guix-patches

[bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attac


From: Ludovic Courtès
Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks
Date: Fri, 22 May 2020 15:55:56 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi Simon,

zimoun <address@hidden> writes:

> On Wed, 20 May 2020 at 23:39, Ludovic Courtès <address@hidden> wrote:
>
>> By default ‘guix pull’ would now error out if the target commit of a
>> channel is not a descendant of the currently-used commit, according to
>> the commit graph.  There’s an option to bypass that.  ‘guix
>> time-machine’ behavior is unchanged though: it never complains.
>
> What is the extra time cost of such check?

The problem is not the cost.  ‘guix pull’ compares the target commit(s)
against the commit(s) of the currently-used ‘guix’; it can clearly see
if it’s a forward pull or not.

However, in the case of ‘guix time-machine’, there’s nothing to compare
against (it’s a bit like a fresh ‘git clone’ as opposed to a ‘git pull’,
if you see what I mean.)

Additionally, the purpose of ‘guix time-machine’ is to travel in time,
usually in the past, so it would be inconvenient to get warnings or
errors every time.

> It is not easy -- nor impossible -- to evaluate such cost at the level
> of "guix pull".  And I failed to evaluate it using 'commit-relation'
> with "guix repl" -- Segmentation fault with commit
> c81457a5883ea43950eb2ecdcbb58a5b144bcd11 and
> 4bdf4182fe080c3409f6ef9b410146b67cfa2595; probably because I did used
> correctly the API.

How can I reproduce the issue?

> Well, what will be the timing impact of checking the "fast-forwardness"?

I haven’t measured it, but it’s small compared to the cost of fetching
the new revisions and performing the checkout.  It’s roughly what ‘git
pull’ does, although ‘git pull’ is probably faster because it’s in C and
has been well optimized over the years.

Thanks for your feedback!

Ludo’.
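
The forward-pull check discussed in this message, sketched as an added example; it is not part of the original message and is not Guix's code. The commit graph is constructed, and the names `relation`, `check_update` and `allow_bypass` are hypothetical.

```python
from collections import deque

# Constructed commit graph: commit id -> list of parent ids.
#   a <- b <- c <- e   (e is a merge of c and d)
#        b <- d
#   x belongs to an unrelated history.
PARENTS = {"a": [], "b": ["a"], "c": ["b"], "d": ["b"],
           "e": ["c", "d"], "x": []}

class DowngradeError(Exception):
    """The target commit is not a descendant of the current one."""

def ancestors(commit, parents):
    """Return every commit reachable from COMMIT through parent links."""
    seen, queue = set(), deque(parents[commit])
    while queue:
        c = queue.popleft()
        if c not in seen:
            seen.add(c)
            queue.extend(parents[c])
    return seen

def relation(current, target, parents):
    """Classify TARGET relative to CURRENT in the commit graph."""
    if current == target:
        return "self"
    if current in ancestors(target, parents):
        return "forward"      # target descends from current
    if target in ancestors(current, parents):
        return "backward"     # target is older than current
    return "unrelated"        # diverged branches or separate histories

def check_update(current, target, parents, allow_bypass=False):
    """Accept forward moves only, unless the caller bypasses the check.

    CURRENT is None when there is nothing to compare against, which is
    the fresh-clone situation the message describes for time travel.
    """
    if current is None:
        return "no-baseline"
    rel = relation(current, target, parents)
    if rel in ("self", "forward") or allow_bypass:
        return rel
    raise DowngradeError(f"{target} is {rel} relative to {current}")
```

Sibling commits such as `c` and `d` are reported as unrelated rather than backward, so a move onto a diverged branch is refused just like a move to an older commit.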




