From: Brian Zwahr <echosa@echosa.net>
To: 47644@debbugs.gnu.org
Subject: bug#47644: guix on foreign distro won't upgrade, stuck on old commits
Date: Wed, 07 Apr 2021 15:19:54 -0500
Message-ID: <65N7RQ.W0VO8QJ1XR662@echosa.net>
[-- Attachment #1.1: Type: text/plain, Size: 4108 bytes --]
Hi! It was suggested I email this in by someone in the IRC channel. I'm
having an issue where guix always tells me it is "X days old" and that
I should run guix pull/guix upgrade. However, running these commands
does not fix the issue.
guix describe shows:
```
$ guix describe
Generation 9 Mar 25 2021 08:36:11 (current)
guix 3f1b2bd
repository URL: <https://git.savannah.gnu.org/git/guix.git>
branch: master
commit: 3f1b2bd322b6cdba99a43d08e5e8464f7424cbc5
```
Which is, indeed, out of date. IRC folks recommended checking the git
status, so I did:
```
~/.cache/guix/checkouts/pjmkglp4t7znuugeurpurzikxq3tnlaywmisyr27shj7apsnalwq
(master) $ git status
On branch master
Your branch is behind 'origin/master' by 474 commits, and can be
fast-forwarded.
(use "git pull" to update your local branch)
nothing to commit, working tree clean
```
It is, indeed, out of date, but after a guix pull:
```
$ guix pull
Updating channel 'guix' from Git repository at
'<https://git.savannah.gnu.org/git/guix.git>'...
Building from this channel:
guix <https://git.savannah.gnu.org/git/guix.git> 3f1b2bd
Computing Guix derivation for 'x86_64-linux'... |
nothing to be done
```
It doesn't update and still tells me I'm out of date:
```
$ guix upgrade
guix upgrade: warning: Your Guix installation is 13 days old.
guix upgrade: warning: Consider running 'guix pull' followed by
'guix package -u' to get up-to-date packages and security updates.
```
It was suggested that I should run this command:
```
guix pull --commit=02297d3fe680371a4b97b9c1b770932cbdd55615
```
and after doing so, I was then only 1 commit behind instead:
```
~/.cache/guix/checkouts/pjmkglp4t7znuugeurpurzikxq3tnlaywmisyr27shj7apsnalwq
(master) $ git status
On branch master
Your branch is behind 'origin/master' by 1 commit, and can be
fast-forwarded.
(use "git pull" to update your local branch)
nothing to commit, working tree clean
```
However, `guix pull` now gives me a new error about needing to
downgrade:
```
$ guix pull
Updating channel 'guix' from Git repository at
'<https://git.savannah.gnu.org/git/guix.git>'...
guix pull: error: aborting update of channel 'guix' to commit
3f1b2bd322b6cdba99a43d08e5e8464f7424cbc5, which is not a descendant of
02297d3fe680371a4b97b9c1b770932cbdd55615
hint: Use `--allow-downgrades' to force this downgrade.
```
and for some reason, I'm back to being almost 500 commits behind again:
```
~/.cache/guix/checkouts/pjmkglp4t7znuugeurpurzikxq3tnlaywmisyr27shj7apsnalwq
(master) $ git status
On branch master
Your branch is behind 'origin/master' by 477 commits, and can be
fast-forwarded.
(use "git pull" to update your local branch)
nothing to commit, working tree clean
```
even though `guix describe` now seems to be more up-to-date (Apr 7
instead of Mar 25):
```
$ guix describe
Generation 10 Apr 07 2021 14:38:16 (current)
guix 02297d3
repository URL: <https://git.savannah.gnu.org/git/guix.git>
commit: 02297d3fe680371a4b97b9c1b770932cbdd55615
```
As a final attempt to solve this, it was suggested that I run `guix
pull -l 2>&1 | tee pull-generations.log` and email it to this list. I'm
attaching that file here.
Also, after running that command, I'm back to being only 1 commit
behind and still get the downgrade error from `guix pull`:
```
~/.cache/guix/checkouts/pjmkglp4t7znuugeurpurzikxq3tnlaywmisyr27shj7apsnalwq
(master) $ git status
On branch master
Your branch is behind 'origin/master' by 1 commit, and can be
fast-forwarded.
(use "git pull" to update your local branch)
nothing to commit, working tree clean
```
```
$ guix pull
Updating channel 'guix' from Git repository at
'<https://git.savannah.gnu.org/git/guix.git>'...
guix pull: error: aborting update of channel 'guix' to commit
3f1b2bd322b6cdba99a43d08e5e8464f7424cbc5, which is not a descendant of
02297d3fe680371a4b97b9c1b770932cbdd55615
hint: Use `--allow-downgrades' to force this downgrade.
```
For now, I'm trying to avoid doing anything else guix-related, so that
my system is in the same state and can hopefully be diagnosed and fixed.
[-- Attachment #2: pull-generations.log --]
[-- Type: text/x-log, Size: 18060 bytes --]
Generation 1 Mar 16 2021 14:50:54
guix 109f584
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 109f58444beecd1b9b7c502f2a687a6b91c62dc0
Generation 2 Mar 16 2021 15:14:10
guix 109f584
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 109f58444beecd1b9b7c502f2a687a6b91c62dc0
Generation 3 Mar 17 2021 09:24:14
guix d79d63e
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: d79d63e7829d53f6a501d8df7e264ff70033abca
1 new package: lolcode-lci
5 packages upgraded: emacs-marginalia@0.4, gnome-autoar@0.3.1,
komikku@0.27.0, meson@0.57.1, tig@2.5.3
Generation 4 Mar 19 2021 13:05:15
guix 1ab03fb
repository URL: https://git.savannah.gnu.org/git/guix.git
commit: 1ab03fb74505458e7754dce338a5da29dc754d80
5 new packages: countdown, dragon-drop, emacs-kotlin-mode,
libucl, psi
28 packages upgraded: bind@9.16.13, busybox@1.33.0,
cpupower@5.11.7, dhewm3@1.5.1, di@4.49, elixir@1.11.4,
emacs-flymake-shellcheck@0.1-1.ac534e9, emacs-leaf@4.4.4, freefall@5.11.7,
goffice@0.10.49, guile2.2-guix@1.2.0-17.ec7fb66, guix@1.2.0-17.ec7fb66,
java-openmpi@4.1.0, linux-libre-bpf@5.11.7, linux-libre-headers@5.11.7,
linux-libre@5.11.7, openmpi-thread-multiple@4.1.0, openmpi@4.1.0,
perf@5.11.7, ruby-kramdown@2.3.1, srt2vtt@0.2, swi-prolog@8.3.20,
tmon@5.11.7, turbostat@5.11.7, ungoogled-chromium-wayland@89.0.4389.90-1,
ungoogled-chromium@89.0.4389.90-1, vis@0.7, x86-energy-perf-policy@5.11.7
News for channel 'guix'
Update on previous `guix-daemon' local privilege escalation
commit 9ade2b720af91acecf76278b4d9b99ace406781e
The previous news item described a potential local privilege escalation in
`guix-daemon', and claimed that systems with the Linux ``protected
hardlink'' (https://www.kernel.org/doc/Documentation/sysctl/fs.txt) feature
enabled were unaffected by the vulnerability.
This is not entirely correct. Exploiting the bug on such systems is harder,
but not impossible. To avoid unpleasant surprises, all users are advised to
upgrade `guix-daemon'. Run `info "(guix) Upgrading Guix"' for info on how
to do that. See
`https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-gu
ix-daemon/' for more information on this bug.
Risk of local privilege escalation via `guix-daemon'
commit ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf
A security vulnerability that can lead to local privilege escalation has
been found in `guix-daemon'. It affects multi-user setups in which
`guix-daemon' runs locally.
It does _not_ affect multi-user setups where `guix-daemon' runs on a
separate machine and is accessed over the network, via `GUIX_DAEMON_SOCKET',
as is customary on cluster setups. Machines where the Linux ``protected
hardlink'' (https://www.kernel.org/doc/Documentation/sysctl/fs.txt) feature
is enabled, which is common, are also unaffected---this is the case when the
contents of `/proc/sys/fs/protected_hardlinks' are `1'.
The attack consists in having an unprivileged user spawn a build process,
for instance with `guix build', that makes its build directory
world-writable. The user then creates a hardlink within the build directory
to a root-owned file from outside of the build directory, such as
`/etc/shadow'. If the user passed the `--keep-failed' option and the build
eventually fails, the daemon changes ownership of the whole build tree,
including the hardlink, to the user. At that point, the user has write
access to the target file.
You are advised to upgrade `guix-daemon'. Run `info "(guix) Upgrading
Guix"', for info on how to do that. See `https://issues.guix.gnu.org/47229'
for more information on this bug.
Generation 5 Mar 22 2021 09:17:16
guix ee4fc3b
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: ee4fc3b662994e9d041027c4d0799a173a12d35a
30 new packages: fzf, git2cl, go-github-com-akosmarton-papipes,
go-github-com-kisielk-gotool, go-github-com-mesilliac-pulse-simple,
go-github-com-pborman-getopt, go-go-uber-org-atomic,
go-go-uber-org-multierr, go-go-uber-org-zap, go-golang-org-x-lint,
go-honnef-co-go-tools, guile-quickcheck, julia-benchmarktools,
julia-bufferedstreams, julia-http, julia-inifile, julia-jllwrappers,
julia-mbedtls, julia-mbedtls-jll, julia-uris, kappanhang, movim-desktop,
psi-plus, qhttp, qite, r-chromstar, r-chromstardata, r-lsa, r-signac,
usrsctp
48 packages upgraded: abseil-cpp@20200923.3, balsa@2.6.2,
cpupower@5.11.8, drumkv1@0.9.21, emacs-ebuild-mode@1.52, emilua@0.3.0,
fet@5.49.1, fluidsynth@2.1.8, freefall@5.11.8, gnumeric@1.12.49,
guile-lib@0.2.7, guile2.0-lib@0.2.7, guile2.2-lib@0.2.7, haveged@1.9.14,
inxi-minimal@3.3.03-1, inxi@3.3.03-1, jasper@2.0.27, linux-libre-bpf@5.11.8,
linux-libre-headers@5.11.8, linux-libre@5.11.8, mbpfan@2.2.1, msmtp@1.8.15,
nyxt@2-pre-release-6, oil@0.8.8, openresolv@3.12.0, padthv1@0.9.21,
perf@5.11.8, perl-net-http@6.21, poke@1.1, python-httpretty@1.0.5,
python-pikepdf@2.9.1, python-pygithub@1.54.1, qtractor@0.9.21,
rng-tools@6.12, rust-syn@1.0.64, samplv1@0.9.21, sbcl@2.1.2, synthv1@0.9.21,
tmon@5.11.8, turbostat@5.11.8, vim-full@8.2.2632, vim@8.2.2632, wcslib@7.5,
webkitgtk@2.30.6, x86-energy-perf-policy@5.11.8, xfsprogs@5.11.0,
xxd@8.2.2632, youtube-dl@2021.03.14
Generation 6 Mar 23 2021 10:44:55
guix 5802858
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 5802858be335c945a80eb4d3528cc3cd55f2bbbe
4 new packages: disarchive, emacs-ivy-avy, emacs-ivy-hydra,
emacs-password-store-otp
24 packages upgraded: borg@1.1.16, celluloid@0.21, cgal@5.2.1,
cuirass@1.0.0-2.6f4a203, diffoscope@170, efibootmgr@17, emacs-auctex@13.0.5,
fcitx5-qt@5.0.5, gtk-layer-shell@0.6.0, libime@1.0.5, man-pages@5.11,
minetest-mineclone@0.71.0, minetest@5.4.0, mpg123@1.26.5,
perl-moosex-getopt@0.75, python-duniterpy@0.62.0, rpm@4.16.1.3,
rust-env-logger@0.8.3, wesnoth-server@1.14.16, wesnoth@1.14.16,
wildmidi@0.4.4, xcb-imdkit@1.0.3, xchm@1.32, yggdrasil@0.3.16
Generation 7 Mar 23 2021 16:34:52
guix aa13529
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: aa13529baf498362b5d0c2310d1349692f71a260
2 new packages: libheif, snapcast
7 packages upgraded: giac@1.7.0-1,
icecat@78.9.0-guix0-preview1, parallel@20210322, rust-beef@0.5.0,
rust-time@0.2.23, rust-tuikit@0.4.5, skim@0.9.4
Generation 8 Mar 24 2021 09:25:27
guix 55685e4
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 55685e45be072b8b688f5a2bda4fc68147febd3f
5 new packages: cbonsai, java-mxparser, java-xmlpull-api-v1,
libdecaf, python-pylibacl
7 packages upgraded: bcunit@3.0.2-0.74021cc,
bitcoin-core@0.21.0, ccache@4.2, gnuradio-iqbalance@0.38.2-0.fbee239,
gnuradio-osmosdr@0.2.3-0.a100eb0, gnuradio@3.9.0.0, java-xstream@1.4.16
Generation 9 Mar 25 2021 08:36:11
guix 3f1b2bd
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 3f1b2bd322b6cdba99a43d08e5e8464f7424cbc5
9 new packages: cl-html-template, cl-quickproject, drawing,
ecl-html-template, ecl-quickproject, emacs-vterm-toggle, gsequencer,
sbcl-html-template, sbcl-quickproject
15 packages upgraded: cpupower@5.11.9, emacs-git-gutter@0.91,
exo@4.16.1, freefall@5.11.9, linux-libre-bpf@5.11.9,
linux-libre-headers@5.11.9, linux-libre@5.11.9, perf@5.11.9, thunar@4.16.6,
tmon@5.11.9, turbostat@5.11.9, x86-energy-perf-policy@5.11.9,
xfce4-battery-plugin@1.1.4, xfce4-netload-plugin@1.4.0,
xfce4-systemload-plugin@1.3.1
Generation 10 Apr 07 2021 14:38:16 (current)
guix 02297d3
repository URL: https://git.savannah.gnu.org/git/guix.git
commit: 02297d3fe680371a4b97b9c1b770932cbdd55615
106 new packages: build, camlidl, cfm, cl-bodge-math,
cl-bodge-utilities, cl-conspack, cl-cpus, cl-opengl, cl-rtg-math, cl-shadow,
cl-umbra, cli, dream, ecl-bodge-math, ecl-bodge-utilities, ecl-cl-conspack,
ecl-cl-cpus, ecl-cl-opengl, ecl-rtg-math, ecl-shadow, ecl-umbra,
emacs-cascading-dir-locals, emacs-julia-repl, emacs-julia-snail,
emacs-nice-citation, emacs-relative-buffers, emacs-sdcv, emacs-showtip,
entt, go-gitlab.com-shackra-goimapnotify, gpart, guile-imanifest, hikari,
interception-dual-function-keys, interception-tools, jami-gnome, jami-qt,
julia-abstractffts, julia-calculus, julia-chainrules, julia-chainrulescore,
julia-chainrulestestutils, julia-colors, julia-colortypes,
julia-commonsubexpressions, julia-compilersupportlibraries-jll,
julia-constructionbase, julia-diffresults, julia-diffrules, julia-difftests,
julia-example, julia-fillarrays, julia-finitedifferences, julia-forwarddiff,
julia-irtools, julia-macrotools, julia-nanmath, julia-openspecfun-jll,
julia-reexport, julia-requires, julia-richardson, julia-specialfunctions,
julia-staticarrays, julia-unitful, julia-zygote, julia-zygoterules, libcutl,
librasterlite2, libxlsxwriter, libxsd-frontend, lime, linphone-desktop,
mandoc, node-wrappy, opensmtpd-filter-rspamd, pt-scotch-shared,
python-flake8-continuation, python-flake8-quotes, python-matrix-client,
python-smartypants, python-typogrify, python-urwid-readline, python-zulip,
r-gsa, r-samr, rust-endian-type, rust-hamcrest2, rust-nibble-vec,
rust-radix-trie, sbcl-bodge-math, sbcl-bodge-utilities, sbcl-cl-conspack,
sbcl-cl-cpus, sbcl-cl-opengl, sbcl-rtg-math, sbcl-shadow, sbcl-umbra,
scotch-shared, texlive-bera, texlive-fontaxes, texlive-fourier,
texlive-mathdesign, texlive-utopia, welle-io, xsd, zulip-term
270 packages upgraded: american-fuzzy-lop@2.57b, asio@1.18.1,
autocutsel@0.10.1, autofs@5.1.7, avidemux@2.7.8, babl@0.1.86,
bcachefs-static@0.1-4.bb6eccc, bcachefs-tools-static@0.1-4.bb6eccc,
bcachefs-tools@0.1-4.bb6eccc, bctoolbox@4.4.34, belcard@4.4.34,
belle-sip@4.4.34, belr@4.4.34, bitcoin-unlimited@1.9.1.1, butt@0.1.29,
bzrtp@4.4.34, ccls@0.20201219, cl-golden-utils@0.0.0-2.62a5cb9,
cl-ironclad@0.55, cl-postmodern@1.32.9, cl-webkit@2.4-13.db85563,
containerd@1.4.4, corkscrew@2.0-0.268b71e, cpupower@5.11.11, crypto++@8.5.0,
cryptsetup-static@2.3.5, cryptsetup@2.3.5, cuirass@1.0.0-7.1b35a77,
curl@7.76.0, di@4.50, diffoscope@172, doctest@2.4.6, drumstick@2.1.1,
ecl-cl-webkit@2.4-13.db85563, ecl-golden-utils@0.0.0-2.62a5cb9,
ecl-ironclad@0.55, ecl-postmodern@1.32.9,
emacs-all-the-icons-dired@1.0-2.fc2dfa1, emacs-auctex@13.0.6,
emacs-ggtags@0.9.0, emacs-gif-screencast@1.2,
emacs-imenu-list@0.9-1.b502223, emacs-minimal@27.2, emacs-no-x-toolkit@27.2,
emacs-no-x@27.2, emacs-ob-sclang@20210329, emacs-org-contrib@20210329,
emacs-org-roam@1.2.3-0.8ad57b1, emacs-org@9.4.5, emacs-posframe@0.9.0,
emacs-tramp@2.5.0.3, emacs-wide-int@27.2, emacs-xwidgets@27.2, emacs@27.2,
facter@4.0.52, fetchmail@6.4.18, flite@2.2, foo2zjs@20200610.1,
freefall@5.11.11, gegl@0.4.28, git-annex@8.20210330, git-lfs@2.13.3,
git-minimal@2.31.1, git@2.31.1, gnu-efi@3.0.13,
go-github-com-sirupsen-logrus@1.8.1, gphoto2@2.5.27, gptfdisk@1.0.7,
gramps@5.1.3, grokmirror@2.0.8, guile2.2-guix@1.2.0-19.8f9052d,
guix-build-coordinator@0-21.6e7e63f, guix-data-service@0.0.1-26.410f58c,
guix@1.2.0-19.8f9052d, hnsd@1.0.0, icedove-wayland@78.9.0, icedove@78.9.0,
ilmbase@2.5.5, imagemagick@6.9.12-4, ircii@20210314, knot-resolver@5.3.1,
knot@3.0.5, krita@4.4.3, libaom@3.0.0, libgphoto2@2.5.27,
libinstpatch@1.1.6, liblinphone@4.4.34, libpano13@2.9.20_rc3,
libring@20210326.1.cfba013, libringclient@20210326.1.cfba013,
librsvg@2.50.3, libupnp@1.14.4, libvirt-glib@4.0.0, libvirt@7.2.0,
links@2.22, linux-libre-bpf@5.11.11, linux-libre-headers@5.11.11,
linux-libre@5.11.11, lldpd@1.0.9, mame@0.230, mediastreamer2@4.4.34,
mgba@0.9.0, minicom@2.8, mousepad@0.5.4, mpop@1.4.13, mpv@0.33.1,
msamr@1.1.3-0.5ab5c09, msopenh264@1.2.1-0.88697cc, mssilk@1.1.1-0.dd0f31e,
mswebrtc@1.1.1-0.946ca70, mumi@0.0.1-5.9f070bd, neomutt@20210205,
nettle@3.7.2, nginx-documentation@1.19.9-2696-f85798c1c70a, nginx@1.19.9,
nnn@3.6, node@14.16.0, nq@0.4, ntl@11.4.4, nushell@0.29.0, nyacc@1.03.6,
opendht@2.2.0rc4, openexr@2.5.5, openssl@1.1.1k, ortp@4.4.34,
pam-mount@2.18, perf@5.11.11, perl-crypt-rijndael@1.16,
perl-data-validate-ip@0.30, perl-digest-hmac@1.04, perl-moose@2.2015,
perl-net-cidr-lite@0.22, perl-net-dns@1.30, perl-params-util@1.102,
perl-path-tiny@0.118, perl-pdf-api2@2.039, perl-scalar-list-utils@1.56,
perl-test-output@1.033, pidgin@2.14.2, pjproject@2.11, plink-ng@2.00a2.3,
psm2@11.2.185, python-astor@0.8.1, python-backcall@0.2.0,
python-beautifulsoup4@4.9.3, python-django@3.1.8, python-dropbox@11.5.0,
python-flake8@3.9.0, python-icalendar@4.0.7, python-ipaddress@1.0.23,
python-libvirt@7.2.0, python-pikepdf@2.10.0, python-poppler-qt5@21.1.0,
python-pycodestyle@2.7.0, python-pyflakes@2.3.1, python-pyserial@3.5,
python-pytest-flake8@1.0.7, python-pytz@2021.1, python-pytzdata@2020.1,
python-pyzmq@22.0.3, python-soupsieve@2.2.1, python-tabulate@0.8.9,
python-toml@0.10.2, python-tornado@6.1, python-urwid@2.1.2,
python2-astor@0.8.1, python2-beautifulsoup4@4.9.3, python2-flake8@3.9.0,
python2-ipaddress@1.0.23, python2-libvirt@7.2.0, python2-pycodestyle@2.7.0,
python2-pyflakes@2.3.1, python2-pyserial@3.5, python2-pytz@2021.1,
python2-pytzdata@2020.1, python2-pyzmq@22.0.3, python2-tabulate@0.8.9,
qrencode@4.1.1, quickjs@2021-03-27, restbed@4.7, restinio@0.6.13,
rtl8812au-aircrack-ng-linux-module@5.6.4.2-4.059e06a, runc@1.0.0-rc93,
rust-lopdf@0.26.0, rust-nix@0.20.0, rust-nu-ansi-term@0.29.0,
rust-nu-cli@0.29.0, rust-nu-command@0.29.0, rust-nu-data@0.29.0,
rust-nu-engine@0.29.0, rust-nu-errors@0.29.0, rust-nu-json@0.29.0,
rust-nu-parser@0.29.0, rust-nu-plugin-binaryview@0.29.0,
rust-nu-plugin-chart@0.29.0, rust-nu-plugin-fetch@0.29.0,
rust-nu-plugin-from-bson@0.29.0, rust-nu-plugin-from-sqlite@0.29.0,
rust-nu-plugin-inc@0.29.0, rust-nu-plugin-match@0.29.0,
rust-nu-plugin-post@0.29.0, rust-nu-plugin-ps@0.29.0,
rust-nu-plugin-s3@0.29.0, rust-nu-plugin-selector@0.29.0,
rust-nu-plugin-start@0.29.0, rust-nu-plugin-sys@0.29.0,
rust-nu-plugin-textview@0.29.0, rust-nu-plugin-to-bson@0.29.0,
rust-nu-plugin-to-sqlite@0.29.0, rust-nu-plugin-tree@0.29.0,
rust-nu-plugin-xpath@0.29.0, rust-nu-plugin@0.29.0, rust-nu-protocol@0.29.0,
rust-nu-source@0.29.0, rust-nu-stream@0.29.0, rust-nu-table@0.29.0,
rust-nu-test-support@0.29.0, rust-nu-value-ext@0.29.0, rust-rand-core@0.6.2,
rust-rocket-codegen@0.4.7, rust-rocket-http@0.4.7, rust-rocket@0.4.7,
rust-rustyline@8.0.0, rust-smallvec@1.6.1, rust@1.51.0, saga@7.9.0,
sbcl-cl-webkit@2.4-13.db85563, sbcl-golden-utils@0.0.0-2.62a5cb9,
sbcl-ironclad@0.55, sbcl-postmodern@1.32.9, sbcl@2.1.3, sg3-utils@1.46,
skopeo@1.2.2, spatialite-gui@2.1.0-beta1, spdlog@1.8.5, sqlite@3.32.3,
strawberry@0.9.2, stunnel@5.59, suitesparse@5.9.0, svt-hevc@1.5.0,
synapse@1.29.0, terminator@2.1.1, tippecanoe@1.36.0, tmon@5.11.11,
turbostat@5.11.11, txr@255, tzdata@2021a, ugrep@3.1.11, umoci@0.4.7,
urlscan@0.9.6, vim-asyncrun@2.8.5, vim-full@8.2.2689, vim@8.2.2689,
vips@8.10.6, virt-manager@3.2.0, vmpk@0.8.2, vsftpd@3.0.3-32.el8, vtk@9.0.1,
wavpack@5.4.0, waybar@0.9.5, webkitgtk@2.32.0, wireguard-tools@1.0.20210315,
wla-dx@9.12, wsjtx@2.3.1, x86-energy-perf-policy@5.11.11, xscreensaver@5.45,
xxd@8.2.2689, youtube-dl@2021.04.01, zabbix-agentd@5.2.6,
zabbix-server@5.2.6
News for channel 'guix'
Risk of local privilege escalation during user account creation
commit 2161820ebbbab62a5ce76c9101ebaec54dc61586
A security vulnerability that can lead to local privilege escalation has
been found in the code that creates user accounts on Guix System---Guix on
other distros is unaffected. The system is only vulnerable during the
activation of user accounts that do not already exist.
This bug is fixed and Guix System users are advised to upgrade their system,
with a command along the lines of:
guix system reconfigure /run/current-system/configuration.scm
The attack can happen when `guix system reconfigure' is running. Running
`guix system reconfigure' can trigger the creation of new user accounts if
the configuration specifies new accounts. If a user whose account is being
created manages to log in after the account has been created but before
``skeleton files'' copied to its home directory have the right ownership,
they may, by creating an appropriately-named symbolic link in the home
directory pointing to a sensitive file, such as `/etc/shadow', get root
privileges.
See `https://issues.guix.gnu.org/47584' for more information on this bug.
New supported platform: powerpc64le-linux
commit e52ec6c64a17a99ae4bb6ff02309067499915b06
A new platform, powerpc64le-linux, has been added for little-endian 64-bit
Power ISA processors using the Linux-Libre kernel. This includes POWER9
systems such as the RYF Talos II mainboard
(https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now
-fsf-certified-to-respect-your-freedom). This platform is available as a
"technology preview": although it is supported, substitutes are not yet
available from the build farm, and some packages may fail to build. In
addition, Guix System is not yet available on this platform. That said, the
Guix community is actively working on improving this support, and now is a
great time to try it and get involved!
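The `not a descendant` error quoted in the message above is a guard against moving a channel backwards in history. As an added illustration (not part of the original message and not Guix's own code), the shell function below performs the same kind of ancestry check with `git merge-base --is-ancestor`; the function names and the demo repository with its `old`, `mid`, `new` and `fork` tags are constructed for the example.

```shell
#!/bin/sh
# Added example: classify a proposed update from CURRENT to TARGET in a
# Git checkout, as a downgrade guard would. All names here are constructed.

# classify_update REPO CURRENT TARGET
# Prints one of: up-to-date, fast-forward, downgrade, diverged, unknown.
classify_update() {
    repo=$1
    cur=$(git -C "$repo" rev-parse --verify --quiet "$2^{commit}") || { echo unknown; return 0; }
    tgt=$(git -C "$repo" rev-parse --verify --quiet "$3^{commit}") || { echo unknown; return 0; }
    if [ "$cur" = "$tgt" ]; then
        echo up-to-date
    elif git -C "$repo" merge-base --is-ancestor "$cur" "$tgt"; then
        echo fast-forward   # TARGET descends from CURRENT: safe to apply
    elif git -C "$repo" merge-base --is-ancestor "$tgt" "$cur"; then
        echo downgrade      # TARGET is older history: refuse unless forced
    else
        echo diverged       # neither contains the other: also refuse
    fi
}

# _demo_commit DIR LABEL: add an empty commit and tag it LABEL.
_demo_commit() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "$2"
    git -C "$1" tag "$2"
}

# make_demo_repo DIR: constructed history
#   old -- mid -- new
#     \
#      fork
make_demo_repo() {
    git init -q "$1"
    _demo_commit "$1" old
    _demo_commit "$1" mid
    _demo_commit "$1" new
    git -C "$1" checkout -q -b side old
    _demo_commit "$1" fork
}

# Stand-alone demonstration on the constructed repository.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_repo "$demo_dir"
for pair in "old new" "new old" "new fork" "new new"; do
    set -- $pair
    printf '%s -> %s: %s\n' "$1" "$2" "$(classify_update "$demo_dir" "$1" "$2")"
done
```

On a real installation, REPO would be the checkout directory under `~/.cache/guix/checkouts/`, with the two commit ids from the error message passed as CURRENT and TARGET.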