From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id p7hgFjT3gGC+9AAAgWs5BA (envelope-from ) for ; Thu, 22 Apr 2021 06:10:28 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id QIoaETT3gGApZAAA1q6Kng (envelope-from ) for ; Thu, 22 Apr 2021 04:10:28 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 1E95926090 for ; Thu, 22 Apr 2021 06:10:28 +0200 (CEST) Received: from localhost ([::1]:52088 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lZQfb-0004yP-9q for larch@yhetil.org; Thu, 22 Apr 2021 00:10:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:37888) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lZQfC-0004v0-NC for guix-devel@gnu.org; Thu, 22 Apr 2021 00:10:02 -0400 Received: from world.peace.net ([64.112.178.59]:36436) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lZQfA-0001NW-8J for guix-devel@gnu.org; Thu, 22 Apr 2021 00:10:02 -0400 Received: from mhw by world.peace.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lZQf3-0002Kk-P7; Thu, 22 Apr 2021 00:09:53 -0400 From: Mark H Weaver To: Raghav Gururajan , Guix Devel Subject: Re: A "cosmetic changes" commit that removes security fixes In-Reply-To: References: <87tunz11mf.fsf@netris.org> Date: Thu, 22 Apr 2021 00:08:04 -0400 Message-ID: <87r1j30xmo.fsf@netris.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@netris.org; helo=world.peace.net X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Leo Prikler Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -4.00 Authentication-Results: aspmx1.migadu.com; none X-Migadu-Queue-Id: 1E95926090 X-Spam-Score: -4.00 X-Migadu-Scanner: scn0.migadu.com X-TUID: fPiI8j2r8SIv Hi Raghav, Raghav Gururajan writes: >> Those commits on 'core-updates' were digitally signed by L=C3=A9o Le Bou= ter >> and have the same problems: they remove security >> fixes, and yet the summary lines indicate that only "cosmetic changes" >> were made. > > Yeah, the commit title didn't mention the change but the commit message d= id. I'm sorry, but that won't do. There are at least three things wrong with these commits: (1) The summary lines were misleading, because they implied that no functional changes were made. (2) The commit messages were misleading, because they failed to mention that security holes which had previously been fixed were now being re-introduced. That wasn't at all obvious. Commits like these, which remove patches that had fixed security flaws, are fairly common: someone casually looking over the commit log might assume that the patches could be safely removed because a version update was done at the same time, rendering those patches obsolete. (3) Although your 'glib' commit was immediately followed by a 'glib' update, rendering it harmless, your misleading 'cairo' commit left 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our 'core-updates' and 'wip-gnome' branches. Those will need to be fixed now. L=C3=A9o Le Bouter is also culpable here, because he digitally signed the misleading 'cairo' commit that's on our 'core-updates' branch, which re-introduced CVE-2018-19876 and CVE-2020-35492. --8<---------------cut here---------------start------------->8--- commit f94cdc86f644984ca83164d40b17e7eed6e22091 gpg: Signature made Fri 26 Mar 2021 05:13:57 PM EDT gpg: using RSA key 148BCB8BD80BFB16B1DE0E9145A8B1E86BCD10A6 gpg: Good signature from "L=C3=A9o Le Bouter " [unknow= n] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owne= r. Primary key fingerprint: 148B CB8B D80B FB16 B1DE 0E91 45A8 B1E8 6BCD 10A6 Author: Raghav Gururajan Date: Fri Dec 4 00:48:43 2020 -0500 gnu: cairo: Make some cosmetic changes. =20=20=20=20 * gnu/packages/patches/cairo-CVE-2018-19876.patch, gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches. * gnu/local.mk (dist_patch_DATA): Unregister them. * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. [replacement]: Remove. (cairo/fixed): Remove. =20=20=20=20 Signed-off-by: L=C3=A9o Le Bouter --8<---------------cut here---------------end--------------->8--- https://git.sv.gnu.org/cgit/guix.git/commit/?h=3Dcore-updates&id=3Df94cdc86= f644984ca83164d40b17e7eed6e22091 Even the most superficial skimming of this commit should have immediately raised red flags, because the summary line is clearly inaccurate. It shows a lack of careful review, to put it mildly. Mark