From: Maxim Cournoyer
To: Léo Le Bouter
Cc: Guix Devel, Leo Prikler, "Sou Bunnbu (宋文武)", Raghav Gururajan
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Fri, 23 Apr 2021 13:52:23 -0400
Message-ID: <87o8e4zy5k.fsf@gmail.com>
In-Reply-To: <87czumypz3.fsf@netris.org> (Mark H. Weaver's message of "Thu, 22 Apr 2021 17:21:41 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

Mark H Weaver writes:

> Hi Léo,
>
> Léo Le Bouter writes:
>
>> I don't share your analysis, the security fixes weren't stripped because
>> glib/cairo was also updated to latest version in subsequent commits
>> which were pushed all at once.
>
> 'glib' was updated, but 'cairo' wasn't, presumably because there's no
> newer stable release of 'cairo' to update to.

Actually, there *is* a "new" stable release available on their release
page, 1.17.2 [0]. According to NVD [1], that latest version has no known
CVE [1].

Léo, could it be that you had planned to do this update, but it somehow
fell into the cracks?

In any case I agree with the others that it'd have been better to
ungraft/remove patches in the same commit that updates the software to a
version that incorporates the fixes, as I'm sure you already know: it'd
have prevented this kind of situation.

I also urge you to remain calm and collaborative even in the face of
criticism; as Ricardo said, escalating things will lead us nowhere good.
Honest mistakes are made and that's no problem so long as we stand ready
to apologize for them and work together for a resolution.

I see that 宋文武 has pushed a commit
(2ab4f4c950ffa7ca40271a534cb3bed997672138) to core-updates reinstating
the security patches; thanks!

Thank you,

Maxim

[0] https://www.cairographics.org/releases/
[1] https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:cairographics:cairo:-:*:*:*:*:*:*:*