From: Raghav Gururajan
To: Guix Devel
Cc: mhw@netris.org, Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari, Léo Le Bouter
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Wed, 21 Apr 2021 20:58:30 -0400

Hi Mark!

> Raghav Gururajan has pushed another misleading "cosmetic changes"
> commit.

When you brought up the concern
(https://lists.gnu.org/archive/html/guix-devel/2020-12/msg00008.html),
which I am grateful for, I have worked myself to prevent that from
happening. It was so hard for me provided that I suffer from OCD
(clinically-diagnosed and being treated for). I never made single "Make
cosmetic changes" patches after that discussion. These two patches you
are referring to were made even before our discussion, as a part of
wip-desktop work. The patches were pushed to core-updates as a part of
#42958. Also, during review, I clearly stated about these two cosmetic
changes patches, in this message (https://issues.guix.gnu.org/42958#64).

> This one is *far* worse than the examples I gave before.
> This one removes the security fixes for CVE-2018-19876 and
> cairo-CVE-2020-35492 that I had applied in commit
> bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.

The commit is not new. I cherry-picked from core-updates
(993de472ed3dfe90e1c4110b6b910c1f74d243ff), which was pushed as a part
of #42958.

> Behold, Raghav's "cosmetic changes" to our 'cairo' package:

The commit is also not new. I cherry-picked from core-updates
(f94cdc86f644984ca83164d40b17e7eed6e22091), which was pushed as a part
of #42958.

NOTE:

When I format-patched these patches, initially (42958), they did not
contain changes to remove CVE. IIRC, when Leo and I were working outside
of savannah, this change was probably added when we updated glib to
latest version.

> With this in mind, does anyone else find it worrisome that Raghav has
> commit access?

I wish you had given me the benefit of the doubt.

Regards,
RG.