From: Léo Le Bouter
To: Maxim Cournoyer
Cc: Mark H Weaver, Raghav Gururajan, Guix Devel, Leo Prikler, Sou Bunnbu
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Fri, 23 Apr 2021 20:50:37 +0200
Message-ID: <5cbbfa9b258fb28beb9288685ccc85b4d015cd8a.camel@zaclys.net>
In-Reply-To: <87o8e4zy5k.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Fri, 2021-04-23 at 13:52 -0400, Maxim Cournoyer wrote:
> Actually, there *is* a "new" stable release available on their release
> page, 1.17.2 [0]
>
> According to NVD [1], that latest version has no known CVE [1].
>
> Léo, could it be that you had planned to do this update, but it somehow
> fell into the cracks?  In any case I agree with the others that it'd
> have been better to ungraft/remove patches in the same commit that
> updates the software to a version that incorporates the fixes, as I'm
> sure you already know: it'd have prevented this kind of situation.

Considering the GNOME upgrade is not finished yet, this is indeed
ongoing work. I would've never done this on master.

>
> I also urge you to remain calm and collaborative even in the face of
> criticism; as Ricardo said, escalating things will lead us nowhere good.
> Honest mistakes are made and that's no problem so long as we stand ready
> to apologize for them and work together for a resolution.
>

I think there is no problem in accepting criticism but there is a
certain way Mark presents criticism and I don't feel like I can respond
to it when it is written in such a way.

Over several emails Mark was looking to point to people who were
somehow responsible for whatever "damage" for changes that happened on
a branch nobody uses and always contains ongoing work (core-updates),
so maintaining it security-wise is not as much of a question.

The result is that we have a long thread of people responding etc.
causing a fuss over something that just needs to be fixed rather than
find whoever is somehow "responsible". I feel like we're collectively
responsible.

We try our best at all times. During this GNOME upgrade I also tried to
take into account Raghav's feelings so they do not give up and have a
rewarding review experience. I knew these commits weren't great; I have
written about it here: <https://issues.guix.gnu.org/42958#67>.

> I see that 宋文武 has pushed a commit
> (2ab4f4c950ffa7ca40271a534cb3bed997672138) to core-updates reinstating
> the security patches; thanks!
>

Great! Thanks for figuring this out.

> Thank you,
>
> Maxim
>
> [0] https://www.cairographics.org/releases/
> [1] https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:cairographics:cairo:-:*:*:*:*:*:*:*

Léo