From: "Léo Le Bouter" <lle-bout@zaclys.net>
To: Mark H Weaver <mhw@netris.org>,
Raghav Gururajan <rg@raghavgururajan.name>,
Guix Devel <guix-devel@gnu.org>
Cc: Tobias Geerinckx-Rice <me@tobias.gr>,
Leo Prikler <leo.prikler@student.tugraz.at>,
Leo Famulari <leo@famulari.name>
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Thu, 22 Apr 2021 22:01:56 +0200 [thread overview]
Message-ID: <af859e1eeb0963c4e0fe301f877f271b9d39b2a5.camel@zaclys.net> (raw)
In-Reply-To: <87r1j30xmo.fsf@netris.org>
[-- Attachment #1: Type: text/plain, Size: 3662 bytes --]
On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote:
> Hi Raghav,
>
> Raghav Gururajan <rg@raghavgururajan.name> writes:
>
> > > Those commits on 'core-updates' were digitally signed by Léo Le
> > > Bouter
> > > <lle-bout@zaclys.net> and have the same problems: they remove
> > > security
> > > fixes, and yet the summary lines indicate that only "cosmetic
> > > changes"
> > > were made.
> >
> > Yeah, the commit title didn't mention the change but the commit
> > message did.
>
> I'm sorry, but that won't do. There are at least three things wrong
> with these commits:
>
> (1) The summary lines were misleading, because they implied that no
> functional changes were made.
>
> (2) The commit messages were misleading, because they failed to
> mention
> that security holes which had previously been fixed were now
> being
> re-introduced. That wasn't at all obvious.
>
> Commits like these, which remove patches that had fixed security
> flaws, are fairly common: someone casually looking over the
> commit
> log might assume that the patches could be safely removed because
> a
> version update was done at the same time, rendering those patches
> obsolete.
>
> (3) Although your 'glib' commit was immediately followed by a 'glib'
> update, rendering it harmless, your misleading 'cairo' commit
> left
> 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our
> 'core-updates' and 'wip-gnome' branches. Those will need to be
> fixed now.
>
> Léo Le Bouter <lle-bout@zaclys.net> is also culpable here, because he
> digitally signed the misleading 'cairo' commit that's on our
> 'core-updates' branch, which re-introduced CVE-2018-19876 and
> CVE-2020-35492.
>
> --8<---------------cut here---------------start------------->8---
> commit f94cdc86f644984ca83164d40b17e7eed6e22091
> gpg: Signature made Fri 26 Mar 2021 05:13:57 PM EDT
> gpg: using RSA key
> 148BCB8BD80BFB16B1DE0E9145A8B1E86BCD10A6
> gpg: Good signature from "Léo Le Bouter <lle-bout@zaclys.net>"
> [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to
> the owner.
> Primary key fingerprint: 148B CB8B D80B FB16 B1DE 0E91 45A8 B1E8
> 6BCD 10A6
> Author: Raghav Gururajan <raghavgururajan@disroot.org>
> Date: Fri Dec 4 00:48:43 2020 -0500
>
> gnu: cairo: Make some cosmetic changes.
>
> * gnu/packages/patches/cairo-CVE-2018-19876.patch,
> gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches.
> * gnu/local.mk (dist_patch_DATA): Unregister them.
> * gnu/packages/gtk.scm (cairo): Make some cosmetic changes.
> [replacement]: Remove.
> (cairo/fixed): Remove.
>
> Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net>
> --8<---------------cut here---------------end--------------->8---
>
> https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091
>
> Even the most superficial skimming of this commit should have
> immediately raised red flags, because the summary line is clearly
> inaccurate. It shows a lack of careful review, to put it mildly.
>
> Mark
Hello Mark,
I don't share your analysis, the security fixes werent stripped because
glib/cairo was also updated to latest version in subsequent commits
which were pushed all at once.
Careful review was done, and that's why I signed-off and GPG-signed the
commits. Nobody was put at risk by these commits and no security fixes
were stripped.
Léo
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-04-22 20:06 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-22 0:58 A "cosmetic changes" commit that removes security fixes Raghav Gururajan
2021-04-22 2:41 ` Mark H Weaver
2021-04-22 3:17 ` Raghav Gururajan
2021-04-22 4:05 ` Raghav Gururajan
2021-04-22 4:33 ` Mark H Weaver
2021-04-22 5:02 ` Raghav Gururajan
2021-04-22 17:21 ` Mark H Weaver
2021-04-22 17:40 ` Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) Mark H Weaver
2021-04-22 20:06 ` Léo Le Bouter
2021-04-22 21:24 ` Ricardo Wurmus
2021-04-22 21:33 ` Mark H Weaver
2021-04-26 17:17 ` Ludovic Courtès
2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver
2021-04-28 17:55 ` Leo Famulari
2021-04-28 20:24 ` Pjotr Prins
2021-04-29 6:54 ` Joshua Branson
2021-04-29 9:26 ` Léo Le Bouter
2021-04-29 15:30 ` Matias Jose Seco Baccanelli
2021-04-30 0:57 ` aviva
2021-05-01 17:02 ` Giovanni Biscuolo
2021-05-01 20:07 ` Leo Prikler
2021-05-01 22:12 ` Mark H Weaver
2021-05-01 22:54 ` Mark H Weaver
2021-05-01 23:15 ` Leo Prikler
2021-05-02 3:13 ` Mark H Weaver
2021-05-02 10:31 ` Leo Prikler
2021-05-03 9:00 ` Mark H Weaver
2021-05-03 9:59 ` Leo Prikler
2021-05-03 17:00 ` Mark H Weaver
2021-05-02 4:17 ` 宋文武
2021-05-02 4:31 ` Leo Famulari
2021-05-02 6:26 ` 宋文武
2021-05-02 15:01 ` Leo Prikler
2021-05-02 19:29 ` Mark H Weaver
2021-05-02 20:09 ` Leo Prikler
2021-05-02 21:02 ` Mark H Weaver
2021-05-02 21:58 ` Leo Prikler
2021-05-02 20:59 ` Ludovic Courtès
2021-05-02 21:23 ` Mark H Weaver
[not found] ` <87czu9sr9k.fsf@outlook.com>
2021-05-02 4:33 ` 宋文武
2021-04-22 21:51 ` Another misleading commit log " Ludovic Courtès
2021-04-22 21:49 ` A "cosmetic changes" commit that removes security fixes Raghav Gururajan
2021-04-24 8:09 ` Mark H Weaver
2021-04-30 0:58 ` aviva
2021-04-22 18:37 ` Leo Famulari
2021-04-22 18:48 ` Mark H Weaver
2021-04-22 21:50 ` Raghav Gururajan
2021-04-22 4:08 ` Mark H Weaver
2021-04-22 11:39 ` 宋文武
2021-04-22 13:28 ` Mark H Weaver
2021-04-22 20:01 ` Léo Le Bouter [this message]
2021-04-22 21:08 ` Christopher Baines
2021-04-22 21:09 ` Leo Prikler
2021-04-22 21:21 ` Mark H Weaver
2021-04-23 17:52 ` Maxim Cournoyer
2021-04-23 18:00 ` Raghav Gururajan
2021-04-23 18:38 ` Maxim Cournoyer
2021-04-23 22:06 ` Raghav Gururajan
2021-04-23 18:50 ` Léo Le Bouter
2021-04-23 19:15 ` Leo Prikler
2021-04-23 19:18 ` Leo Famulari
2021-04-23 19:33 ` Léo Le Bouter
2021-04-23 20:12 ` Leo Famulari
2021-04-26 17:06 ` Giovanni Biscuolo
2021-04-26 17:32 ` Leo Famulari
2021-04-26 21:56 ` Giovanni Biscuolo
2021-04-26 23:01 ` Leo Famulari
2021-04-24 7:46 ` Mark H Weaver
2021-04-26 14:59 ` Léo Le Bouter
2021-04-26 15:23 ` Tobias Geerinckx-Rice
2021-04-26 17:21 ` Ludovic Courtès
2021-04-26 20:07 ` Pjotr Prins
2021-04-26 17:46 ` Léo Le Bouter
2021-04-28 15:52 ` Marius Bakke
2021-04-29 9:13 ` Léo Le Bouter
2021-04-29 11:46 ` Leo Prikler
2021-04-29 11:57 ` Léo Le Bouter
2021-04-29 11:41 ` Arun Isaac
2021-04-29 12:44 ` Pierre Neidhardt
2021-04-29 14:14 ` Pjotr Prins
2021-04-30 17:40 ` Pierre Neidhardt
2021-04-30 19:56 ` Pjotr Prins
2021-05-01 7:23 ` Arun Isaac
2021-05-01 12:40 ` Pjotr Prins
2021-05-01 9:15 ` Pierre Neidhardt
2021-05-01 10:18 ` Yasuaki Kudo
2021-05-03 7:18 ` Pierre Neidhardt
2021-05-01 14:50 ` Giovanni Biscuolo
2021-05-03 7:25 ` Pierre Neidhardt
2021-05-04 2:18 ` Bengt Richter
2021-05-04 6:55 ` Pierre Neidhardt
2021-05-04 15:43 ` Ludovic Courtès
2021-05-06 17:18 ` Pierre Neidhardt
2021-04-29 16:21 ` Arun Isaac
2021-04-26 19:31 ` Léo Le Bouter
2021-04-27 18:10 ` Andreas Enge
-- strict thread matches above, loose matches on Subject: below --
2021-04-21 21:11 Mark H Weaver
2021-04-21 21:24 ` Mark H Weaver
2021-04-21 22:22 ` Tobias Geerinckx-Rice
2021-04-21 23:45 ` Raghav Gururajan
2021-04-21 22:16 ` Leo Prikler
2021-04-21 22:52 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af859e1eeb0963c4e0fe301f877f271b9d39b2a5.camel@zaclys.net \
--to=lle-bout@zaclys.net \
--cc=guix-devel@gnu.org \
--cc=leo.prikler@student.tugraz.at \
--cc=leo@famulari.name \
--cc=me@tobias.gr \
--cc=mhw@netris.org \
--cc=rg@raghavgururajan.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).