From: Léo Le Bouter
To: Tobias Geerinckx-Rice
Cc: Mark H Weaver, Leo Famulari, Maxim Cournoyer, Raghav Gururajan, Leo Prikler, Sou Bunnbu, guix-devel@gnu.org
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Mon, 26 Apr 2021 19:46:34 +0200

On Mon, 2021-04-26 at 17:23 +0200, Tobias Geerinckx-Rice wrote:
> Hi Léo,
>
> > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50
> > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008
> >
> > Can you please explain what went wrong here?
>
> Is a reasonable question, shared by all of us, not just Mark. The
> constructive way forward is to answer it fully. It's in your best
> interest to do so.
>
> Kind regards,
>
> T G-R

I am sorry, I will not. It's evident nothing went wrong and Mark is not
asking questions that are beneficial to anyone here besides
contributing to public shaming of people.

The fix is already pushed and thank you to the person that made it and
Mark for identifying the issue, however I don't say thank you for
trying to publicly shame people on the mailing list, both Raghav and
me.

At best there was an oversight (like there are many in various commits
made every day to GNU Guix) where I assumed the latest version of
software would contain all security fixes (as I tend to consider GNOME
software such as cairo is well maintained upstream security-wise, seems
not), I don't think there's anything more to add.

I find Mark's way of communicating about these issues not constructive
and unfriendly.

I think that if Mark or anyone else expects me to answer I think they
should not phrase criticism in a way that they accuse me or anyone else
of having made a mistake. I don't think we should find who is
responsible for mistakes, we could however ask advice on what happened
to fix the mistake in case the person that introduced it cannot.

And to ever think I would act in bad faith towards GNU Guix security
when I spent entire weeks checking and patching CVEs full time, I don't
think that would make sense.

On Mon, 2021-04-26 at 19:21 +0200, Ludovic Courtès wrote:
> Hi Léo,
>
> Tobias Geerinckx-Rice skribis:
>
> > > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50
> > > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008
> > > Can you please explain what went wrong here?
> >
> > Is a reasonable question, shared by all of us, not just Mark. The
> > constructive way forward is to answer it fully. It's in your best
> > interest to do so.
>
> I concur. Please reply as soon as you can so we can understand what
> happened, restore trust, and collectively avoid such pitfalls in the
> future.
>
> Thanks in advance,
> Ludo’.

I don't understand how trust would be lost.

Léo