From: Mark H Weaver
To: Raghav Gururajan, Guix Devel
Subject: Re: A "cosmetic changes" commit that removes security fixes
References: <87tunz11mf.fsf@netris.org>
Date: Thu, 22 Apr 2021 00:33:07 -0400
Message-ID: <87o8e70wgx.fsf@netris.org>
Cc: Leo Prikler

Hi Raghav,

Raghav Gururajan writes:

> Okay, I was able to retrace. When Leo and I were working outside
> savannah, there was master --> core-updates merge. Leo made these
> changes when he committed to his repo
> (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I
> pulled then format-patched and sent it to guix-patches
> (https://issues.guix.gnu.org/42958#64). From guix-patches it was then
> pushed to core-updates (https://issues.guix.gnu.org/42958#67), from
> where I cherry-picked into wip-gnome.
>
> It seems Leo made these for ungrafting. I am not familiar with ungrafting,
> so I have to let Leo explain.
>
> P.S
> The commit title for these commits were initially "Ungraft and make some
> cosmetic changes.", I must have screwed up the title while moving the
> patches. For that my apologies.
>
> [1]
> https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008
> [2]
> https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50

Both of these patches have all of the same problems. The only
difference is that their summary lines say "Ungraft and make some
cosmetic changes."

(1) These original summary lines are still misleading, because "ungraft"
    means to integrate the fixes from the replacement into the original,
    but here, the fixes are simply being deleted.

(2) These original commit logs are still misleading, for the same reason
    I gave in my previous reply.

(3) The 'cairo' commit still re-introduces security flaws into our
    'cairo' package.

What worries me as much as anything is that your responses so far seem
to indicate that you are failing to understand what you and Léo have
done wrong here.

     Mark