From: Mark H Weaver
To: Raghav Gururajan, Guix Devel
Cc: Leo Prikler
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Wed, 21 Apr 2021 22:41:49 -0400
Message-ID: <87tunz11mf.fsf@netris.org>

Hi Raghav,

Raghav Gururajan writes:

>> Raghav Gururajan has pushed another misleading "cosmetic changes"
>> commit. [...]
>> This one is *far* worse than the examples I gave before.
>> This one removes the security fixes for CVE-2018-19876 and
>> cairo-CVE-2020-35492 that I had applied in commit
>> bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.
>
> The commit is not new. I cherry-picked from core-updates
> (993de472ed3dfe90e1c4110b6b910c1f74d243ff), which was pushed as a part
> of #42958.
>
>> Behold, Raghav's "cosmetic changes" to our 'cairo' package:
> The commit is also not new. I cherry-picked from core-updates
> (f94cdc86f644984ca83164d40b17e7eed6e22091), which was pushed as a part
> of #42958.

Those commits on 'core-updates' were digitally signed by Léo Le Bouter
and have the same problems: they remove security fixes, and yet the
summary lines indicate that only "cosmetic changes" were made.

I'm sorry to say that your responses have done nothing to allay my
concerns.

     Mark