From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:bcc0::])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id eO3iKir9gGBzFAEAgWs5BA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 22 Apr 2021 06:35:54 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id oDVjJir9gGA2IwAAbx9fmQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 22 Apr 2021 04:35:54 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 7594B26EDA
	for <larch@yhetil.org>; Thu, 22 Apr 2021 06:35:54 +0200 (CEST)
Received: from localhost ([::1]:42980 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1lZR4D-0002qi-GE
	for larch@yhetil.org; Thu, 22 Apr 2021 00:35:53 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:44414)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mhw@netris.org>) id 1lZR3S-0002g2-KN
 for guix-devel@gnu.org; Thu, 22 Apr 2021 00:35:06 -0400
Received: from world.peace.net ([64.112.178.59]:36476)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mhw@netris.org>) id 1lZR3Q-0007pn-LA
 for guix-devel@gnu.org; Thu, 22 Apr 2021 00:35:06 -0400
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@netris.org>)
 id 1lZR3I-000423-Vd; Thu, 22 Apr 2021 00:34:57 -0400
From: Mark H Weaver <mhw@netris.org>
To: Raghav Gururajan <rg@raghavgururajan.name>, Guix Devel <guix-devel@gnu.org>
Subject: Re: A "cosmetic changes" commit that removes security fixes
In-Reply-To: <f455b64e-0adc-b422-b667-a19c14ac76e9@raghavgururajan.name>
References: <ce4433a6-949d-4bd2-0343-5a7d640403fd@raghavgururajan.name>
 <87tunz11mf.fsf@netris.org>
 <b2b037d1-3acf-fdb6-aab1-c85e36c747a1@raghavgururajan.name>
 <f455b64e-0adc-b422-b667-a19c14ac76e9@raghavgururajan.name>
Date: Thu, 22 Apr 2021 00:33:07 -0400
Message-ID: <87o8e70wgx.fsf@netris.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@netris.org;
 helo=world.peace.net
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Cc: Leo Prikler <leo.prikler@student.tugraz.at>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-Spam-Score: -4.00
Authentication-Results: aspmx1.migadu.com;
	none
X-Migadu-Queue-Id: 7594B26EDA
X-Spam-Score: -4.00
X-Migadu-Scanner: scn0.migadu.com
X-TUID: OZS5Zuy7I5xB

Hi Raghav,

Raghav Gururajan <rg@raghavgururajan.name> writes:

> Okay, I was able to retrace. When Leo and I were working outside=20
> savannah, there was master --> core-updates merge. Leo made these=20
> changes when he committed to his repo=20
> (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I=20
> pulled then format-patched and sent it to guix-patches=20
> (https://issues.guix.gnu.org/42958#64). From guix-patches it was then=20
> pushed to core-updates (https://issues.guix.gnu.org/42958#67), from=20
> where I cherry-picked into wip-gnome.
>
> It seems Leo made these for ungrafting. I not familiar with ungrafting,=20
> so I have to let Leo explain.
>
> P.S
> The commit title for these commits were initially "Ungraft and make some=
=20
> cosmetic changes.", I must have screwed up the tile while moving the=20
> patches. For that my apologies.
>
> [1]=20
> https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77ca=
cfe0008
> [2]=20
> https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c=
08d2d50

Both of these patches have all of the same problems.  The only
difference is that their summary lines say "Ungraft and make some
cosmetic changes."

(1) These original summary lines are still misleading, because "ungraft"
    means to integrate the fixes from the replacement into the original,
    but here, the fixes are simply being deleted.

(2) These original commit logs are still misleading, for the same reason
    I gave in my previous reply.

(3) The 'cairo' commit still re-introduces security flaws into our
    'cairo' package.

What worries me as much as anything is that your responses so far seem
to indicate that you are failing to understand what you and L=C3=A9o have
done wrong here.

       Mark