7 +307,10 @@ provided) as returned by 'commit-relation'. REF is pair whose key is [branch | commit | tag | tag-or-commit ] and value the associated data: [ | | | ]. -When RECURSIVE? is true, check out submodules as well, if any." +When RECURSIVE? is true, check out submodules as well, if any. + +When CHECK-OUT? is true, reset the cached working tree to REF; otherwise leave +it unchanged." (define canonical-ref ;; We used to require callers to specify "origin/" for each branch, which ;; made little sense since the cache should be transparent to them. So 
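Review bot: the new CHECK-OUT? paragraph in the docstring should also say what the caller gets back in the false case, because it changes the meaning of the other parameters and of the return values: when CHECK-OUT? is false the working tree is left alone, so the checkout directory this procedure returns no longer corresponds to REF, and the "check out submodules" behaviour promised for RECURSIVE? in the preceding sentence cannot hold as written. Suggest extending the added text along the lines of "When CHECK-OUT? is false, the returned checkout directory may not correspond to REF" and stating whether RECURSIVE? still has any effect in that case.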
@@ -337,7 +341,10 @@ When RECURSIVE? is true, check out submodules as well, if any." ;; Note: call 'commit-relation' from here because it's more efficient ;; than letting users re-open the checkout later on. - (let* ((oid (switch-to-ref repository canonical-ref)) + (let* ((oid (if check-out? + (switch-to-ref repository canonical-ref) + (object-id + (resolve-reference repository canonical-ref)))) (new (and starting-commit (commit-lookup repository oid))) (old (and starting-commit From patchwork Wed Jul 15 23:18:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 23242 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id A6FD727BBE1; Thu, 16 Jul 2020 00:20:13 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTP id 3F3F027BBE4 for ; Thu, 16 Jul 2020 00:20:11 +0100 (BST) Received: from localhost ([::1]:57498 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jvqh8-0003wA-PY for patchwork@mira.cbaines.net; Wed, 15 Jul 2020 19:20:10 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36490) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvqh1-0003vM-DN for guix-patches@gnu.org; Wed, 15 Jul 2020 19:20:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:42444) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jvqh1-00034V-2m for guix-patches@gnu.org; Wed, 15 Jul 2020 19:20:03 -0400 
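Review bot: in the non-checkout branch of this hunk, `(object-id (resolve-reference repository canonical-ref))` gives `oid` for REF while the cached working tree stays wherever the previous caller left it, so the checkout directory returned alongside `oid` is stale and callers must not read files from it expecting REF. The only caller that passes `#:check-out? #f` in this series (`channel-relations` in patch 3/3) wants just the `commit-relation` result, so consider either documenting the stale-directory return value in the docstring or splitting the relation computation into its own procedure that does not hand back a directory at all.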
Subject: [bug#42381] [PATCH 3/3] guix system: 'reconfigure' disallows downgrades by default.
To: 42381@debbugs.gnu.org
Cc: Ludovic Courtès
Resent-Date: Wed, 15 Jul 2020 23:20:02 +0000
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Thu, 16 Jul 2020 01:18:58 +0200 Message-Id: <20200715231858.10201-3-ludo@gnu.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200715231858.10201-1-ludo@gnu.org> References: <20200715231858.10201-1-ludo@gnu.org> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches This is similar to what 9744cc7b4636fafb772c94adb8f05961b5b39f16 did for 'guix pull'. * guix/scripts/system/reconfigure.scm (ensure-forward-reconfigure) (warn-about-backward-reconfigure, channel-relations) (check-forward-update): New procedures. * guix/scripts/system.scm (perform-action): Add #:validate-reconfigure. Call 'check-forward-update' when ACTION is 'reconfigure. (%options, show-help): Add "--allow-downgrades". (%default-options): Add 'validate-reconfigure' key. (process-action): Pass #:validate-reconfigure to 'perform-action'. * doc/guix.texi (Invoking guix system): Document 'guix system describe' more prominently, and document '--allow-downgrades'. --- doc/guix.texi | 35 +++++++++-- guix/scripts/system.scm | 15 ++++- guix/scripts/system/reconfigure.scm | 97 ++++++++++++++++++++++++++++- 3 files changed, 141 insertions(+), 6 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 17338ed764..4398e533d2 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -27677,11 +27677,16 @@ an older system generation at boot time should you need it. Upon completion, the new system is deployed under @file{/run/current-system}. This directory contains @dfn{provenance meta-data}: the list of channels in use (@pxref{Channels}) and -@var{file} itself, when available. This information is useful should -you later want to inspect how this particular generation was built. +@var{file} itself, when available. You can view it by running: -In fact, assuming @var{file} is self-contained, you can later rebuild -generation @var{n} of your operating system with: +@example +guix system describe +@end example + +This information is useful should you later want to inspect how this +particular generation was built. In fact, assuming @var{file} is +self-contained, you can later rebuild generation @var{n} of your +operating system with: @example guix time-machine \ @@ -27695,6 +27700,12 @@ system is not just a binary artifact: @emph{it carries its own source}. @xref{Service Reference, @code{provenance-service-type}}, for more information on provenance tracking. +By default, @command{reconfigure} @emph{prevents you from downgrading +your system}, which could (re)introduce security vulnerabilities and +also cause problems with ``stateful'' services such as database +management systems. You can override that behavior by passing +@option{--allow-downgrades}. + @item switch-generation @cindex generations Switch to an existing system generation. This action atomically 
@@ -28021,6 +28032,22 @@ appear in the @code{operating-system} declaration actually exist needed at boot time are listed in @code{initrd-modules} (@pxref{Initial RAM Disk}). Passing this option skips these tests altogether. +@item --allow-downgrades +Instruct @command{guix system reconfigure} to allow system downgrades. + +By default, @command{reconfigure} prevents you from downgrading your +system. It achieves that by comparing the provenance info of your +system (shown by @command{guix system describe}) with that of your +@command{guix} command (shown by @command{guix describe}). If the +commits for @command{guix} are not descendants of those used for your +system, @command{guix system reconfigure} errors out. Passing +@option{--allow-downgrades} allows you to bypass these checks. + +@quotation Note +Make sure you understand its security implications before using +@option{--allow-downgrades}. +@end quotation + @cindex on-error @cindex on-error strategy @cindex error strategy diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm index f2b4367094..79bfcd7db2 100644 --- a/guix/scripts/system.scm +++ b/guix/scripts/system.scm @@ -736,6 +736,7 @@ and TARGET arguments." (define* (perform-action action os #:key + (validate-reconfigure ensure-forward-reconfigure) save-provenance? skip-safety-checks? install-bootloader? @@ -778,7 +779,8 @@ static checks." (operating-system-bootcfg os menu-entries))) (when (eq? action 'reconfigure) - (maybe-suggest-running-guix-pull)) + (maybe-suggest-running-guix-pull) + (check-forward-update validate-reconfigure)) ;; Check whether the declared file systems exist. This is better than ;; instantiating a broken configuration. Assume that we can only check if 
@@ -926,6 +928,9 @@ Some ACTIONS support additional ARGS.\n")) (display (G_ " -e, --expression=EXPR consider the operating-system EXPR evaluates to instead of reading FILE, when applicable")) + (display (G_ " + --allow-downgrades for 'reconfigure', allow downgrades to earlier + channel revisions")) (display (G_ " --on-error=STRATEGY apply STRATEGY (one of nothing-special, backtrace, @@ -981,6 +986,11 @@ Some ACTIONS support additional ARGS.\n")) (option '(#\d "derivation") #f #f (lambda (opt name arg result) (alist-cons 'derivations-only? #t result))) + (option '("allow-downgrades") #f #f + (lambda (opt name arg result) + (alist-cons 'validate-reconfigure + warn-about-backward-reconfigure + result))) (option '("on-error") #t #f (lambda (opt name arg result) (alist-cons 'on-error (string->symbol arg) @@ -1053,6 +1063,7 @@ Some ACTIONS support additional ARGS.\n")) (graft? . #t) (debug . 0) (verbosity . #f) ;default + (validate-reconfigure . ,ensure-forward-reconfigure) (file-system-type . "ext4") (image-size . guess) (install-bootloader? . #t))) @@ -1138,6 +1149,8 @@ resulting from command-line parsing." #:use-substitutes? (assoc-ref opts 'substitutes?) #:skip-safety-checks? (assoc-ref opts 'skip-safety-checks?) + #:validate-reconfigure + (assoc-ref opts 'validate-reconfigure) #:file-system-type (assoc-ref opts 'file-system-type) #:image-size (assoc-ref opts 'image-size) #:full-boot? (assoc-ref opts 'full-boot?) diff --git a/guix/scripts/system/reconfigure.scm b/guix/scripts/system/reconfigure.scm index 7885c33457..9013e035f7 100644 --- a/guix/scripts/system/reconfigure.scm +++ b/guix/scripts/system/reconfigure.scm 
@@ -34,9 +34,18 @@ #:use-module (guix monads) #:use-module (guix store) #:use-module ((guix self) #:select (make-config.scm)) + #:autoload (guix describe) (current-profile) + #:use-module (guix channels) + #:autoload (guix git) (update-cached-checkout) + #:use-module (guix i18n) + #:use-module (guix diagnostics) + #:use-module ((guix utils) #:select (&fix-hint)) #:use-module (ice-9 match) #:use-module (srfi srfi-1) #:use-module (srfi srfi-11) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) + #:use-module ((guix config) #:select (%guix-package-name)) #:export (switch-system-program switch-to-system @@ -44,7 +53,11 @@ upgrade-shepherd-services install-bootloader-program - install-bootloader)) + install-bootloader + + check-forward-update + ensure-forward-reconfigure + warn-about-backward-reconfigure)) ;;; Commentary: ;;; 
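Review bot: the autoload from `(guix describe)` selects only `current-profile`, yet `check-forward-update` later in this patch also calls `profile-channels` and `system-provenance`, and neither name appears in this import list. If they are meant to come through `(guix channels)` or an existing `#:use-module`, please confirm; otherwise add them to the `#:autoload`/`#:select` lists so the dependency is visible here, since an unbound variable in this code path would only surface at reconfigure time.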
@@ -266,3 +279,85 @@ additional configurations specified by MENU-ENTRIES can be selected." bootcfg-file device target)))))) + + +;;; +;;; Downgrade detection. +;;; + +(define (ensure-forward-reconfigure channel start commit relation) + "Raise an error if RELATION is not 'ancestor, meaning that START is not an +ancestor of COMMIT, unless CHANNEL specifies a commit." + (match relation + ('ancestor #t) + ('self #t) + (_ + (raise (make-compound-condition + (condition + (&message (message + (format #f (G_ "\ +aborting reconfiguration because commit ~a of channel '~a' is not a descendant of ~a") + commit (channel-name channel) + start))) + (&fix-hint + (hint (G_ "Use @option{--allow-downgrades} to force +this downgrade."))))))))) + +(define (warn-about-backward-reconfigure channel start commit relation) + "Warn about non-forward updates of CHANNEL from START to COMMIT, without +aborting." + (match relation + ((or 'ancestor 'self) + #t) + ('descendant + (warning (G_ "rolling back channel '~a' from ~a to ~a~%") + (channel-name channel) start commit)) + ('unrelated + (warning (G_ "moving channel '~a' from ~a to unrelated commit ~a~%") + (channel-name channel) start commit)))) + +(define (channel-relations old new) + "Return a list of channel/relation pairs, where each relation is a symbol as +returned by 'commit-relation' denoting how commits of channels in OLD relate +to commits of channels in NEW." + (filter-map (lambda (old) + (let ((new (find (lambda (channel) + (eq? (channel-name channel) + (channel-name old))) + new))) + (and new + (let-values (((checkout commit relation) + (update-cached-checkout + (channel-url new) + #:ref + `(commit . ,(channel-commit new)) + #:starting-commit + (channel-commit old) + #:check-out? 
#f))) + (list new + (channel-commit old) (channel-commit new) + relation))))) + old)) + +(define* (check-forward-update #:optional + (validate-reconfigure ensure-forward-reconfigure)) + "Call VALIDATE-RECONFIGURE passing it, for each channel, the channel, the +currently-deployed commit (as returned by 'guix system describe') and the +target commit (as returned by 'guix describe')." + ;; TODO: Make that functionality available to 'guix deploy'. + (define new + (or (and=> (current-profile) profile-channels) + '())) + + (define old + (system-provenance "/run/current-system")) + + (when (null? old) + (warning (G_ "cannot determine provenance for /run/current-system~%"))) + (when (and (null? new) (not (getenv "GUIX_UNINSTALLED"))) + (warning (G_ "cannot determine provenance of ~a~%") %guix-package-name)) + + (for-each (match-lambda + ((channel old new relation) + (validate-reconfigure channel old new relation))) + (channel-relations old new)))
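Review bot: the @option{--allow-downgrades} paragraph in the doc/guix.texi hunk at @@ -28021 describes the check as comparing the two provenance records and erroring out, but `check-forward-update` only warns and carries on when the provenance of /run/current-system or of @command{guix} cannot be determined, so a generation without provenance data is not protected at all. Suggest stating that the check is skipped with a warning when provenance information is unavailable, and replacing the "Make sure you understand its security implications" note with the concrete consequences already named two hunks earlier (reintroduced vulnerabilities and breakage of stateful services such as database management systems), so the reader does not have to guess what is meant.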
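Review bot: the `(check-forward-update validate-reconfigure)` call added in the guix/scripts/system.scm hunk at @@ -778 runs for every 'reconfigure regardless of `skip-safety-checks?`, which is fine given it has its own opt-out, but through `channel-relations` it invokes `update-cached-checkout` on each channel URL, i.e. it refreshes the cached clone of every channel before the file-system check that follows. A comment that this step needs network access (or a cache warmed by the preceding `guix pull`) would help, and consider moving the call ahead of `operating-system-bootcfg` so that a refused downgrade fails before the bootloader configuration is built.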
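Review bot: the docstring of `ensure-forward-reconfigure` says the error is raised "unless CHANNEL specifies a commit", but the body never inspects CHANNEL: the `match` on RELATION treats every value other than 'ancestor and 'self as a downgrade, so a channel explicitly pinned to an older commit still aborts. Either implement that exception (for instance by consulting `channel-commit` of the declared channel) or drop the clause from the docstring. Two smaller points in the same hunk: `warn-about-backward-reconfigure` has no fallback clause, so an unexpected relation symbol raises a match error rather than a warning, whereas `ensure-forward-reconfigure` uses `_`; and `channel-relations` pairs channels by `channel-name` only, so a same-named channel served from a different URL has its old commit looked up in the new repository, where the `commit-lookup` of `#:starting-commit` (see the git.scm hunk in patch 2/3) may not find it at all; the 'unrelated outcome is the safe one, but the failure message should say why. Lastly, when `old` is `'()` the procedure warns and validates nothing, which is probably unavoidable but deserves an explicit comment since it is the one case where the default protection silently does not apply.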