From 8e31736b0a60919cc1bfc5dc22c395b09243484a Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 16 Jul 2020 00:01:17 +0200 Subject: guix system: 'reconfigure' disallows downgrades by default. This is similar to what 9744cc7b4636fafb772c94adb8f05961b5b39f16 did for 'guix pull'. * guix/scripts/system/reconfigure.scm (ensure-forward-reconfigure) (warn-about-backward-reconfigure, channel-relations) (check-forward-update): New procedures. * guix/scripts/system.scm (perform-action): Add #:validate-reconfigure. Call 'check-forward-update' when ACTION is 'reconfigure. (%options, show-help): Add "--allow-downgrades". (%default-options): Add 'validate-reconfigure' key. (process-action): Pass #:validate-reconfigure to 'perform-action'. * doc/guix.texi (Invoking guix system): Document 'guix system describe' more prominently, and document '--allow-downgrades'. --- doc/guix.texi | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index b0eba017a6..fb1c66dcf4 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -28388,11 +28388,16 @@ an older system generation at boot time should you need it. Upon completion, the new system is deployed under @file{/run/current-system}. This directory contains @dfn{provenance meta-data}: the list of channels in use (@pxref{Channels}) and -@var{file} itself, when available. This information is useful should -you later want to inspect how this particular generation was built. +@var{file} itself, when available. You can view it by running: -In fact, assuming @var{file} is self-contained, you can later rebuild -generation @var{n} of your operating system with: +@example +guix system describe +@end example + +This information is useful should you later want to inspect how this +particular generation was built. In fact, assuming @var{file} is +self-contained, you can later rebuild generation @var{n} of your +operating system with: @example guix time-machine \ @@ -28406,6 +28411,12 @@ system is not just a binary artifact: @emph{it carries its own source}. @xref{Service Reference, @code{provenance-service-type}}, for more information on provenance tracking. +By default, @command{reconfigure} @emph{prevents you from downgrading +your system}, which could (re)introduce security vulnerabilities and +also cause problems with ``stateful'' services such as database +management systems. You can override that behavior by passing +@option{--allow-downgrades}. + @item switch-generation @cindex generations Switch to an existing system generation. This action atomically 
@@ -28732,6 +28743,22 @@ appear in the @code{operating-system} declaration actually exist needed at boot time are listed in @code{initrd-modules} (@pxref{Initial RAM Disk}). Passing this option skips these tests altogether. +@item --allow-downgrades +Instruct @command{guix system reconfigure} to allow system downgrades. + +By default, @command{reconfigure} prevents you from downgrading your +system. It achieves that by comparing the provenance info of your +system (shown by @command{guix system describe}) with that of your +@command{guix} command (shown by @command{guix describe}). If the +commits for @command{guix} are not descendants of those used for your +system, @command{guix system reconfigure} errors out. Passing +@option{--allow-downgrades} allows you to bypass these checks. + +@quotation Note +Make sure you understand its security implications before using +@option{--allow-downgrades}. +@end quotation + @cindex on-error @cindex on-error strategy @cindex error strategy -- cgit 1.4.1
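Review bot: In the hunk at @@ -28388, the added sentence "You can view it by running:" has an unclear antecedent, because it directly follows "@var{file} itself, when available", so "it" reads as the configuration file rather than the provenance meta-data. Naming the object would remove the ambiguity, for example "You can view this provenance information by running:". The example that follows shows the command with no sample output, so a short note on what the reader should expect to see (the channels and their commits) would make the later comparison described under @option{--allow-downgrades} easier to follow.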
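Review bot: In the hunk at @@ -28406, the new paragraph under @command{reconfigure} says it "prevents you from downgrading your system" without saying what counts as a downgrade. The definition (channel commits of @command{guix} that are not descendants of those recorded for the system) only appears several hundred lines later in the @option{--allow-downgrades} entry. Add a half-sentence stating that the check compares channel commits, or a cross-reference to the option's entry, so that a reader who hits the error from @command{reconfigure} can tell from this paragraph why it fired before reaching for the override.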
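Review bot: In the hunk at @@ -28732, the closing @quotation Note tells the reader to "understand its security implications" but never states them in this entry; the only explanation is in the @command{reconfigure} paragraph added by the earlier hunk. Since users typically land on the option entry directly, restate here that a downgrade could (re)introduce security vulnerabilities and cause problems with stateful services, or cross-reference that paragraph. The description also leaves one case open: it says the check compares the system's provenance info with that of the @command{guix} command, but does not say what @command{reconfigure} does when the running system has no provenance info to compare against. Document whether the check is skipped, warns, or errors in that case, since a silently skipped check weakens the guarantee this entry describes.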