Subject: Re: A "cosmetic changes" commit that removes security fixes
From: Leo Prikler <leo.prikler@student.tugraz.at>
To: Mark H Weaver, guix-devel@gnu.org
Date: Thu, 22 Apr 2021 00:16:13 +0200
In-Reply-To: <877dkv2vi5.fsf@netris.org>
References: <877dkv2vi5.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Mark,

On Wednesday, 21.04.2021, 17:11 -0400, Mark H Weaver wrote:
> Hello Guix,
>
> Raghav Gururajan has pushed another misleading "cosmetic changes"
> commit.  This one is *far* worse than the examples I gave before.
> This one removes the security fixes for CVE-2018-19876 and
> cairo-CVE-2020-35492 that I had applied in commit
> bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.
>
> Behold, Raghav's "cosmetic changes" to our 'cairo' package:
In particular, it is also worse than the glib example you've used, since
at least the glib one is followed up by an update.  This one is not, at
least as far as I can tell.
https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a
>
> With this in mind, does anyone else find it worrisome that Raghav has
> commit access?
>
> Mark
It is indeed worrying that those patches seem to have made it to
wip-gnome with little review.  I believe we inherited this from before
work was done on savannah, as I can't seem to find them within our
mailing lists.

As a side note, that's why I make it a habit not to push any patches
that I've edited too heavily, instead sending them back to the mailing
list in hope of another reviewer.  Even if those changes seem merely
cosmetic to me, they might have a larger impact than I can imagine.
However, in taking more time to let patches sit on the mailing list, I
fear that I might come off as "unwilling" to those contributors whose
work I help review, including Raghav, and also that my involvement in
some patch discussion tells other committers "don't worry, I got this,
do something else".

I don't think we need to strip Raghav's commit rights yet, but at the
same time we ought to more closely monitor what's going on in wip-gnome.
Being 3 GNOME releases and one c-u merge late, there isn't much room to
allow for fuck-ups, and as we all know, that's when most of them happen.

Regards,
Leo
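A mechanical check for the kind of commit discussed in this message, added here as an example; it is not code from Guix or from anyone in the thread. It scans a unified diff for `search-patches` entries naming CVE patches that a commit removes without re-adding them in the same file, so a pure reflow (the patch names merely moved to another line) passes while a silent drop is flagged. The two sample diffs are constructed for illustration: the path gnu/packages/gtk.scm, the patch file names built from the CVE identifiers above, and the exact `(origin ...)` layout are assumptions, not the contents of the linked commit.

```python
"""Flag diffs that drop CVE patch references from Guix package definitions.

Added example, not Guix code.  The sample diffs below are constructed and
only resemble what a "cosmetic" reformat of the cairo package might look
like; they are not the real commit.
"""
import re
import sys
from collections import Counter

# A quoted patch file name containing a CVE identifier, as it appears inside
# a (search-patches ...) form.  The naming convention is an assumption.
CVE_PATCH_RE = re.compile(
    r'"([A-Za-z0-9_.+-]*CVE-\d{4}-\d{4,}[A-Za-z0-9_.+-]*\.patch)"')


def dropped_cve_patches(diff_text):
    """Return {path: [patch, ...]} for CVE patches removed by the diff and
    not added back (anywhere) in the same file.

    A reflow that moves a line produces a '-' and a matching '+' for the
    same patch name, so counting both sides per file separates cosmetic
    movement from an actual removal.
    """
    removed, added = Counter(), Counter()
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-side file header
            path = line[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            continue
        if line.startswith("--- ") or line.startswith("@@"):
            continue                         # old-side header / hunk header
        if line.startswith("-"):
            for name in CVE_PATCH_RE.findall(line):
                removed[(path, name)] += 1
        elif line.startswith("+"):
            for name in CVE_PATCH_RE.findall(line):
                added[(path, name)] += 1

    dropped = {}
    for (p, name), n in removed.items():
        if added[(p, name)] < n:             # removed more often than re-added
            dropped.setdefault(p, []).append(name)
    return dropped


# Constructed sample 1: a reformat that also deletes the (patches ...) form.
SAMPLE_DROP_DIFF = """\
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -1,9 +1,8 @@
 (define-public cairo
   (package
     (name "cairo")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://cairographics.org/releases/cairo-"
-                                  version ".tar.xz"))
-              (patches (search-patches "cairo-CVE-2018-19876.patch"
-                                       "cairo-CVE-2020-35492.patch"))))
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://cairographics.org/releases/cairo-"
+                           version ".tar.xz"))))
"""

# Constructed sample 2: a genuinely cosmetic reflow; the patches survive.
SAMPLE_REFLOW_DIFF = """\
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -5,2 +5,3 @@
-              (patches (search-patches "cairo-CVE-2018-19876.patch"
-                                       "cairo-CVE-2020-35492.patch"))))
+       (patches
+        (search-patches "cairo-CVE-2018-19876.patch"
+                        "cairo-CVE-2020-35492.patch"))))
"""


def report(diff_text):
    """Human-readable summary; returns the number of files with drops."""
    dropped = dropped_cve_patches(diff_text)
    for path, names in dropped.items():
        print(f"{path}: CVE patches removed and not re-added: {', '.join(names)}")
    return len(dropped)


if __name__ == "__main__":
    # Reads a diff on stdin (e.g. from `git show --no-color <commit>`);
    # with no stdin data it demonstrates on the constructed samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DROP_DIFF
    sys.exit(1 if report(text) else 0)
```

Feeding it `git show --no-color <commit>` on stdin makes it exit non-zero whenever a CVE patch vanishes from a package file; a hit is a prompt for the reviewer to ask why the patch went away before the "cosmetic" label is accepted, not proof of a regression on its own (the fix might have been applied upstream in a version bump in the same commit).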