The original patch disabled it only when updating cached checkouts, but the disabling persisted afterwards, making it stateful. To avoid statefulness, it is disabled during with-libgit2 instead.
For compatibility with guile-git versions that do not yet have set-owner-validation!, the setting is skipped when set-owner-validation! does not exist. * guix/git.scm (update-cached-checkout): Disable owner validation checks. Co-Authored-By: André Batista <[email protected]> --- guix/git.scm | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/guix/git.scm b/guix/git.scm index 53e7219c8c..0fe6e65549 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2021 Kyle Meyer <[email protected]> ;;; Copyright © 2021 Marius Bakke <[email protected]> ;;; Copyright © 2022 Maxime Devos <[email protected]> +;;; Copyright © 2022 André Batista <[email protected]> ;;; ;;; This file is part of GNU Guix. ;;; @@ -23,6 +24,7 @@ (define-module (guix git) #:use-module (git) #:use-module (git object) + #:use-module (git settings) #:use-module (git submodule) #:use-module (guix i18n) #:use-module (guix base32) 
@@ -117,6 +119,16 @@ (define-syntax-rule (with-libgit2 thunk ...) ;; but pointer finalizers used in guile-git may be called after shutdown, ;; resulting in a segfault. Hence, let's skip shutdown call for now. (libgit2-init!) + ;; [email protected] ‘fixed’ a git CVE it never shared, breaking some uses + ;; of Guix channels (see <https://issues.guix.gnu.org/55399>). Disable + ;; the owner validation that does not fit in the security model in Guix. + ;; + ;; For compatibility with old guile-git that do not have + ;; 'set-owner-validation!', do nothing if 'set-owner-validation!' + ;; does not exist. + ((catch 'unbound-variable + (lambda () set-owner-validation!) + (lambda _ identity)) #false) (unless %certificates-initialized? (honor-system-x509-certificates!) (set! %certificates-initialized? #t)) base-commit: d519305d83d08058e4def2c4d72fe62102d9599d prerequisite-patch-id: 62949e6148bb8aae2f792aaf4d54f2a136351d28 prerequisite-patch-id: 72191ec47cb3876c5fcd6233880dea7dfc1b165f prerequisite-patch-id: bbfd96d673e491ddd684e8270c90347547dceaa5 prerequisite-patch-id: fbdac7446d0c3f529f313f89cb9ba975d469d7ac prerequisite-patch-id: d0a5804a92d868c5ee6726e6e0555a8af25e442c -- 2.37.1
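Review bot: In the `(define-module (guix git)` hunk, `#:use-module (git settings)` is imported unconditionally, while the compatibility fallback in the `with-libgit2` hunk only covers a missing `set-owner-validation!` binding. If a supported guile-git release does not ship the `(git settings)` module at all, loading `(guix git)` fails before the `catch 'unbound-variable` is ever reached. Either state in the commit message that every supported guile-git provides `(git settings)`, or resolve the module lazily so that a missing module is handled the same way as a missing binding.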
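Review bot: In the `with-libgit2` hunk, `((catch 'unbound-variable ...) #false)` runs on every use of the macro, so owner validation is switched off for all libgit2 operations in the process and is never switched back on. That is wider than the `update-cached-checkout` named in the changelog line `* guix/git.scm (update-cached-checkout): ...`, which should name `with-libgit2` instead. The code comment should say which ownership check is being disabled and why it "does not fit in the security model in Guix", since the issue URL and an unnamed CVE give a later reader nothing to audit against. The fallback `(lambda _ identity)` also hides the case where guile-git is too old: nothing is reported, so the breakage from issue 55399 would persist silently. Consider emitting a warning on that path.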
