[bug#59383] [PATCH] doc: Call out potential for downgrade attacks with t
From: zimoun
Subject: [bug#59383] [PATCH] doc: Call out potential for downgrade attacks with time-machine.
Date: Mon, 21 Nov 2022 12:19:05 +0100
Hi,
On Sat, 19 Nov 2022 at 18:39, "pelzflorian (Florian Pelz)"
<pelzflorian@pelzflorian.de> wrote:
>>> @quotation Note
>>> Naturally, no security fixes can be provided for old versions of Guix
>>> or its channels. This also means that careless use of @command{guix
>>> time-machine} opens the door to downgrade attacks.
>>> @xref{Invoking guix pull, @option{--allow-downgrades}}.
>>> @end quotation
>>
>> ‘Attack’ is a very big word. It should not end a paragraph. What
>> would the downgrade attack—distinct from a downgrade—look like?
Why not something like,
--8<---------------cut here---------------start------------->8---
@quotation Note
The history of Guix is immutable and @command{guix time-machine}
provides the exact same software as they are in a specific Guix
revision. Naturally, no security fixes are provided for old versions
of Guix or its channels. A careless use of @command{guix time-machine}
opens the door to security vulnerabilities @xref{Invoking guix pull,
@option{--allow-downgrades}}.
@end quotation
--8<---------------cut here---------------end--------------->8---
?
Cheers,
simon