From b8d4c323f5d089dd800b358143d5bae26c965404 Mon Sep 17 00:00:00 2001 From: "pelzflorian (Florian Pelz)" Date: Sat, 19 Nov 2022 13:09:31 +0100 Subject: [PATCH] doc: Call out potential for security vulnerabilities in old software. * doc/guix.texi (Invoking guix time-machine): Add a note. Co-authored by: Simon Tournier --- doc/guix.texi | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 9155b605f2..c0cb24d709 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -60,7 +60,7 @@ Copyright @copyright{} 2018, 2021 Oleg Pykhalov@* Copyright @copyright{} 2018 Mike Gerwitz@* Copyright @copyright{} 2018 Pierre-Antoine Rouby@* Copyright @copyright{} 2018, 2019 Gábor Boskovits@* -Copyright @copyright{} 2018, 2019, 2020 Florian Pelz@* +Copyright @copyright{} 2018, 2019, 2020, 2022 Florian Pelz@* Copyright @copyright{} 2018 Laura Lazzati@* Copyright @copyright{} 2018 Alex Vong@* Copyright @copyright{} 2019 Josh Holland@* @@ -4834,6 +4834,15 @@ invocation can be expensive: it may have to download or even build a large number of packages; the result is cached though and subsequent commands targeting the same commit are almost instantaneous. +@quotation Note +The history of Guix is immutable and @command{guix time-machine} +provides the exact same software as they are in a specific Guix +revision. Naturally, no security fixes are provided for old versions +of Guix or its channels. A careless use of @command{guix time-machine} +opens the door to security vulnerabilities. @xref{Invoking guix pull, +@option{--allow-downgrades}}. +@end quotation + The general syntax is: @example
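Review bot: In the second hunk (the new @quotation Note under "Invoking guix time-machine"), the closing "@xref{Invoking guix pull, @option{--allow-downgrades}}." is given without saying why the reader should follow it, so the link between that option and the security warning is left implicit. Add a clause before it that states the connection. In the same note, "provides the exact same software as they are in a specific Guix revision" has a number mismatch between "software" and "they are"; "as it is in a specific Guix revision" reads correctly. "A careless use" is also left undefined: the note says old revisions get no security fixes, but does not tell the reader what to do about it, and one sentence of guidance would make the warning actionable.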