* Re: A "cosmetic changes" commit that removes security fixes @ 2021-04-22 0:58 Raghav Gururajan 2021-04-22 2:41 ` Mark H Weaver 0 siblings, 1 reply; 96+ messages in thread From: Raghav Gururajan @ 2021-04-22 0:58 UTC (permalink / raw) To: Guix Devel Cc: mhw, Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari, Léo Le Bouter [-- Attachment #1.1: Type: text/plain, Size: 1758 bytes --] Hi Mark! > Raghav Gururajan has pushed another misleading "cosmetic changes" > commit. When you brought-up the concern (https://lists.gnu.org/archive/html/guix-devel/2020-12/msg00008.html), which I am grateful for, I have worked myself to prevent that from happening. It was so hard for me provided that I suffer from OCD (clinically-diagnosed and being treated for). I never made single "Make cosmetic changes" patches after that discussion. These two patches you are referring to, was made even before our discussion, as a part of wip-desktop work. The patches were pushed to core-updates as a part of #42958. Also, during review, I clearly stated about these two cosmetic changes patches, in this message (https://issues.guix.gnu.org/42958#64). > This one is *far* worse than the examples I gave before. > This one removes the security fixes for CVE-2018-19876 and > cairo-CVE-2020-35492 that I had applied in commit > bc16eacc99e801ac30cbe2aa649a2be3ca5c102a. The commit is not new. I cherry-picked from core-updates (993de472ed3dfe90e1c4110b6b910c1f74d243ff), which was pushed as a part of #42958. > Behold, Raghav's "cosmetic changes" to our 'cairo' package: The commit is also not new. I cherry-picked from core-updates (f94cdc86f644984ca83164d40b17e7eed6e22091), which was pushed as a part of #42958. NOTE: When I format-patched these patches, initially (42958), did not contain changes to remove CVE. IIRC, when Leo and I were working outside of savannah, this change was probably added when we updated glib to latest version. > With this in mind, does anyone else find it worrisome that Raghav has > commit access? I wish you had given me the benefit of the doubt. Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 0:58 A "cosmetic changes" commit that removes security fixes Raghav Gururajan @ 2021-04-22 2:41 ` Mark H Weaver 2021-04-22 3:17 ` Raghav Gururajan 0 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 2:41 UTC (permalink / raw) To: Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Hi Raghav, Raghav Gururajan <rg@raghavgururajan.name> writes: >> Raghav Gururajan has pushed another misleading "cosmetic changes" >> commit. [...] >> This one is *far* worse than the examples I gave before. >> This one removes the security fixes for CVE-2018-19876 and >> cairo-CVE-2020-35492 that I had applied in commit >> bc16eacc99e801ac30cbe2aa649a2be3ca5c102a. > > The commit is not new. I cherry-picked from core-updates > (993de472ed3dfe90e1c4110b6b910c1f74d243ff), which was pushed as a part > of #42958. > >> Behold, Raghav's "cosmetic changes" to our 'cairo' package: > The commit is also not new. I cherry-picked from core-updates > (f94cdc86f644984ca83164d40b17e7eed6e22091), which was pushed as a part > of #42958. Those commits on 'core-updates' were digitally signed by Léo Le Bouter <lle-bout@zaclys.net> and have the same problems: they remove security fixes, and yet the summary lines indicate that only "cosmetic changes" were made. I'm sorry to say that your responses have done nothing to allay my concerns. Mark ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 2:41 ` Mark H Weaver @ 2021-04-22 3:17 ` Raghav Gururajan 2021-04-22 4:05 ` Raghav Gururajan 2021-04-22 4:08 ` Mark H Weaver 0 siblings, 2 replies; 96+ messages in thread From: Raghav Gururajan @ 2021-04-22 3:17 UTC (permalink / raw) To: Mark H Weaver, Guix Devel Cc: Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari, Léo Le Bouter [-- Attachment #1.1: Type: text/plain, Size: 683 bytes --] Hi Mark! > Those commits on 'core-updates' were digitally signed by Léo Le Bouter > <lle-bout@zaclys.net> and have the same problems: they remove security > fixes, and yet the summary lines indicate that only "cosmetic changes" > were made. Yeah, the commit title didn't mention the change but the commit message did. > I'm sorry to say that your responses have done nothing to allay my > concerns. For glib, IIRC, we updated package to latest version and guix lint didn't show any more CVEs. Also, I think the change was added as part of the cosmetic change commit, to cleanly apply succeeding patches. For cairo, let me get back to you. Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 3:17 ` Raghav Gururajan @ 2021-04-22 4:05 ` Raghav Gururajan 2021-04-22 4:33 ` Mark H Weaver ` (2 more replies) 2021-04-22 4:08 ` Mark H Weaver 1 sibling, 3 replies; 96+ messages in thread From: Raghav Gururajan @ 2021-04-22 4:05 UTC (permalink / raw) To: Mark H Weaver, Guix Devel Cc: Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari, Léo Le Bouter [-- Attachment #1.1: Type: text/plain, Size: 1246 bytes --] Hi Mark! > For glib, IIRC, we updated package to latest version and guix lint > didn't show any more CVEs. Also, I think the change was added as part of > the cosmetic change commit, to cleanly apply succeeding patches. > > For cairo, let me get back to you. Okay, I was able to retrace. When Leo and I were working outside savannah, there was master --> core-updates merge. Leo made these changes when he committed to his repo (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I pulled then format-patched and sent it to guix-patches (https://issues.guix.gnu.org/42958#64). From guix-patches it was then pushed to core-updates (https://issues.guix.gnu.org/42958#67), from where I cherry-picked into wip-gnome. It seems Leo made these for ungrafting. I not familiar with ungrafting, so I have to let Leo explain. P.S The commit title for these commits were initially "Ungraft and make some cosmetic changes.", I must have screwed up the tile while moving the patches. For that my apologies. [1] https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 [2] https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 4:05 ` Raghav Gururajan @ 2021-04-22 4:33 ` Mark H Weaver 2021-04-22 5:02 ` Raghav Gururajan 2021-04-22 17:21 ` Mark H Weaver 2021-04-22 18:37 ` Leo Famulari 2 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 4:33 UTC (permalink / raw) To: Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Hi Raghav, Raghav Gururajan <rg@raghavgururajan.name> writes: > Okay, I was able to retrace. When Leo and I were working outside > savannah, there was master --> core-updates merge. Leo made these > changes when he committed to his repo > (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I > pulled then format-patched and sent it to guix-patches > (https://issues.guix.gnu.org/42958#64). From guix-patches it was then > pushed to core-updates (https://issues.guix.gnu.org/42958#67), from > where I cherry-picked into wip-gnome. > > It seems Leo made these for ungrafting. I not familiar with ungrafting, > so I have to let Leo explain. > > P.S > The commit title for these commits were initially "Ungraft and make some > cosmetic changes.", I must have screwed up the tile while moving the > patches. For that my apologies. > > [1] > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > [2] > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 Both of these patches have all of the same problems. The only difference is that their summary lines say "Ungraft and make some cosmetic changes." (1) These original summary lines are still misleading, because "ungraft" means to integrate the fixes from the replacement into the original, but here, the fixes are simply being deleted. (2) These original commit logs are still misleading, for the same reason I gave in my previous reply. (3) The 'cairo' commit still re-introduces security flaws into our 'cairo' package. What worries me as much as anything is that your responses so far seem to indicate that you are failing to understand what you and Léo have done wrong here. Mark ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 4:33 ` Mark H Weaver @ 2021-04-22 5:02 ` Raghav Gururajan 0 siblings, 0 replies; 96+ messages in thread From: Raghav Gururajan @ 2021-04-22 5:02 UTC (permalink / raw) To: Mark H Weaver, Guix Devel Cc: Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari, Léo Le Bouter [-- Attachment #1.1: Type: text/plain, Size: 1006 bytes --] Hi Mark! > (1) These original summary lines are still misleading, because "ungraft" > means to integrate the fixes from the replacement into the original, > but here, the fixes are simply being deleted. I see. Now I get the idea. Thanks for explaining this. > (2) These original commit logs are still misleading, for the same reason > I gave in my previous reply. Agreed. > (3) The 'cairo' commit still re-introduces security flaws into our > 'cairo' package. Agreed. > What worries me as much as anything is that your responses so far seem > to indicate that you are failing to understand what you and Léo have > done wrong here. I never said nothing wrong was done. I was trying to retrace the steps and putting all the information out. I was not sure why Leo added these changes and I failed to elicit questions at that time. Let us try to fix it. I don't know what else to say. @Leo, Shall we add a new commit to fix this? Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 4:05 ` Raghav Gururajan 2021-04-22 4:33 ` Mark H Weaver @ 2021-04-22 17:21 ` Mark H Weaver 2021-04-22 17:40 ` Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) Mark H Weaver 2021-04-22 21:49 ` A "cosmetic changes" commit that removes security fixes Raghav Gururajan 2021-04-22 18:37 ` Leo Famulari 2 siblings, 2 replies; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 17:21 UTC (permalink / raw) To: Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Hi Raghav, Raghav Gururajan <rg@raghavgururajan.name> writes: > Okay, I was able to retrace. When Leo and I were working outside > savannah, there was master --> core-updates merge. Leo made these > changes when he committed to his repo > (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I > pulled then format-patched and sent it to guix-patches > (https://issues.guix.gnu.org/42958#64). From guix-patches it was then > pushed to core-updates (https://issues.guix.gnu.org/42958#67), from > where I cherry-picked into wip-gnome. Thank you for these links. From the IRC log cited above, it now appears that Léo Le Bouter <lle-bout@zaclys.net> bears primary responsibility for these mistakes. In particular, according to the IRC logs, Léo wrote: <lle-bout> raghavgururajan: the main issues on the rebasing were about security fixes on cairo, gdk-pixbuf and glib <lle-bout> I modified the cosmetic commits to remove the graft and patches etc. <https://logs.guix.gnu.org/guix/2021-03-26.log#000950> > It seems Leo made these for ungrafting. I not familiar with ungrafting, > so I have to let Leo explain. Yes, I would very much like to hear an explanation from Léo about how this happened. Nonetheless, you (Raghav) also bear some responsibility for digitally signing and pushing these misleading commits to the 'wip-gnome' branch. At least one of the problems (the misleading summary line) should have been obvious from a cursory glance at the commit log. Mark -- Support Richard Stallman against the vicious misinformation campaign against him and the FSF. See <https://stallmansupport.org> for more. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-22 17:21 ` Mark H Weaver @ 2021-04-22 17:40 ` Mark H Weaver 2021-04-22 20:06 ` Léo Le Bouter 2021-04-22 21:49 ` A "cosmetic changes" commit that removes security fixes Raghav Gururajan 1 sibling, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 17:40 UTC (permalink / raw) To: Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Here's another commit with a blatantly misleading commit log: https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=f5fc3c609e2f38ca1c0523deadb9f77d838fbf32 The summary line is "gnu: gdk-pixbuf: Add missing arguments", but in fact it does all of the following: (1) Ungrafts 'gdk-pixbuf'. (2) Updates 'gdk-pixbuf' from 2.40.0 to 2.42.2. (3) Removes the 'disable-failing-tests' phase. (4) Adds "#:meson ,meson-0.55" and "#:glib-or-gtk? #t" to the arguments. Most of the changes above are not mentioned in the commit log at all, and of course the summary line is extremely misleading. This commit was digitally signed and pushed to the 'wip-gnome' branch by Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure who bears primary responsibility for this one. Mark -- Support Richard Stallman against the vicious misinformation campaign against him and the FSF. See <https://stallmansupport.org> for more. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-22 17:40 ` Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) Mark H Weaver @ 2021-04-22 20:06 ` Léo Le Bouter 2021-04-22 21:24 ` Ricardo Wurmus ` (2 more replies) 0 siblings, 3 replies; 96+ messages in thread From: Léo Le Bouter @ 2021-04-22 20:06 UTC (permalink / raw) To: Mark H Weaver, Raghav Gururajan, Guix Devel Cc: Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari [-- Attachment #1: Type: text/plain, Size: 453 bytes --] On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: > This commit was digitally signed and pushed to the 'wip-gnome' branch > by > Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure > who bears primary responsibility for this one. It seems you are more focused and spend more time sending accusations here than collaboratively working to improve GNU Guix. I don't feel like that's something great to do at all. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-22 20:06 ` Léo Le Bouter @ 2021-04-22 21:24 ` Ricardo Wurmus 2021-04-22 21:33 ` Mark H Weaver 2021-04-22 21:51 ` Another misleading commit log " Ludovic Courtès 2 siblings, 0 replies; 96+ messages in thread From: Ricardo Wurmus @ 2021-04-22 21:24 UTC (permalink / raw) To: Léo Le Bouter Cc: guix-maintainers, Raghav Gururajan, Leo Prikler, guix-devel Léo, > On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: >> This commit was digitally signed and pushed to the 'wip-gnome' >> branch >> by >> Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm >> not sure >> who bears primary responsibility for this one. > > It seems you are more focused and spend more time sending > accusations > here than collaboratively working to improve GNU Guix. I don't > feel > like that's something great to do at all. Please try to deescalate. While I disagree with Mark’s earlier style and harsh tone towards Raghav (who has been trying to get more of his older commits that are relevant for a speedy upgrade of Gnome in shape), it seems obvious now that Mark attempts to understand what signing off on the changed commit means in this case – what motivated the expansion of the scope of the commit, what resulted in not declaring all of the significant changes. I do think it is reasonable to expect an explanation, so that we can collectively address the potential issue (patches removed without upgrade), and prevent it from happening again. Escalating the situation by insinuating bad faith does not serve any constructive purpose. Obstructing the investigation into what happened will only make it harder to prevent it from happening again. It is in our shared interest to prevent problems like this. Also note that Guix has a pretty good track record when it comes to clear commits, so it is not unusual for long term contributors to be at the very least confused by what has happened here. -- Ricardo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-22 20:06 ` Léo Le Bouter 2021-04-22 21:24 ` Ricardo Wurmus @ 2021-04-22 21:33 ` Mark H Weaver 2021-04-26 17:17 ` Ludovic Courtès 2021-04-22 21:51 ` Another misleading commit log " Ludovic Courtès 2 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 21:33 UTC (permalink / raw) To: Léo Le Bouter, Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Léo Le Bouter <lle-bout@zaclys.net> writes: > On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: >> This commit was digitally signed and pushed to the 'wip-gnome' branch >> by >> Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure >> who bears primary responsibility for this one. > > It seems you are more focused and spend more time sending accusations > here than collaboratively working to improve GNU Guix. I don't feel > like that's something great to do at all. I feel an obligation to protect our users, and among other things that means calling attention to Guix committers that are doing things like pushing commits with misleading commit logs (which evade proper review) and pushing "cosmetic changes" that remove security fixes. I've given evidence to back up these claims, evidence that anyone who cares to look in our git repository can plainly see. If you believe my conclusions are erroneous, please make your case. Mark -- Support Richard Stallman against the vicious misinformation campaign against him and the FSF. See <https://stallmansupport.org> for more. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-22 21:33 ` Mark H Weaver @ 2021-04-26 17:17 ` Ludovic Courtès 2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver 0 siblings, 1 reply; 96+ messages in thread From: Ludovic Courtès @ 2021-04-26 17:17 UTC (permalink / raw) To: Mark H Weaver; +Cc: Guix Devel, Raghav Gururajan, Leo Prikler Hi Mark, Mark H Weaver <mhw@netris.org> skribis: > Léo Le Bouter <lle-bout@zaclys.net> writes: > >> On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: >>> This commit was digitally signed and pushed to the 'wip-gnome' branch >>> by >>> Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure >>> who bears primary responsibility for this one. >> >> It seems you are more focused and spend more time sending accusations >> here than collaboratively working to improve GNU Guix. I don't feel >> like that's something great to do at all. > > I feel an obligation to protect our users, and among other things that > means calling attention to Guix committers that are doing things like > pushing commits with misleading commit logs (which evade proper review) > and pushing "cosmetic changes" that remove security fixes. That you called attention on these issues is a great service to all of us, Mark. But I have to agree with Ricardo: the harsh accusatory tone towards Raghav and Léo was not warranted; please assume good faith. Thanks, Ludo’. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-26 17:17 ` Ludovic Courtès @ 2021-04-28 16:43 ` Mark H Weaver 2021-04-28 17:55 ` Leo Famulari ` (3 more replies) 0 siblings, 4 replies; 96+ messages in thread From: Mark H Weaver @ 2021-04-28 16:43 UTC (permalink / raw) To: Ludovic Courtès; +Cc: Guix Devel, Raghav Gururajan, Leo Prikler Hi Ludovic, Ludovic Courtès <ludo@gnu.org> writes: > Mark H Weaver <mhw@netris.org> skribis: > >> Léo Le Bouter <lle-bout@zaclys.net> writes: >> >>> It seems you are more focused and spend more time sending accusations >>> here than collaboratively working to improve GNU Guix. I don't feel >>> like that's something great to do at all. >> >> I feel an obligation to protect our users, and among other things that >> means calling attention to Guix committers that are doing things like >> pushing commits with misleading commit logs (which evade proper review) >> and pushing "cosmetic changes" that remove security fixes. > > That you called attention on these issues is a great service to all of > us, Mark. But I have to agree with Ricardo: the harsh accusatory tone > towards Raghav and Léo was not warranted; please assume good faith. I'm sorry if this comes off as obtuse, but having now re-read all of my messages in this thread, I honestly do not see what I did wrong here. I will need some help to understand. With very few exceptions, almost every sentence that I wrote was purely factual. It seems to me that the facts speak for themselves, and those facts naturally cast Raghav and Léo in a bad light. I don't see how to avoid that while still presenting the facts. You, and a couple of others, have criticized my "tone". This is very subjective, especially over email where we must *imagine* the tone of the speaker. Is it possible that you read more in my messages than I actually wrote? It would be very helpful if you could point out specific messages or quotes of mine to illustrate your criticisms, and to clearly explain what's wrong with them. I'm not trying to be obstructionist here. I honestly don't understand, and I cannot improve without understanding. Thanks, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver @ 2021-04-28 17:55 ` Leo Famulari 2021-04-28 20:24 ` Pjotr Prins 2021-04-29 9:26 ` Léo Le Bouter ` (2 subsequent siblings) 3 siblings, 1 reply; 96+ messages in thread From: Leo Famulari @ 2021-04-28 17:55 UTC (permalink / raw) To: Mark H Weaver; +Cc: Guix Devel On Wed, Apr 28, 2021 at 12:43:53PM -0400, Mark H Weaver wrote: > I'm sorry if this comes off as obtuse, but having now re-read all of my > messages in this thread, I honestly do not see what I did wrong here. > I will need some help to understand. It's common advice that managers and leaders should "praise in public and criticize in private". Assuming that the goal of the criticism is to improve somebody's work, and it must be done in public, then criticism must be carefully calibrated to avoid making them feel defensive, humiliated, and angry. It was correct to point out these mistakes in public but, based on the result, I conclude that your message was not calibrated well. The beginning of this email discussion began by naming a perpretrator and pointing out that it was part of a pattern of mistakes, rather than focusing on the mistake. The next part said, "Behold [...]". As a native USA English speaker, I claim that we only use "Behold" ironically and sarcastically. The message ended by casting aspersions on Raghav's status in Guix. At no point did you concretely describe the problem, or try to teach Raghav what the solution was, or try to explain the correct workflow regarding security updates. You should have sent a message that explained the problem and tried to teach the solution. I've seen you do it many times before; I don't know why you sent that sarcastic and mean message instead. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-28 17:55 ` Leo Famulari @ 2021-04-28 20:24 ` Pjotr Prins 2021-04-29 6:54 ` Joshua Branson 0 siblings, 1 reply; 96+ messages in thread From: Pjotr Prins @ 2021-04-28 20:24 UTC (permalink / raw) To: Leo Famulari; +Cc: Guix Devel Dear Leo, On Wed, Apr 28, 2021 at 01:55:25PM -0400, Leo Famulari wrote: > You should have sent a message that explained the problem and tried to > teach the solution. I've seen you do it many times before; That is perhaps fair comment. It is always best to be constructive and not too personal. The latter is probably what rubs people the wrong way, especially in public. Good advice, in other words. Going by my experience in Guix - if we were to meet personally we would all be impressed by each other, that includes the other Leo and Mark. I think Guix developers are special and all have made interesting journeys to get here. Lisp is an great filter. I wonder how we end up with more Leos than Marks, however ;) But let me defend Mark here (a little). I'll only do this once. I don't think it was malicious even if it did not look nice. Truth is we should also try to look a little beyond the surface. The intention matters. What I read was exasperation. But really, partly to prevent character assassination, I think that if anyone crosses a line the accuser should use our complaints channels. That is what they are for. We should not accuse each other about behaviour in a public channel. Mostly because it is very hard to defend oneself against opinion (of a majority). Pj. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-28 20:24 ` Pjotr Prins @ 2021-04-29 6:54 ` Joshua Branson 0 siblings, 0 replies; 96+ messages in thread From: Joshua Branson @ 2021-04-29 6:54 UTC (permalink / raw) To: Pjotr Prins; +Cc: Leo Famulari, Guix Devel If you'll allow me to comment Mark, I would say that I valued your commitment to discover how to avoid a repeat of the problem. It is nice to see someone truly care about a project and insist a problem does not repeat itself. In practical terms, putting a few smiley faces in emails probably helps. Especially near any criticisms of others. May I mention two book recommendations that I've loved? (Leaders are readers, so I read a lot!) Crucial Conversations is a fantastic book that argues that you can talk about ANYTHING with anyone AND be completely respectful. A crucial conversation is something like "Honey, I don't think we make love enough. May we talk about that?" THAT'S a CRUCIAL CONVERSATION. Everybody is emotionally invested in the outcome of the conversation. So how do you have a good conversation? 1) Focus on your goal. Remind yourself that your goal is to be SUPER respectful to all parties and also to show your point of view and also to believe that you do not know everything and your solution may not be the best one. It is easy in crucial conversations to be silent or violent. To either SCREAM your view or not to express your view. This is a false choice. You CAN be respectful AND persuasive AND open to be persuaded. :) 2) Create dialog. Dialog happens when there is free flow of information. This happens when both people are adding information to the pool of shared meaning. Dialog comes before the decision. I like to say something like, "Let's both honestly add information to our pool of shared meaning. Before we make a decision what are some objective facts that we both should know? Having more facts will help us reach a better decision. Please be completely honest. What am I missing here? What do you know that I don't?" You can read more about some of the tips in crucial conversations. But that is perhaps one of the greatest books I've ever read. Another great book is How to Win Friends and Influence People. It's in the public domain. You can download it now. Here are a couple of principles that are super interesting. - Never criticize. "I have spent the best years of my life giving people the lighter pleasures, helping them have a good time, and all I get is abuse, the existence of a hunted man." - Al Capone. Almost no one thinks of themselves as a bad person. Criticizing almost never gets the result that you want. Lincoln was considered to be one of America's greatest leaders. He learned the hard way that criticizing is a terrible idea. It almost cost him his life. "In the autumn of 1842 he ridiculed a vain, pugnacious politician by the name of James Shields. Lincoln lampooned him through an anonymous letter published in the Springfield Journal. The town roared with laughter. Shields, sensitive and proud, boiled with indignation. He found out who wrote the letter, leaped on his horse, started after Lincoln, and challenged him to fight a duel. Lincoln didn't want to fight. He was opposed to dueling, but he couldn't get out of it and save his honor. He was given the choice of weapons. Since he had very long arms, he chose cavalry broadswords and took lessons in sword fighting from a West Point graduate; and on the appointed day, he and Shields met on a sandbar in the Mississippi River, prepared to fight to the death; but at the last minute, their seconds interrupted and stopped the duel. That was the most lurid personal incident in Lincoln's life. It taught him an invaluable lesson in the art of dealing with people. Never again did he write an insulting letter. Never again did he ridicule anyone. And from that time on, he never criticized anybody for anything." - Lavish people in praise (publicly if possible) "One of the first people in American business to be paid a salary of over a million dollars a year (when there was no income take and a person earning fifty dollars a week was considered well off) was Charles Schwab. He had been picked by Andrew Carnegie to become the first president of the newly formed United States Steel Company in 1921, when Schwab was only 38 years old. (Schwab later left U.S. Steel to take over the then-troubled Bethlehem Steel Company, and he rebuilt it into one of the most profitable companies in America). Why did Andrew Carnegie pay a million dollars a year, or more than three thousand dollars a day, to Charles Schwab? Why? Because Schwab was a genius? No. Because he know more about the manufacture of steel than other people? Nonsense. Charles Schwab told me himself that he had many men working for him who knew more about the manufacture of steel that he did. Schwab says that he was paid this salary largely because of his ability to deal with people. I asked him how he did it. Here is his secret set down in his own words --words that ought to be cast in eternal bronze and hung in every home and school, every shop and office in the land--words that children ought to memorize instead of wasting their time memorizing the conjugation of latin verbs or the amount of the annual rainfall in Brazil-- words that will all but transform your life and mine if we will only live by them: 'I consider my ability to arouse enthusiasm among my people, said Schwab, 'the greastest asset I possess, and the way to develop the best that is in a person is by appreciation and encouragement.' 'There is nothing else that so kills the ambitions of a person as criticisms from superiors. I never criticize anyone. I believe in giving a person incentive to work. So I am anxious to praise but loath to find fault. If I like anything, I am hearty in my approbation and lavish in my praise.' If you'll let me brag a little...I actually put Mr. Schwab's principle to the test. I made a mailing list post on guix-devel entitled "Thank you for your leadership Ludo." It was quite a thrill to have a pleasant public chat with Ludo: https://lists.gnu.org/archive/html/guix-devel/2020-04/msg00021.html To see Ludo suggest that I may influence him was a real joy. Who am I to suggest anything to Ludo about guix? Am I a genius? No. Frequent guix developer? No. I just happen to be lavish in my praise. I hope the above novel was worth the read. :) I really think you are a fantastic, brilliant, and crucial part of guix's development team Mark. And I hope the above encouraged you! Your friend! 143*, Joshua -- Joshua Branson (joshuaBPMan in #guix) Sent from Emacs and Gnus https://gnucode.me https://video.hardlimit.com/accounts/joshua_branson/video-channels https://propernaming.org "You can have whatever you want, as long as you help enough other people get what they want." - Zig Ziglar 143* is Mr. Rogers secret way of saving "I love you." Because there is 1 letter in "I", four letters in "love", and three letters in "you". ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver 2021-04-28 17:55 ` Leo Famulari @ 2021-04-29 9:26 ` Léo Le Bouter 2021-04-29 15:30 ` Matias Jose Seco Baccanelli 2021-04-30 0:57 ` aviva 2021-05-01 17:02 ` Giovanni Biscuolo 3 siblings, 1 reply; 96+ messages in thread From: Léo Le Bouter @ 2021-04-29 9:26 UTC (permalink / raw) To: Mark H Weaver, Ludovic Courtès Cc: Raghav Gururajan, Guix Devel, Leo Prikler [-- Attachment #1: Type: text/plain, Size: 1251 bytes --] On Wed, 2021-04-28 at 12:43 -0400, Mark H Weaver wrote: > I'm sorry if this comes off as obtuse, but having now re-read all of > my > messages in this thread, I honestly do not see what I did wrong here. > I will need some help to understand. > > With very few exceptions, almost every sentence that I wrote was > purely > factual. It seems to me that the facts speak for themselves, and > those > facts naturally cast Raghav and Léo in a bad light. I don't see how > to > avoid that while still presenting the facts. > > You, and a couple of others, have criticized my "tone". This is very > subjective, especially over email where we must *imagine* the tone of > the speaker. Is it possible that you read more in my messages than I > actually wrote? > > It would be very helpful if you could point out specific messages or > quotes of mine to illustrate your criticisms, and to clearly explain > what's wrong with them. I'm not trying to be obstructionist here. I > honestly don't understand, and I cannot improve without > understanding. > > Thanks, > Mark > If you really do not understand, I encourage you read https://en.wikipedia.org/wiki/Nonviolent_Communication and associated works. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-29 9:26 ` Léo Le Bouter @ 2021-04-29 15:30 ` Matias Jose Seco Baccanelli 0 siblings, 0 replies; 96+ messages in thread From: Matias Jose Seco Baccanelli @ 2021-04-29 15:30 UTC (permalink / raw) To: guix-devel Hello! In Guix i feel there's a precious source that's enriching my experience: mutualism There's a lot of building together, of helping each other out. It's a refreshing opportunity to see how positive cooperation brings a lot of good energy. Have a Happy Thursday! Matias ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver 2021-04-28 17:55 ` Leo Famulari 2021-04-29 9:26 ` Léo Le Bouter @ 2021-04-30 0:57 ` aviva 2021-05-01 17:02 ` Giovanni Biscuolo 3 siblings, 0 replies; 96+ messages in thread From: aviva @ 2021-04-30 0:57 UTC (permalink / raw) To: guix-devel On 4/28/21 12:43 PM, Mark H Weaver wrote: > I'm sorry if this comes off as obtuse, but having now re-read all of my > messages in this thread, I honestly do not see what I did wrong here. > I will need some help to understand. please save it ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver ` (2 preceding siblings ...) 2021-04-30 0:57 ` aviva @ 2021-05-01 17:02 ` Giovanni Biscuolo 2021-05-01 20:07 ` Leo Prikler 3 siblings, 1 reply; 96+ messages in thread From: Giovanni Biscuolo @ 2021-05-01 17:02 UTC (permalink / raw) To: Mark H Weaver, Ludovic Courtès; +Cc: Guix Devel, GNU Guix maintainers [-- Attachment #1: Type: text/plain, Size: 4175 bytes --] Hello Mark and Ludovic, please forgive me if I'm going forward with this thread but, after some hesitation, I decided to write this message because I /feel/ we could do better in dealing with issues like this one. Please when you'll read "you" consider it a /generic you/ ("you the reader") not Mark, Ludovic or any specific person; please also consider that "we" is a /plurali maiestatis/ :-D Mark H Weaver <mhw@netris.org> writes: > Ludovic Courtès <ludo@gnu.org> writes: [...] >> That you called attention on these issues is a great service to all of >> us, Mark. But I have to agree with Ricardo: the harsh accusatory tone >> towards Raghav and Léo was not warranted; please assume good faith. > > I'm sorry if this comes off as obtuse, but having now re-read all of my > messages in this thread, I honestly do not see what I did wrong here. > I will need some help to understand. I also spent some time re-reading messages that Mark sent in this thread and, like him, I really don't understand what Mark did wrong. For sure Mark /insisted/ that Raghav and Léo did something wrong with some commits, we can say Mark did it being /direct/ and /accusatory/ but we cannot really say Mark assumed bad faith from them. If you want you can consider Mark used an /harsh/ tone but this is a personal feeling, something one /could/ read "between the lines" even if actually in a written communication I find it hard to read between the lines, it is not something factual. Maybe Mark intended to be harsh, maybe not: who knows? Is /this/ (finding he was harsh) important? As I said above, at most Mark communication should be considered /direct/ and /accusatory/, I say this considering statements like this: «Léo Le Bouter [...] bears primary responsibility for these mistakes.» «I would very much like to hear an explanation from Léo about how this happened.» «Nonetheless, you (Raghav) also bear some responsibility» «blatantly [1] misleading commit log [...] Most of the changes above are not mentioned in the commit log at all, and of course the summary line is extremely misleading.» So: Mark gave responsibilities and complained "loudly" about misleading commits, giving precise explanations of the reasons for how bad he considered the situation, from his point of view (the point of view of a person with competence /and/ previous commints in the domain he was analyzing). You can agree or disagree with him, but /now/ this is not the point. You can call it /accusation/, I call it /asking for responsibility/. You can call it /harsh/, I call it /direct/. Is it really important to find a proper definition for words used by Mark? Is it important to define if some word was proper or improper to in this context? In my opinion we should refrain questioning language here (I mean in Guix mailing lists), especially questioning (perceived) "tone"; /unless/ containing accusations of bad faith or insults, we should be forgiving /each other/ on how people choose how to use [2] language. If we question language usage we risk to shame people for improper use of language and this is bad in my opinion because we risk to isolate or alienate people who - for whatever reason they choose - use direct (or harsh, or accusatory) language to express controversial ideas or report issues, never intending to offend really no one: please respect people /also/ if you find they improperly use language. [...] > It would be very helpful if you could point out specific messages or > quotes of mine to illustrate your criticisms, and to clearly explain > what's wrong with them. I'm not trying to be obstructionist here. I > honestly don't understand, and I cannot improve without understanding. Also, if I overlooked, misinterpreted or missed something please tell me so I can also improve. Thanks! Giovanni. [1] in a way that is very obvious and intentional, when this is a bad thing (from Cambridge Dictionary). [2] or misuse, in case of not native (or not so good) english speakers -- Giovanni Biscuolo Xelera IT Infrastructures [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 849 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-01 17:02 ` Giovanni Biscuolo @ 2021-05-01 20:07 ` Leo Prikler 2021-05-01 22:12 ` Mark H Weaver 0 siblings, 1 reply; 96+ messages in thread From: Leo Prikler @ 2021-05-01 20:07 UTC (permalink / raw) To: Giovanni Biscuolo, Mark H Weaver, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Hello Giovanni, I am not Mark or Ludo, but as a /generic other/, I'd still like to reply. Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: > Hello Mark and Ludovic, > > please forgive me if I'm going forward with this thread but, after > some > hesitation, I decided to write this message because I /feel/ we could > do > better in dealing with issues like this one. > > Please when you'll read "you" consider it a /generic you/ ("you the > reader") not Mark, Ludovic or any specific person; please also > consider > that "we" is a /plurali maiestatis/ :-D Nitpick, should be /pluralis/ :P > I also spent some time re-reading messages that Mark sent in this > thread > and, like him, I really don't understand what Mark did wrong. > > For sure Mark /insisted/ that Raghav and Léo did something wrong with > some commits, we can say Mark did it being /direct/ and /accusatory/ > but > we cannot really say Mark assumed bad faith from them. He did wrong insofar as his accusatory message read as though he was assuming bad faith (or at the very least incompetence, which, if you are the party being accused, does not sound too nice either). > If you want you can consider Mark used an /harsh/ tone but this is a > personal feeling, something one /could/ read "between the lines" even > if > actually in a written communication I find it hard to read between > the > lines, it is not something factual. Maybe Mark intended to be harsh, > maybe not: who knows? Is /this/ (finding he was harsh) important? It is definitely of some importance. You want your readers to interpret your message in the same way you interpret them and "sounding pointlessly harsh" is (I would assume) not the way anyone wants to be read. Of course, there is a complex interplay between reader and writer at hand here, but only one variable for the writer to control. In this case, what was read between the lines caused one of the participants to assume a very defensive stance, and might also have been uncomfortable for others, who were involved. While I personally disagree with tone policing (the act of dismissing criticism based solely on issues of tone), I think trying to phrase things in a way you're less likely to be misunderstood is in general a good idea. > As I said above, at most Mark communication should be considered > /direct/ and /accusatory/, I say this considering statements like > this: > > «Léo Le Bouter [...] bears primary responsibility for these > mistakes.» > > «I would very much like to hear an explanation from Léo about how > this > happened.» > > «Nonetheless, you (Raghav) also bear some responsibility» > > «blatantly [1] misleading commit log [...] Most of the changes above > are > not mentioned in the commit log at all, and of course the summary > line > is extremely misleading.» Each of those phrases on their own might not look too bad, but stringing them together like this constructs an image in which Mark is just looking for someone to blame. Of course, with full context, it's slightly less severe, but you can't ignore the possibility, that your conversation partner might choose to get riled up by those alone. > So: Mark gave responsibilities and complained "loudly" about > misleading > commits, giving precise explanations of the reasons for how bad he > considered the situation, from his point of view (the point of view > of a > person with competence /and/ previous commints in the domain he was > analyzing). You can agree or disagree with him, but /now/ this is > not > the point. > > You can call it /accusation/, I call it /asking for responsibility/. > > You can call it /harsh/, I call it /direct/. > > Is it really important to find a proper definition for words used by > Mark? Is it important to define if some word was proper or improper > to > in this context? > > In my opinion we should refrain questioning language here (I mean in > Guix mailing lists), especially questioning (perceived) "tone"; > /unless/ > containing accusations of bad faith or insults, we should be > forgiving > /each other/ on how people choose how to use [2] language. > > If we question language usage we risk to shame people for improper > use > of language and this is bad in my opinion because we risk to isolate > or > alienate people who - for whatever reason they choose - use direct > (or > harsh, or accusatory) language to express controversial ideas or > report > issues, never intending to offend really no one: please respect > people > /also/ if you find they improperly use language. You make a somewhat decent point against tone policing and since I agree on the position, I don't want to take away from your argument. However, I think it'd be better not to consider this as an issue of people "choosing to be harsh" (which could well be avoided), but in terms of inclusivity (not everyone is a native English speaker and we come from different cultural backgrounds; we shouldn't discourage people from contributing just because they aren't part of a queer squat in Paris). > [...] > > Thanks! Giovanni. I think this explains how I see it somewhat well, but remember, that there are as many opinions on this matter as there were participants in the discussion. We might not all reach a consensus here. Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-01 20:07 ` Leo Prikler @ 2021-05-01 22:12 ` Mark H Weaver 2021-05-01 22:54 ` Mark H Weaver 2021-05-01 23:15 ` Leo Prikler 0 siblings, 2 replies; 96+ messages in thread From: Mark H Weaver @ 2021-05-01 22:12 UTC (permalink / raw) To: Leo Prikler, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Hi Leo, Leo Prikler <leo.prikler@student.tugraz.at> writes: > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >> I also spent some time re-reading messages that Mark sent in this >> thread and, like him, I really don't understand what Mark did wrong. >> >> For sure Mark /insisted/ that Raghav and Léo did something wrong with >> some commits, we can say Mark did it being /direct/ and /accusatory/ >> but we cannot really say Mark assumed bad faith from them. > He did wrong insofar as his accusatory message read as though he was > assuming bad faith Can you please point out which of my words led you to conclude that I was assuming bad faith? For what it's worth, I have *never* assumed bad faith, and I don't think I said anything to imply it either. > (or at the very least incompetence, which, if you are the party being > accused, does not sound too nice either). I pointed out facts. I did not engage in speculation beyond the facts. Here, I think that you are making your own speculations based on the facts that I uncovered, and are attributing those speculations to me. That's unfair. Your speculations are not my responsibility. Moreover, even if it were true that most people would make similar speculations based on the facts I exposed, that's not my responsibility either. >> If you want you can consider Mark used an /harsh/ tone but this is a >> personal feeling, something one /could/ read "between the lines" even >> if actually in a written communication I find it hard to read between >> the lines, it is not something factual. Maybe Mark intended to be >> harsh, maybe not: who knows? Is /this/ (finding he was harsh) >> important? > It is definitely of some importance. I agree that it's of some importance, but it's also a fundamentally hard thing to do. I'm genuinely surprised by some of the claims being made about my messages, especially the claim that I assumed "bad faith". I didn't say anything to imply that, I didn't think it, and I still don't. Thanks for discussing this, Leo. I appreciate your feedback, even where we disagree. Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-01 22:12 ` Mark H Weaver @ 2021-05-01 22:54 ` Mark H Weaver 2021-05-01 23:15 ` Leo Prikler 1 sibling, 0 replies; 96+ messages in thread From: Mark H Weaver @ 2021-05-01 22:54 UTC (permalink / raw) To: Leo Prikler, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Mark H Weaver <mhw@netris.org> writes: > Leo Prikler <leo.prikler@student.tugraz.at> writes: > >> Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >>> If you want you can consider Mark used an /harsh/ tone but this is a >>> personal feeling, something one /could/ read "between the lines" even >>> if actually in a written communication I find it hard to read between >>> the lines, it is not something factual. Maybe Mark intended to be >>> harsh, maybe not: who knows? Is /this/ (finding he was harsh) >>> important? >> It is definitely of some importance. > > I agree that it's of some importance, but it's also a fundamentally hard > thing to do. Sorry, what I meant to write above was "it's also fundamentally hard to anticipate the 'tone' that others will attribute to my writing." > I'm genuinely surprised by some of the claims being made > about my messages, especially the claim that I assumed "bad faith". I > didn't say anything to imply that, I didn't think it, and I still don't. > > Thanks for discussing this, Leo. I appreciate your feedback, even where > we disagree. Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-01 22:12 ` Mark H Weaver 2021-05-01 22:54 ` Mark H Weaver @ 2021-05-01 23:15 ` Leo Prikler 2021-05-02 3:13 ` Mark H Weaver ` (2 more replies) 1 sibling, 3 replies; 96+ messages in thread From: Leo Prikler @ 2021-05-01 23:15 UTC (permalink / raw) To: Mark H Weaver, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Hi Mark, Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: > Hi Leo, > > Leo Prikler <leo.prikler@student.tugraz.at> writes: > > > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: > > > I also spent some time re-reading messages that Mark sent in this > > > thread and, like him, I really don't understand what Mark did > > > wrong. > > > > > > For sure Mark /insisted/ that Raghav and Léo did something wrong > > > with > > > some commits, we can say Mark did it being /direct/ and > > > /accusatory/ > > > but we cannot really say Mark assumed bad faith from them. > > He did wrong insofar as his accusatory message read as though he > > was > > assuming bad faith > > Can you please point out which of my words led you to conclude that I > was assuming bad faith? I am basing this on the following exchange: Am Montag, den 26.04.2021, 19:17 +0200 schrieb Ludovic Courtès: > > I feel an obligation to protect our users, and among other things > that > > means calling attention to Guix committers that are doing things > like > > pushing commits with misleading commit logs (which evade proper > review) > > and pushing "cosmetic changes" that remove security fixes. > > That you called attention on these issues is a great service to all > of > us, Mark. But I have to agree with Ricardo: the harsh accusatory > tone > towards Raghav and Léo was not warranted; please assume good faith. > To re-iterate, I believe you were (and are) right to call out commits for their misleading messages, but the unique circumstances of this thread led people to think you were assuming ill intent or something along those lines. Again, I might just be reading Ludo's message wrong here (and if not, Ludo might have read Ricardo wrong at the time; the original message seems to be directed towards Léo for insinuating you assumed bad faith when you weren't). That being said, I think it is fair to argue, that some people read your posts as assuming bad faith from Léo and some did the reverse. I can't put hard numbers to that, but given the number of participants an existence "proof" ought to suffice. > For what it's worth, I have *never* assumed bad faith, and I don't > think > I said anything to imply it either. > > > (or at the very least incompetence, which, if you are the party > > being > > accused, does not sound too nice either). > > I pointed out facts. I did not engage in speculation beyond the > facts. Well, you did fumble on those facts a little, because the true history of the misleading commits was only discovered later. So did I in the same thread. Either way, "just pointing out facts" is not an accurate assessment in my opinion; facts are nothing without interpretation, which see. > Here, I think that you are making your own speculations based on the > facts that I uncovered, and are attributing those speculations to me. > That's unfair. Your speculations are not my responsibility. > > Moreover, even if it were true that most people would make similar > speculations based on the facts I exposed, that's not my > responsibility > either. Here, I believe, you are wrong. If your audience is led to a certain view due to your speech, even if it's not something you explicitly stated, you are still the one who made them hold that view (or reinforced it, if they already held it before and you merely made a claim in support of their view). From an utilitarian point of view, it is the effects of your actions, that matter. > > > If you want you can consider Mark used an /harsh/ tone but this > > > is a > > > personal feeling, something one /could/ read "between the lines" > > > even > > > if actually in a written communication I find it hard to read > > > between > > > the lines, it is not something factual. Maybe Mark intended to > > > be > > > harsh, maybe not: who knows? Is /this/ (finding he was harsh) > > > important? > > It is definitely of some importance. > > I agree that it's of some importance, but it's also a fundamentally > hard > thing to do. I'm genuinely surprised by some of the claims being > made > about my messages, especially the claim that I assumed "bad > faith". I > didn't say anything to imply that, I didn't think it, and I still > don't. I agree, it is hard, and it is also not immediately obvious what effects a given statement might have. We can only ever evaluate such things a posteriori and try to learn from them. > Sorry, what I meant to write above was "it's also fundamentally hard > to > anticipate the 'tone' that others will attribute to my writing." Don't worry, that's more or less the way I read it. In case you wonder, the way I read it "reading between lines" is hard, which certainly also holds, especially outside one's first language. Let it be said, that I don't condemn you for starting this thread. Not only did it highlight an issue, that would otherwise have gone unnoticed, I think most of the participants are now more acutely aware of what might go wrong if they evade review. It is sad, that things turned out the way they did, but despite what others might claim you don't bear sole responsibility for that. Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-01 23:15 ` Leo Prikler @ 2021-05-02 3:13 ` Mark H Weaver 2021-05-02 10:31 ` Leo Prikler 2021-05-02 4:17 ` 宋文武 [not found] ` <87czu9sr9k.fsf@outlook.com> 2 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-05-02 3:13 UTC (permalink / raw) To: Leo Prikler, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Hi Leo, I took the liberty of refilling the quotations in your email to make them more readable. Leo Prikler <leo.prikler@student.tugraz.at> writes: > Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: >> Can you please point out which of my words led you to conclude that I >> was assuming bad faith? > > I am basing this on the following exchange: > > Am Montag, den 26.04.2021, 19:17 +0200 schrieb Ludovic Courtès: >> > I feel an obligation to protect our users, and among other things >> > that means calling attention to Guix committers that are doing >> > things like pushing commits with misleading commit logs (which >> > evade proper review) and pushing "cosmetic changes" that remove >> > security fixes. >> >> That you called attention on these issues is a great service to all of >> us, Mark. But I have to agree with Ricardo: the harsh accusatory tone >> towards Raghav and Léo was not warranted; please assume good faith. >> > To re-iterate, I believe you were (and are) right to call out commits > for their misleading messages, but the unique circumstances of this > thread led people to think you were assuming ill intent or something > along those lines. I asked you to point out which of *my* words led you to conclude that I was assuming bad faith, and it seems that you haven't been able to do that, nor has anyone else. Do you see the problem here? > That being said, I think it is fair to argue, that > some people read your posts as assuming bad faith from Léo and some did > the reverse. I can't put hard numbers to that, but given the number of > participants an existence "proof" ought to suffice. It's true that some people have gotten the mistaken impression that I assumed bad faith. The problem is that it's flat wrong. There's *nothing* to back it up, and in fact it's simply false. It's unjust to blame me for other people's bogus, evidence-free claims about what they *imagine* I assumed. >> For what it's worth, I have *never* assumed bad faith, and I don't >> think I said anything to imply it either. >> >> > (or at the very least incompetence, which, if you are the party >> > being accused, does not sound too nice either). >> >> I pointed out facts. I did not engage in speculation beyond the >> facts. > Well, you did fumble on those facts a little, because the true history > of the misleading commits was only discovered later. I don't think I fumbled on the facts at all. It's true that I didn't yet have _all_ of the relevant facts, but as far as I know, every fact that I presented is true. If you disagree, can you please provide a counterexample? > Either way, "just pointing out facts" is not an accurate > assessment in my opinion; facts are nothing without interpretation, > which see. I don't understand what you're getting at here. Can you please elaborate? >> Here, I think that you are making your own speculations based on the >> facts that I uncovered, and are attributing those speculations to me. >> That's unfair. Your speculations are not my responsibility. >> >> Moreover, even if it were true that most people would make similar >> speculations based on the facts I exposed, that's not my >> responsibility either. >> > Here, I believe, you are wrong. If your audience is led to a certain > view due to your speech, even if it's not something you explicitly > stated, you are still the one who made them hold that view (or > reinforced it, if they already held it before and you merely made a > claim in support of their view). From an utilitarian point of view, it > is the effects of your actions, that matter. For purposes of deciding what actions one should take to achieve a certain goal, I certainly agree that what ultimately matters are the predictable effects of one's actions, and not the intent behind them. So, in that context, I agree with much of what you wrote above. However, if you mean to suggest that people should be held accountable for all effects of their actions, I must *strenuously* object. For example, if a speaker at a Black Lives Matter protest gives a speech which recounts the many unjustifiable killings of innocent black people by police, and later that day some of the people attending the protest loot small businesses, I hope that we can agree that it would be unjust to hold the speaker accountable for that. If speakers at a protest can be held accountable for the actions of every person who attends the protest, then protests would *effectively* become illegal, because the opposition can always hire infiltrators to *ensure* that someone does something illegal. In this case, if I cannot point out a "cosmetic changes" commit that removes security fixes without being accused of insinuating that the person was acting in bad faith, then effectively it becomes unsafe for me to point out breaches such as this one. > Let it be said, that I don't condemn you for starting this thread. Not > only did it highlight an issue, that would otherwise have gone > unnoticed, I think most of the participants are now more acutely aware > of what might go wrong if they evade review. It is sad, that things > turned out the way they did, but despite what others might claim you > don't bear sole responsibility for that. Thanks for these words, Leo. Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 3:13 ` Mark H Weaver @ 2021-05-02 10:31 ` Leo Prikler 2021-05-03 9:00 ` Mark H Weaver 0 siblings, 1 reply; 96+ messages in thread From: Leo Prikler @ 2021-05-02 10:31 UTC (permalink / raw) To: Mark H Weaver, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Am Samstag, den 01.05.2021, 23:13 -0400 schrieb Mark H Weaver: > Hi Leo, > > I took the liberty of refilling the quotations in your email to make > them more readable. Please do. > > Leo Prikler <leo.prikler@student.tugraz.at> writes: > > > Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: > > > Can you please point out which of my words led you to conclude > > > that I was assuming bad faith? > > > > I am basing this on the following exchange: > > > > Am Montag, den 26.04.2021, 19:17 +0200 schrieb Ludovic Courtès: > > > > I feel an obligation to protect our users, and among other > > > > things > > > > that means calling attention to Guix committers that are doing > > > > things like pushing commits with misleading commit logs (which > > > > evade proper review) and pushing "cosmetic changes" that remove > > > > security fixes. > > > > > > That you called attention on these issues is a great service to > > > all of > > > us, Mark. But I have to agree with Ricardo: the harsh accusatory > > > tone > > > towards Raghav and Léo was not warranted; please assume good > > > faith. > > > > > To re-iterate, I believe you were (and are) right to call out > > commits > > for their misleading messages, but the unique circumstances of this > > thread led people to think you were assuming ill intent or > > something > > along those lines. > > I asked you to point out which of *my* words led you to conclude that > I was assuming bad faith, and it seems that you haven't been able to > do that, nor has anyone else. > > Do you see the problem here? I am not arguing, that you were assuming bad faith, I'm making the much weaker argument, that people were led to believe you were. For me, the root cause of understanding it this was were Léo's defensive attitudes coupled with Ludo's statement. I personally don't think you were assuming bad faith, especially after your clarification, but I can see how people might construct that view. Refer to my response to Giovanni to see how cherry-picking your messages might result in that. When asking more generally, however, I'm afraid I can't give you a definitive answer on this one. Only Léo can tell why they assumed bad faith on your part, but looking at the situation, they are emotionally not able to do so or at the very least not willing. The best advice I can give you is to listen to them when they do respond, but also listen to others when they point out concrete issues with your wording. For instance, someone made the case that "Behold" sounded rather sarcastic, and while I've personally watched enough anime to consider it a completely normal word, they might have a point. > > That being said, I think it is fair to argue, that some people read > > your posts as assuming bad faith from Léo and some did the > > reverse. I can't put hard numbers to that, but given the > > number of participants an existence "proof" ought to suffice. > > It's true that some people have gotten the mistaken impression that I > assumed bad faith. The problem is that it's flat wrong. There's > *nothing* to back it up, and in fact it's simply false. > > It's unjust to blame me for other people's bogus, evidence-free > claims about what they *imagine* I assumed. I don't think I can agree with that. I think it's good practice to preempt misunderstandings and to clarify your intent when they happen. From what I recall, you did do that, but in that clarification lied other problems. For instance: "It seems to me that the facts speak for themselves, and those facts naturally cast Raghav and Léo in a bad light." This phrase only serves to further cast Raghav and Léo in a bad light and should thus be avoided. A better way of phrasing this paragraph (assuming you were focused on the mistake, not who made it): "With very few exceptions, almost every sentence that I wrote was purely factual. I was not aiming to cast Raghav or Léo in a bad light, commits like these are dangerous regardless of who authors or signs them. It is important for us all to learn from this mistake and to not repeat it." The above, though not perfect (and I'd be happy for someone to point out flaws in them), would have taken some emotional weight off of Raghav and Léo and in my opinion made it easier to respond to the facts alone, the fact being that a poorly reviewed commit made it onto an important branch. > > > For what it's worth, I have *never* assumed bad faith, and I > > > don't > > > think I said anything to imply it either. > > > > > > > (or at the very least incompetence, which, if you are the party > > > > being accused, does not sound too nice either). > > > > > > I pointed out facts. I did not engage in speculation beyond the > > > facts. > > Well, you did fumble on those facts a little, because the true > > history > > of the misleading commits was only discovered later. > > I don't think I fumbled on the facts at all. It's true that I didn't > yet have _all_ of the relevant facts, but as far as I know, every > fact that I presented is true. > > If you disagree, can you please provide a counterexample? In your very first message you made it seems as though Raghav single- handedly authored and pushed the changes in question and called into question their reliability as a committer. The former was based on "facts", that turned out half-true – Raghav did push that commit, but they did so thinking that Léo did proper review, which they did not – and the latter was not a factual statement, but instead a "call for action" if you will or at least a point to start discussion. > > Either way, "just pointing out facts" is not an accurate > > assessment in my opinion; facts are nothing without interpretation, > > which see. > > I don't understand what you're getting at here. Can you please > elaborate? "Raghav pushed a misleading commit." This is fact. "This commit casts Raghav in a bad light". This is interpretation. I think it is important to distinguish statements of fact from statements of interpretation, but again, facts don't tell you how to interpret them. Your brain does that for you based on whatever bias you might or might not have. > > > Here, I think that you are making your own speculations based on > > > the facts that I uncovered, and are attributing those > > > speculations to me. That's unfair. Your speculations are not my > > > responsibility. > > > > > > Moreover, even if it were true that most people would make > > > similar speculations based on the facts I exposed, that's not my > > > responsibility either. > > > > > Here, I believe, you are wrong. If your audience is led to a > > certain view due to your speech, even if it's not something you > > explicitly stated, you are still the one who made them hold that > > view (or reinforced it, if they already held it before and you > > merely made a claim in support of their view). From an utilitarian > > point of view, it is the effects of your actions, that matter. > > For purposes of deciding what actions one should take to achieve a > certain goal, I certainly agree that what ultimately matters are the > predictable effects of one's actions, and not the intent behind them. > So, in that context, I agree with much of what you wrote above. > > However, if you mean to suggest that people should be held > accountable for all effects of their actions, I must *strenuously* > object. > > For example, if a speaker at a Black Lives Matter protest gives a > speech which recounts the many unjustifiable killings of innocent > black people by police, and later that day some of the people > attending the protest loot small businesses, I hope that we can agree > that it would be unjust to hold the speaker accountable for that. If the speakers encouraged or silently condoned looting, that would be their moral responsibility. I personally hold, that human lives matter more than items, so in my view the looting that the speaker may have caused is far outweighed by the lesser suffering of black people. If someone holds the opposite view, I encourage them to rather give their life when we start collectivizing toothbrushes. It will make things easier. > If speakers at a protest can be held accountable for the actions of > every person who attends the protest, then protests would > *effectively* become illegal, because the opposition can always hire > infiltrators to *ensure* that someone does something illegal. Note, that I am making a moral case here, not a legal one. Also, morally speaking, the opposition would be responsible not just for the damage they would cause, but also for the suffering of black people. To argue this in front of a court of law is harder, in particular as it requires solid evidence (or in the case that you are the opposition of a protest, planting thereof). For instance, I can state, that right- wing pundits encourage what has become collectively known as stochastic terrorism, but it would be difficult for me to prove that beyond reasonable doubt in front of a judge. > In this case, if I cannot point out a "cosmetic changes" commit that > removes security fixes without being accused of insinuating that the > person was acting in bad faith, then effectively it becomes unsafe > for me to point out breaches such as this one. You should absolutely point out bad commits, but please do so in a manner that doesn't cause excessive attention towards author or committer. It may have been necessary to state both at the start of the thread for context, but it should absolutely not have been necessary to continue doing so as the thread continues. In the end, I don't know what level of attention was or would have been appropriate here, but in my personal opinion lighting a focus on who committed those changes rather than the changes themselves, is a little distracting. Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 10:31 ` Leo Prikler @ 2021-05-03 9:00 ` Mark H Weaver 2021-05-03 9:59 ` Leo Prikler 0 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-05-03 9:00 UTC (permalink / raw) To: Leo Prikler, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Hi Leo, I think we're mostly going in circles at this point, so I think we should finish up this conversation, as Ludovic suggested. I'll let you have the last word on most of our conversation threads, but I feel compelled to briefly counter one claim of yours: Leo Prikler <leo.prikler@student.tugraz.at> writes: > Am Samstag, den 01.05.2021, 23:13 -0400 schrieb Mark H Weaver: >> I don't think I fumbled on the facts at all. It's true that I didn't >> yet have _all_ of the relevant facts, but as far as I know, every >> fact that I presented is true. >> >> If you disagree, can you please provide a counterexample? > > In your very first message you made it seems as though Raghav single- > handedly authored and pushed the changes in question and called into > question their reliability as a committer. The former was based on > "facts", that turned out half-true – Raghav did push that commit, but > they did so thinking that Léo did proper review, which they did not – Here, once again, you've failed to point out any of my *actual* words to back up your (bogus) claim that I "fumbled on the facts". Instead, you speak of how I "made it seem". You put more words into my mouth. That's not nice. Please stop it. Thanks, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-03 9:00 ` Mark H Weaver @ 2021-05-03 9:59 ` Leo Prikler 2021-05-03 17:00 ` Mark H Weaver 0 siblings, 1 reply; 96+ messages in thread From: Leo Prikler @ 2021-05-03 9:59 UTC (permalink / raw) To: Mark H Weaver, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Hi Mark, Am Montag, den 03.05.2021, 05:00 -0400 schrieb Mark H Weaver: > Leo Prikler <leo.prikler@student.tugraz.at> writes: > > > Am Samstag, den 01.05.2021, 23:13 -0400 schrieb Mark H Weaver: > > > I don't think I fumbled on the facts at all. It's true that I > > > didn't > > > yet have _all_ of the relevant facts, but as far as I know, every > > > fact that I presented is true. > > > > > > If you disagree, can you please provide a counterexample? > > > > In your very first message you made it seems as though Raghav > > single- > > handedly authored and pushed the changes in question and called > > into > > question their reliability as a committer. The former was based on > > "facts", that turned out half-true – Raghav did push that commit, > > but > > they did so thinking that Léo did proper review, which they did not > > – > > Here, once again, you've failed to point out any of my *actual* words > to back up your (bogus) claim that I "fumbled on the > facts". Instead, you speak of how I "made it seem". You put more > words into my mouth. If you want to read your actual words, they were > Behold, Raghav's "cosmetic changes" to our 'cairo' package Again, those were not Raghav's changes, they were added by Léo and "once again" pushed by Raghav, who trusted them on the matter. You made an incorrect assumption based on incomplete information. I call that fumbling. It was an honest mistake based on the facts you thought present at the time, but nonetheless a mistake. Please don't assume I'm acting in bad faith and throw around words like bogus lightly. I don't think I'm making any extraordinary claim here, my statements should follow from the words themselves or the interpretations of a casual observer. I am not aiming to grossly misrepresent you here, I'm trying to help you find an answer to the question > Is it possible that you read more in my messages than I > actually wrote? The answer is "Yes, always". People don't just derive raw information from messages, there's all sorts of other cues – including social cues – that swing with them. Even in newspaper articles or scientific literature, there is such a thing as framing. You absolutely have to consider many forms of subtext both when reading and when writing. I hope this clears up any remaining misconceptions. If not and you're fine having me as conversation partner, I'm still willing to answer (some) questions off-list. Again, I am not attacking you for calling attention to an objectively bad commit, I think it was right of you to do so. All of what I'm saying here should at worst be seen as "criticism of your tone". Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-03 9:59 ` Leo Prikler @ 2021-05-03 17:00 ` Mark H Weaver 0 siblings, 0 replies; 96+ messages in thread From: Mark H Weaver @ 2021-05-03 17:00 UTC (permalink / raw) To: Leo Prikler, Giovanni Biscuolo, Ludovic Courtès Cc: Guix Devel, GNU Guix maintainers Hi Leo, Leo Prikler <leo.prikler@student.tugraz.at> writes: > Am Montag, den 03.05.2021, 05:00 -0400 schrieb Mark H Weaver: >> Leo Prikler <leo.prikler@student.tugraz.at> writes: >> >> > Am Samstag, den 01.05.2021, 23:13 -0400 schrieb Mark H Weaver: >> > > I don't think I fumbled on the facts at all. It's true that I >> > > didn't yet have _all_ of the relevant facts, but as far as I >> > > know, every fact that I presented is true. >> > > >> > > If you disagree, can you please provide a counterexample? >> > >> > In your very first message you made it seems as though Raghav >> > single-handedly authored and pushed the changes in question and >> > called into question their reliability as a committer. The former >> > was based on "facts", that turned out half-true – Raghav did push >> > that commit, but they did so thinking that Léo did proper review, >> > which they did not – >> >> Here, once again, you've failed to point out any of my *actual* words >> to back up your (bogus) claim that I "fumbled on the >> facts". Instead, you speak of how I "made it seem". You put more >> words into my mouth. > If you want to read your actual words, they were >> Behold, Raghav's "cosmetic changes" to our 'cairo' package I don't know how the genitive case is used in German, but in English, it can mean a great many things, from possession (Mark's bicycle) to mere association (Mark's community of friends) and many other things. It certainly does *not* imply single-handed authorship as you suggest above. I'll grant that you are correct in your speculation that at the time I wrote the words above, in my *mind* I more-or-less assumed that Raghav had authored the commit. After all, Raghav digitally signed and pushed the commit, whose metadata indicated that he was the sole author. However, I never *wrote* anything that implied he was the sole author. Therefore, I still maintain that in my actual communications, I didn't "fumble on the facts" *at all*. I'm going to _try_ to refrain from responding again, because in order for this exchange to be finite, *one* of us must eventually let the other one have the final word. Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-01 23:15 ` Leo Prikler 2021-05-02 3:13 ` Mark H Weaver @ 2021-05-02 4:17 ` 宋文武 2021-05-02 4:31 ` Leo Famulari 2021-05-02 15:01 ` Leo Prikler [not found] ` <87czu9sr9k.fsf@outlook.com> 2 siblings, 2 replies; 96+ messages in thread From: 宋文武 @ 2021-05-02 4:17 UTC (permalink / raw) To: Leo Prikler; +Cc: Guix Devel, GNU Guix maintainers Leo Prikler <leo.prikler@student.tugraz.at> writes: > Hi Mark, > > Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: >> Hi Leo, >> >> Leo Prikler <leo.prikler@student.tugraz.at> writes: >> >> > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >> > > I also spent some time re-reading messages that Mark sent in this >> > > thread and, like him, I really don't understand what Mark did >> > > wrong. >> > > >> > > For sure Mark /insisted/ that Raghav and Léo did something wrong >> > > with >> > > some commits, we can say Mark did it being /direct/ and >> > > /accusatory/ >> > > but we cannot really say Mark assumed bad faith from them. >> > He did wrong insofar as his accusatory message read as though he >> > was >> > assuming bad faith Hello Leo, I see nothing wrong for assuming bad faith when security fixes of packages are removed, in the end the truth matter, which I believe is: You thought the patches for cario is not needed now on core-updates, so you remove them. > [...] > Well, you did fumble on those facts a little, because the true history > of the misleading commits was only discovered later. So did I in the > same thread. Either way, "just pointing out facts" is not an accurate > assessment in my opinion; facts are nothing without interpretation, > which see. Yes, you have to take actions based on interpretation to get more clues from existed facts to reach the truth. > [...] > Let it be said, that I don't condemn you for starting this thread. Not > only did it highlight an issue, that would otherwise have gone > unnoticed, I think most of the participants are now more acutely aware > of what might go wrong if they evade review. It is sad, that things > turned out the way they did, but despite what others might claim you > don't bear sole responsibility for that. Sure, I think we just lack some trust. With the trust, you'll know that Mark only want to confirm the truth with you and avoid this kind of issues in the future. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 4:17 ` 宋文武 @ 2021-05-02 4:31 ` Leo Famulari 2021-05-02 6:26 ` 宋文武 2021-05-02 15:01 ` Leo Prikler 1 sibling, 1 reply; 96+ messages in thread From: Leo Famulari @ 2021-05-02 4:31 UTC (permalink / raw) To: 宋文武; +Cc: Guix Devel, Leo Prikler, GNU Guix maintainers On Sun, May 02, 2021 at 12:17:59PM +0800, 宋文武 wrote: > Hello Leo, I see nothing wrong for assuming bad faith when security > fixes of packages are removed, in the end the truth matter, which I > believe is: You thought the patches for cario is not needed now on > core-updates, so you remove them. > > > > [...] > > Well, you did fumble on those facts a little, because the true history > > of the misleading commits was only discovered later. So did I in the > > same thread. Either way, "just pointing out facts" is not an accurate > > assessment in my opinion; facts are nothing without interpretation, > > which see. > > Yes, you have to take actions based on interpretation to get more clues > from existed facts to reach the truth. > > > [...] > > Let it be said, that I don't condemn you for starting this thread. Not > > only did it highlight an issue, that would otherwise have gone > > unnoticed, I think most of the participants are now more acutely aware > > of what might go wrong if they evade review. It is sad, that things > > turned out the way they did, but despite what others might claim you > > don't bear sole responsibility for that. > > Sure, I think we just lack some trust. With the trust, you'll know that > Mark only want to confirm the truth with you and avoid this kind of > issues in the future. To clarify, Leo Prikler is not the same person that was involved in removing the Cairo bug fixes. That was a different person, also named Leo. Not me, either :) ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 4:31 ` Leo Famulari @ 2021-05-02 6:26 ` 宋文武 0 siblings, 0 replies; 96+ messages in thread From: 宋文武 @ 2021-05-02 6:26 UTC (permalink / raw) To: Leo Famulari; +Cc: Guix Devel, Leo Prikler, GNU Guix maintainers Leo Famulari <leo@famulari.name> writes: > [...] > To clarify, Leo Prikler is not the same person that was involved in > removing the Cairo bug fixes. That was a different person, also named > Leo. > > Not me, either :) Um, my bad, thank you! ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 4:17 ` 宋文武 2021-05-02 4:31 ` Leo Famulari @ 2021-05-02 15:01 ` Leo Prikler 2021-05-02 19:29 ` Mark H Weaver 1 sibling, 1 reply; 96+ messages in thread From: Leo Prikler @ 2021-05-02 15:01 UTC (permalink / raw) To: 宋文武; +Cc: Guix Devel, GNU Guix maintainers Am Sonntag, den 02.05.2021, 12:17 +0800 schrieb 宋文武: > Hello Leo, I see nothing wrong for assuming bad faith when security > fixes of packages are removed, in the end the truth matter, which I > believe is: You thought the patches for cario is not needed now on > core-updates, so you remove them. > what I mean is "for assuming bad intent", or more clearly: "for > assuming that you remove thoese security patches to introduce > backdoors on purpose". I don't think Mark try to prove you're lying > from his messages, if that's what "assumed bad faith" means... Now, lfam has already pointed out, that I'm not Léo, but I don't think whether I am or am not matters much in this context. Let us assume for the sake of argument I were to introduce a bug into Guix. There are a number of ways this can happen, but let's focus on the important distinction here, which is me purposefully introducing that bug vs. it happening due to oversight. Let us imagine the following four scenarios: 1. You assume I'm acting in bad faith and I indeed am. 2. You assume I'm acting in bad faith and I am not. 3. You assume I'm acting in good faith and I am not. 4. You assume I'm acting in good faith and I am. In scenarios 1 and 4, your judgement is completely correct and we need not further discuss it. But what about 2 and 3? First, let's believe myself to be acting in bad faith while I am not. You will attack me for introducing a bug into Guix and (because you've already determined I'm acting in bad faith) strip me from commit rights. This can either be the end of the story or the start of a long rant started by me on how unfairly I was treated by Guix. Bad optics. Now let's say you assume I'm acting in good faith while I am not. You might want to (politely) ask me to come up with an explanation as to why I introduced this bug. I might respond or not. Depending on my response, you might even be fooled into believing I acted in good faith until I conveniently introduce another bug. At some point, you will probably have to conclude, that I'm not. In this scenario, I am kept around longer than necessary and my repeated introduction of bugs produces headaches to everyone, particularly when I circumvent the review process. To be honest, the way I presented 3, it looks very grim, but realistically speaking, I don't think all of the maintainers will be fooled for very long. With regards to the recent issue, we have a clear account from Raghav as to what happened as well as their statement, that they have since learned to be less misleading in their commit messages. I often collaborate with Raghav or review their patches and when doing so I can feel clear commitment from their side, but also a sense of eagerness, that at times I feel uneasy about. Rather than worrying, that they might intentionally do bad, I fear they might do bad out of haste and I'm still in the process of learning how to best communicate that to them. They are awfully fast at churning out patch sets and at times I find myself outpaced, especially recently, when Guix has not been the only project I'm working on. Writing long essays by email also takes precious time away from patch review, working on my own contributions or leisure. In short, I'm slowly starting to feel a little too stressed. But enough about my complaints. Long story short, I think we ought to assume good faith when engaging in criticism, so as to not discourage people, who otherwise do good work. Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 15:01 ` Leo Prikler @ 2021-05-02 19:29 ` Mark H Weaver 2021-05-02 20:09 ` Leo Prikler 2021-05-02 20:59 ` Ludovic Courtès 0 siblings, 2 replies; 96+ messages in thread From: Mark H Weaver @ 2021-05-02 19:29 UTC (permalink / raw) To: Leo Prikler, 宋文武; +Cc: Guix Devel, GNU Guix maintainers Hi Leo, Leo Prikler <leo.prikler@student.tugraz.at> writes: > Let us assume for > the sake of argument I were to introduce a bug into Guix. There are a > number of ways this can happen, but let's focus on the important > distinction here, which is me purposefully introducing that bug vs. it > happening due to oversight. > > Let us imagine the following four scenarios: > 1. You assume I'm acting in bad faith and I indeed am. > 2. You assume I'm acting in bad faith and I am not. > 3. You assume I'm acting in good faith and I am not. > 4. You assume I'm acting in good faith and I am. This is a false dilemma <https://en.wikipedia.org/wiki/False_dilemma>, because you've missed a very important case, namely: 5. You assume *nothing*. This is, in fact, the current scenario. I'm not making any assumptions. That is truly the state of my mind on this question, and I think it's the only rational position to take. In particular, I don't feel the need to introduce assumptions in order to justify my question in the opening email of this thread, namely whether someone who pushed a "cosmetic changes" commit that removes security fixes should have commit access. That question does _not_ imply that anyone acted in bad faith. From my perspective, it doesn't matter for our purposes. (Of course, it would be good to know, but I'd rather not be distracted by questions that we have little hope of ever answering.) My primary concern here is to protect our users, and the integrity of our systems and of Guix itself. I don't know how to do that if we tolerate committers who repeatedly push commits with misleading commit messages. In order for meaningful oversight of Guix to be practical, it is of *paramount* importance that the summary lines of commits be reasonably accurate. I have neither the time nor the interest in scrutinizing _every_ commit pushed to our repository, just in case the summary lines are misleading. Therefore, I claim that we *must not* tolerate committers who repeatedly push commits with misleading commit logs. We are lucky that this incident was discovered. There's no guarantee that the next one will be. This is _not_ about being a beginner. No technical expertise should have been required to avoid this incident, only some basic care before pushing commits. Even the most cursory glance at the commit log should have immediately raised red flags, because its summary line clearly contradicts the next few lines of the commit log itself: --8<---------------cut here---------------start------------->8--- gnu: cairo: Make some cosmetic changes. * gnu/packages/patches/cairo-CVE-2018-19876.patch, gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches. * gnu/local.mk (dist_patch_DATA): Unregister them. * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. [replacement]: Remove. (cairo/fixed): Remove. --8<---------------cut here---------------end--------------->8--- I don't know what went wrong here, but it doesn't really matter to me. Whatever the reason, I don't want someone who pushes commits like this to have commit access. If people want to condemn me for saying that, so be it. Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 19:29 ` Mark H Weaver @ 2021-05-02 20:09 ` Leo Prikler 2021-05-02 21:02 ` Mark H Weaver 2021-05-02 20:59 ` Ludovic Courtès 1 sibling, 1 reply; 96+ messages in thread From: Leo Prikler @ 2021-05-02 20:09 UTC (permalink / raw) To: Mark H Weaver, 宋文武; +Cc: Guix Devel, GNU Guix maintainers Hi Mark, Am Sonntag, den 02.05.2021, 15:29 -0400 schrieb Mark H Weaver: > Hi Leo, > > Leo Prikler <leo.prikler@student.tugraz.at> writes: > > > Let us assume for > > the sake of argument I were to introduce a bug into Guix. There > > are a > > number of ways this can happen, but let's focus on the important > > distinction here, which is me purposefully introducing that bug vs. > > it > > happening due to oversight. > > > > Let us imagine the following four scenarios: > > 1. You assume I'm acting in bad faith and I indeed am. > > 2. You assume I'm acting in bad faith and I am not. > > 3. You assume I'm acting in good faith and I am not. > > 4. You assume I'm acting in good faith and I am. > > This is a false dilemma <https://en.wikipedia.org/wiki/False_dilemma> > ;, > because you've missed a very important case, namely: > > 5. You assume *nothing*. I think you're nitpicking here. If "good faith vs. bad faith" is not a boolean value, I could also be acting without one or the other, but clearly I either have evil intentions or I don't – there's no middle ground. Likewise, there's no middle ground on assuming evil intentions, you either assume they exist or you don't. Of course, we could get into technicalities of how evil you assume my intentions to be, but that's not going to help us here. > This is, in fact, the current scenario. I'm not making any > assumptions. > That is truly the state of my mind on this question, and I think it's > the only rational position to take. Which one is the rational position now? Not assuming evil intentions or assuming them? > In particular, I don't feel the need to introduce assumptions in > order to justify my question in the opening email of this thread, > namely whether someone who pushed a "cosmetic changes" commit that > removes security fixes should have commit access. > > That question does _not_ imply that anyone acted in bad faith. From > my perspective, it doesn't matter for our purposes. (Of course, it > would be good to know, but I'd rather not be distracted by questions > that we have little hope of ever answering.) IIRC I already answered that question as one of the first things in this thread (before it got renamed), so I don't want to repeat myself at lengths here. > My primary concern here is to protect our users, and the integrity of > our systems and of Guix itself. I don't know how to do that if we > tolerate committers who repeatedly push commits with misleading > commit messages. > > In order for meaningful oversight of Guix to be practical, it is of > *paramount* importance that the summary lines of commits be > reasonably accurate. I have neither the time nor the interest in > scrutinizing _every_ commit pushed to our repository, just in case > the summary lines are misleading. Therefore, I claim that we *must > not* tolerate committers who repeatedly push commits with misleading > commit logs. > > We are lucky that this incident was discovered. There's no guarantee > that the next one will be. I'm not sure what you're trying to say here, but if it's something along the lines of "Raghav must not be trusted", I disagree. They themselves have stated, that they have since learned from their past mistakes and the only reason this commit was even introduced at this point was because one of their older commits did not receive careful review. > This is _not_ about being a beginner. No technical expertise should > have been required to avoid this incident, only some basic care > before pushing commits. Even the most cursory glance at the commit > log should have immediately raised red flags, because its summary > line clearly contradicts the next few lines of the commit log itself: > > --8<---------------cut here---------------start------------->8--- > gnu: cairo: Make some cosmetic changes. > > * gnu/packages/patches/cairo-CVE-2018-19876.patch, > gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches. > * gnu/local.mk (dist_patch_DATA): Unregister them. > * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. > [replacement]: Remove. > (cairo/fixed): Remove. > --8<---------------cut here---------------end--------------->8--- > > I don't know what went wrong here, but it doesn't really matter to > me. Whatever the reason, I don't want someone who pushes commits > like this to have commit access. If people want to condemn me for > saying that, so be it. I don't know why your rehashing this at this point, we went over this already. Please refer to Raghav's messages at the time, they were helpful in clearing up the matter. Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 20:09 ` Leo Prikler @ 2021-05-02 21:02 ` Mark H Weaver 2021-05-02 21:58 ` Leo Prikler 0 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-05-02 21:02 UTC (permalink / raw) To: Leo Prikler, 宋文武; +Cc: Guix Devel, GNU Guix maintainers Hi Leo, Leo Prikler <leo.prikler@student.tugraz.at> writes: > Am Sonntag, den 02.05.2021, 15:29 -0400 schrieb Mark H Weaver: >> >> Leo Prikler <leo.prikler@student.tugraz.at> writes: >> >> > Let us assume for the sake of argument I were to introduce a bug >> > into Guix. There are a number of ways this can happen, but let's >> > focus on the important distinction here, which is me purposefully >> > introducing that bug vs. it happening due to oversight. >> > >> > Let us imagine the following four scenarios: >> > 1. You assume I'm acting in bad faith and I indeed am. >> > 2. You assume I'm acting in bad faith and I am not. >> > 3. You assume I'm acting in good faith and I am not. >> > 4. You assume I'm acting in good faith and I am. >> >> This is a false dilemma <https://en.wikipedia.org/wiki/False_dilemma>, >> because you've missed a very important case, namely: >> >> 5. You assume *nothing*. > I think you're nitpicking here. I don't think so. > clearly I either have evil intentions or I don't – there's no middle > ground. Yes, I agree with this. > Likewise, there's no middle ground on assuming evil > intentions, you either assume they exist or you don't. That's true also, but this is a different dichotomy than the one you presented above. In the sentence above, the dichotomy is between: (1) You assume bad faith (2) You do not assume bad faith In your list of scenarios above, there's a (false) dichotomy between: (1) You assume bad faith (2) You assume good faith It's a false dichotomy because neither of these is the logical negation of the other. They cannot both be true, but they _can_ both be false. In other words, I think that you have conflated "not assuming bad faith" with "assuming good faith". Do you see the difference? This is not mere nitpicking. It's a very important distinction. It's analogous to being forced to choose between "faith in god" and "atheism", without allowing for the possibility of "agnosticism". Does that make sense? >> This is, in fact, the current scenario. I'm not making any >> assumptions. >> That is truly the state of my mind on this question, and I think it's >> the only rational position to take. > Which one is the rational position now? Not assuming evil intentions > or assuming them? I think the only rational position to take here is to not make assumptions. Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 21:02 ` Mark H Weaver @ 2021-05-02 21:58 ` Leo Prikler 0 siblings, 0 replies; 96+ messages in thread From: Leo Prikler @ 2021-05-02 21:58 UTC (permalink / raw) To: Mark H Weaver, 宋文武; +Cc: Guix Devel, GNU Guix maintainers Hi Mark, Am Sonntag, den 02.05.2021, 17:02 -0400 schrieb Mark H Weaver: > Hi Leo, > > Leo Prikler <leo.prikler@student.tugraz.at> writes: > > > Am Sonntag, den 02.05.2021, 15:29 -0400 schrieb Mark H Weaver: > > > > Likewise, there's no middle ground on assuming evil > > intentions, you either assume they exist or you don't. > > That's true also, but this is a different dichotomy than the one you > presented above. In the sentence above, the dichotomy is between: > > (1) You assume bad faith > (2) You do not assume bad faith > > In your list of scenarios above, there's a (false) dichotomy between: > > (1) You assume bad faith > (2) You assume good faith > > It's a false dichotomy because neither of these is the logical > negation of the other. They cannot both be true, but they _can_ both > be false. > > In other words, I think that you have conflated "not assuming bad > faith" with "assuming good faith". Do you see the difference? > > This is not mere nitpicking. It's a very important distinction. > It's analogous to being forced to choose between "faith in god" and > "atheism", without allowing for the possibility of "agnosticism". > > Does that make sense? When it comes to interactions, "good faith" is defined as being "fair, open and honest". Negate any of these, and you arrive at some form of bad faith. I think more commonly "bad faith" means that the honesty is negated, while openness is contrasted with lack of transparency and fairness with unfairness. You could say "Well, technically, I don't know whether they're being honest", and that is correct, but it is also a form of casting doubt, which I would argue constitutes an assumption of bad faith. Of course, "you're not sure about it", but the other party is still guilty until proven innocent. I'm not sure what definitions of "good" and "bad" faith you're using, but please consider that I meant "acting in bad faith" to be the same as "not acting in good faith". > > > This is, in fact, the current scenario. I'm not making any > > > assumptions. That is truly the state of my mind on this > > > question, and I think it's the only rational position to take. > > Which one is the rational position now? Not assuming evil > > intentions or assuming them? > > I think the only rational position to take here is to not make > assumptions. You're always making an assumption, however. Even if it's not one governed by the situation at hand, you have a natural bias to trust or distrust others in their words. Claiming you don't is misleading yourself and others. Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 19:29 ` Mark H Weaver 2021-05-02 20:09 ` Leo Prikler @ 2021-05-02 20:59 ` Ludovic Courtès 2021-05-02 21:23 ` Mark H Weaver 1 sibling, 1 reply; 96+ messages in thread From: Ludovic Courtès @ 2021-05-02 20:59 UTC (permalink / raw) To: Mark H Weaver Cc: 宋文武, Leo Prikler, GNU Guix maintainers, Guix Devel Leo, Mark, Mark H Weaver <mhw@netris.org> skribis: > This is a false dilemma <https://en.wikipedia.org/wiki/False_dilemma>, > because you've missed a very important case, namely: > > 5. You assume *nothing*. I’m sorry to inform you that this is not a philosophy or linguistics mailing list. I invite you to continue this discussion off-list. We have a release coming up that needs everyone’s focus and attention. :-) Thanks in advance! Ludo’. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) 2021-05-02 20:59 ` Ludovic Courtès @ 2021-05-02 21:23 ` Mark H Weaver 0 siblings, 0 replies; 96+ messages in thread From: Mark H Weaver @ 2021-05-02 21:23 UTC (permalink / raw) To: Ludovic Courtès Cc: 宋文武, Leo Prikler, GNU Guix maintainers, Guix Devel Hi Ludovic, Ludovic Courtès <ludo@gnu.org> writes: > I’m sorry to inform you that this is not a philosophy or linguistics > mailing list. *lol* Indeed, this conversation has wandered quite far off-topic. Thanks for stepping in. > I invite you to continue this discussion off-list. We have a release > coming up that needs everyone’s focus and attention. :-) Sounds good to me. Let's get back to work :) Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>. ^ permalink raw reply [flat|nested] 96+ messages in thread
[parent not found: <87czu9sr9k.fsf@outlook.com>]
* Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes) [not found] ` <87czu9sr9k.fsf@outlook.com> @ 2021-05-02 4:33 ` 宋文武 0 siblings, 0 replies; 96+ messages in thread From: 宋文武 @ 2021-05-02 4:33 UTC (permalink / raw) To: Leo Prikler; +Cc: Guix Devel, GNU Guix maintainers 宋文武 <iyzsong@outlook.com> writes: > Leo Prikler <leo.prikler@student.tugraz.at> writes: > >> Hi Mark, >> >> Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: >>> Hi Leo, >>> >>> Leo Prikler <leo.prikler@student.tugraz.at> writes: >>> >>> > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >>> > > I also spent some time re-reading messages that Mark sent in this >>> > > thread and, like him, I really don't understand what Mark did >>> > > wrong. >>> > > >>> > > For sure Mark /insisted/ that Raghav and Léo did something wrong >>> > > with >>> > > some commits, we can say Mark did it being /direct/ and >>> > > /accusatory/ >>> > > but we cannot really say Mark assumed bad faith from them. >>> > He did wrong insofar as his accusatory message read as though he >>> > was >>> > assuming bad faith > > Hello Leo, I see nothing wrong for assuming bad faith when security > fixes of packages are removed, in the end the truth matter, which I > believe is: You thought the patches for cario is not needed now on > core-updates, so you remove them. Sorry, I'm not a native English speaker, what I mean is "for assuming bad intent", or more clearly: "for assuming that you remove thoese security patches to introduce backdoors on purpose". I don't think Mark try to prove you're lying from his messages, if that's what "assumed bad faith" means... ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) 2021-04-22 20:06 ` Léo Le Bouter 2021-04-22 21:24 ` Ricardo Wurmus 2021-04-22 21:33 ` Mark H Weaver @ 2021-04-22 21:51 ` Ludovic Courtès 2 siblings, 0 replies; 96+ messages in thread From: Ludovic Courtès @ 2021-04-22 21:51 UTC (permalink / raw) To: Guix Devel; +Cc: Raghav Gururajan, Leo Prikler Hi Guix! Thanks Mark for raising these issues. I definitely share your concerns, specifically regarding the two commits you mentioned and how they misleadingly have undesirable consequences: https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=f5fc3c609e2f38ca1c0523deadb9f77d838fbf32 I believe all the parties involved behaved in good faith and I’m more interested in (1) fixing these two mistakes, and (2) making sure this doesn’t happen again in the future. Regarding #1, I see 宋文武 (iyzsong) proposed a patch that reinstates the Cairo security fixes, so it seems we’re on the right track. Raghav, could you post a patch reinstating the gdk-pixbuf security fix removed in f5fc3c609e2f38ca1c0523deadb9f77d838fbf32? If that commit is only on ‘wip-gnome’, can you simply drop it? (The convention is that a ‘wip-’ branch may be rebased at will by the person responsible for it.) Could you also check ‘wip-gnome’ and ‘core-updates’ for similar “cosmetic changes” commits likely to be controversial? Regarding #2, everyone please keep in mind the commit rules¹. We’re all pouring hours of our time into this. It’s a social project before being a technical one, so it’s crucial to not step on each other’s toes. As per these rules, ‘wip-gnome’ will have to go through review as usual. As always, it’s best if you can submit it for review in small chunks. Note that review has to happen via guix-patches@gnu.org so everyone in the project can see it and has a chance to chime in. You can have pre-review/mentoring elsewhere if you want (it’s great if you can have that), but it “doesn’t count” from the project’s viewpoint. I think committers and particularly vouchers should spend more time reviewing and mentoring newcomers. Regarding commit logs, we only add a ‘Signed-off-by’ line when applying someone else’s patches; let’s keep following that rule, for clarity. For the subject line: as 宋文武 wrote, as a rule of thumb, if you cannot summarize the change in the subject line, that probably means the patch should be split into smaller logical units. More generally, never bundle together unrelated changes in the same commit, as per: https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html Here are additional rules I try to follow for the commit message and that I’d recommend following: 1. Never write “cosmetic changes” as the summary: it’s too vague. Instead, be more specific: “reindent foo.scm”, “remove unused module imports”, whatever. 2. Never write “Fix X”. Instead describe the fix: “Avoid non-top-level 'use-modules'”, “Remove file that no longer exists”, “Honor proxy settings”, “Disable tests when building on i586-gnu”, etc. In all these examples I could have written “Fix …”, but fellow hackers would have had to look at the diff to understand what’s going on. A long message! Let’s calm down and focus the way forward: fixing the security issues that were reported, checking whether similar ones are lurking, and improving our practices. If you feel the need for it, feel free to propose improvements to the “Commit Access” and “Submitting Patches” sections, too! Thanks in advance. :-) Ludo’. ¹ https://guix.gnu.org/manual/en/html_node/Commit-Access.html ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 17:21 ` Mark H Weaver 2021-04-22 17:40 ` Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) Mark H Weaver @ 2021-04-22 21:49 ` Raghav Gururajan 2021-04-24 8:09 ` Mark H Weaver 1 sibling, 1 reply; 96+ messages in thread From: Raghav Gururajan @ 2021-04-22 21:49 UTC (permalink / raw) To: Guix Devel Cc: Mark H Weaver, Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari, Léo Le Bouter [-- Attachment #1.1: Type: text/plain, Size: 1189 bytes --] Hi Mark! > Thank you for these links. From the IRC log cited above, it now appears > that Léo Le Bouter <lle-bout@zaclys.net> bears primary responsibility > for these mistakes. In particular, according to the IRC > logs, Léo wrote: > > <lle-bout> raghavgururajan: the main issues on the rebasing were about > security fixes on cairo, gdk-pixbuf and glib > <lle-bout> I modified the cosmetic commits to remove the graft and > patches etc. > > <https://logs.guix.gnu.org/guix/2021-03-26.log#000950> Yes, Leo made these changes. But I also have to acknowledge that it was part of my responsibility to question any changes. My apologies for that. Leo was occupied with many stuff on those days (with CVE bug hunting etc.). Its understandable that it was a honest mistake. > Nonetheless, you (Raghav) also bear some responsibility for digitally > signing and pushing these misleading commits to the 'wip-gnome' branch. > At least one of the problems (the misleading summary line) should have > been obvious from a cursory glance at the commit log. Yes, my apologies. I will merge fix commits from core-updates to wip-gnome. Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 21:49 ` A "cosmetic changes" commit that removes security fixes Raghav Gururajan @ 2021-04-24 8:09 ` Mark H Weaver 2021-04-30 0:58 ` aviva 0 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-04-24 8:09 UTC (permalink / raw) To: Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Hi Raghav, Raghav Gururajan <rg@raghavgururajan.name> writes: >> Thank you for these links. From the IRC log cited above, it now appears >> that Léo Le Bouter <lle-bout@zaclys.net> bears primary responsibility >> for these mistakes. In particular, according to the IRC >> logs, Léo wrote: >> >> <lle-bout> raghavgururajan: the main issues on the rebasing were about >> security fixes on cairo, gdk-pixbuf and glib >> <lle-bout> I modified the cosmetic commits to remove the graft and >> patches etc. >> >> <https://logs.guix.gnu.org/guix/2021-03-26.log#000950> > Yes, Leo made these changes. But I also have to acknowledge that it was > part of my responsibility to question any changes. My apologies for > that. Thank you for this acknowledgment, Raghav. Your recent responses in this thread have been commendable. Regards, Mark -- Support Richard Stallman against the vicious disinformation campaign against him and the FSF. See <https://stallmansupport.org> for more. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-24 8:09 ` Mark H Weaver @ 2021-04-30 0:58 ` aviva 0 siblings, 0 replies; 96+ messages in thread From: aviva @ 2021-04-30 0:58 UTC (permalink / raw) To: guix-devel On 4/24/21 4:09 AM, Mark H Weaver wrote: > Your recent responses in > this thread have been commendable. by who? ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 4:05 ` Raghav Gururajan 2021-04-22 4:33 ` Mark H Weaver 2021-04-22 17:21 ` Mark H Weaver @ 2021-04-22 18:37 ` Leo Famulari 2021-04-22 18:48 ` Mark H Weaver 2021-04-22 21:50 ` Raghav Gururajan 2 siblings, 2 replies; 96+ messages in thread From: Leo Famulari @ 2021-04-22 18:37 UTC (permalink / raw) To: Raghav Gururajan; +Cc: Guix Devel, Leo Prikler On Thu, Apr 22, 2021 at 12:05:36AM -0400, Raghav Gururajan wrote: > Okay, I was able to retrace. When Leo and I were working outside savannah, > there was master --> core-updates merge. Leo made these changes when he > committed to his repo > (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I pulled > then format-patched and sent it to guix-patches > (https://issues.guix.gnu.org/42958#64). From guix-patches it was then pushed > to core-updates (https://issues.guix.gnu.org/42958#67), from where I > cherry-picked into wip-gnome. Mark, Do you know if the security fixes under discussion are necessary on core-updates? Raghav and Léo, is wip-gnome based on core-updates? ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 18:37 ` Leo Famulari @ 2021-04-22 18:48 ` Mark H Weaver 2021-04-22 21:50 ` Raghav Gururajan 1 sibling, 0 replies; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 18:48 UTC (permalink / raw) To: Leo Famulari, Raghav Gururajan; +Cc: Guix Devel, Leo Prikler Hi Leo, Leo Famulari <leo@famulari.name> writes: > On Thu, Apr 22, 2021 at 12:05:36AM -0400, Raghav Gururajan wrote: >> Okay, I was able to retrace. When Leo and I were working outside savannah, >> there was master --> core-updates merge. Leo made these changes when he >> committed to his repo >> (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I pulled >> then format-patched and sent it to guix-patches >> (https://issues.guix.gnu.org/42958#64). From guix-patches it was then pushed >> to core-updates (https://issues.guix.gnu.org/42958#67), from where I >> cherry-picked into wip-gnome. > > Mark, > > Do you know if the security fixes under discussion are necessary on > core-updates? The 'cairo' fixes are certainly still needed, because there has been no upstream stable release of 'cairo' since the version (1.16.0) on our 'master' branch. 宋文武 proposed a patch to re-apply the fixes on 'core-updates', here: https://lists.gnu.org/archive/html/guix-devel/2021-04/msg00361.html A similar patch will be needed for 'wip-gnome' as well. I'm not sure about the other packages off-hand, but both 'glib' and 'gdk-pixbuf' were ultimately updated to newer versions, so I guess it's likely that they're okay (although I haven't verified this). Thanks, Mark -- Support Richard Stallman against the vicious misinformation campaign against him and the FSF. See <https://stallmansupport.org> for more. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 18:37 ` Leo Famulari 2021-04-22 18:48 ` Mark H Weaver @ 2021-04-22 21:50 ` Raghav Gururajan 1 sibling, 0 replies; 96+ messages in thread From: Raghav Gururajan @ 2021-04-22 21:50 UTC (permalink / raw) To: Leo Famulari Cc: Mark H Weaver, Guix Devel, Tobias Geerinckx-Rice, Leo Prikler, Léo Le Bouter [-- Attachment #1.1: Type: text/plain, Size: 174 bytes --] Hi Leo! > Raghav and Léo, is wip-gnome based on core-updates? It was based on core-updates, but I recently re-created wip-gnome based on master. Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 3:17 ` Raghav Gururajan 2021-04-22 4:05 ` Raghav Gururajan @ 2021-04-22 4:08 ` Mark H Weaver 2021-04-22 11:39 ` 宋文武 2021-04-22 20:01 ` Léo Le Bouter 1 sibling, 2 replies; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 4:08 UTC (permalink / raw) To: Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Hi Raghav, Raghav Gururajan <rg@raghavgururajan.name> writes: >> Those commits on 'core-updates' were digitally signed by Léo Le Bouter >> <lle-bout@zaclys.net> and have the same problems: they remove security >> fixes, and yet the summary lines indicate that only "cosmetic changes" >> were made. > > Yeah, the commit title didn't mention the change but the commit message did. I'm sorry, but that won't do. There are at least three things wrong with these commits: (1) The summary lines were misleading, because they implied that no functional changes were made. (2) The commit messages were misleading, because they failed to mention that security holes which had previously been fixed were now being re-introduced. That wasn't at all obvious. Commits like these, which remove patches that had fixed security flaws, are fairly common: someone casually looking over the commit log might assume that the patches could be safely removed because a version update was done at the same time, rendering those patches obsolete. (3) Although your 'glib' commit was immediately followed by a 'glib' update, rendering it harmless, your misleading 'cairo' commit left 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our 'core-updates' and 'wip-gnome' branches. Those will need to be fixed now. Léo Le Bouter <lle-bout@zaclys.net> is also culpable here, because he digitally signed the misleading 'cairo' commit that's on our 'core-updates' branch, which re-introduced CVE-2018-19876 and CVE-2020-35492. --8<---------------cut here---------------start------------->8--- commit f94cdc86f644984ca83164d40b17e7eed6e22091 gpg: Signature made Fri 26 Mar 2021 05:13:57 PM EDT gpg: using RSA key 148BCB8BD80BFB16B1DE0E9145A8B1E86BCD10A6 gpg: Good signature from "Léo Le Bouter <lle-bout@zaclys.net>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 148B CB8B D80B FB16 B1DE 0E91 45A8 B1E8 6BCD 10A6 Author: Raghav Gururajan <raghavgururajan@disroot.org> Date: Fri Dec 4 00:48:43 2020 -0500 gnu: cairo: Make some cosmetic changes. * gnu/packages/patches/cairo-CVE-2018-19876.patch, gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches. * gnu/local.mk (dist_patch_DATA): Unregister them. * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. [replacement]: Remove. (cairo/fixed): Remove. Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net> --8<---------------cut here---------------end--------------->8--- https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091 Even the most superficial skimming of this commit should have immediately raised red flags, because the summary line is clearly inaccurate. It shows a lack of careful review, to put it mildly. Mark ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 4:08 ` Mark H Weaver @ 2021-04-22 11:39 ` 宋文武 2021-04-22 13:28 ` Mark H Weaver 2021-04-22 20:01 ` Léo Le Bouter 1 sibling, 1 reply; 96+ messages in thread From: 宋文武 @ 2021-04-22 11:39 UTC (permalink / raw) To: Mark H Weaver; +Cc: Guix Devel, Raghav Gururajan, Leo Prikler [-- Attachment #1: Type: text/plain, Size: 1729 bytes --] Mark H Weaver <mhw@netris.org> writes: > Hi Raghav, > > Raghav Gururajan <rg@raghavgururajan.name> writes: > >>> Those commits on 'core-updates' were digitally signed by Léo Le Bouter >>> <lle-bout@zaclys.net> and have the same problems: they remove security >>> fixes, and yet the summary lines indicate that only "cosmetic changes" >>> were made. >> >> Yeah, the commit title didn't mention the change but the commit message did. > > I'm sorry, but that won't do. There are at least three things wrong > with these commits: > > (1) The summary lines were misleading, because they implied that no > functional changes were made. Yes, if the title can't summary the change, then the change should be splited into multiple commits. > > (2) The commit messages were misleading, because they failed to mention > that security holes which had previously been fixed were now being > re-introduced. That wasn't at all obvious. > > Commits like these, which remove patches that had fixed security > flaws, are fairly common: someone casually looking over the commit > log might assume that the patches could be safely removed because a > version update was done at the same time, rendering those patches > obsolete. Agree, I think we should mention explicitly that those patches are now not needed after some code audit. > > (3) Although your 'glib' commit was immediately followed by a 'glib' > update, rendering it harmless, your misleading 'cairo' commit left > 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our > 'core-updates' and 'wip-gnome' branches. Those will need to be > fixed now. This patch is for core-updates: [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-gnu-cairo-Reintroduce-security-patches-security-fixe.patch --] [-- Type: text/x-patch, Size: 5364 bytes --] From 15e28e84eaea8f68b6247ab53052f0dd50a544b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@member.fsf.org> Date: Thu, 22 Apr 2021 19:21:51 +0800 Subject: [PATCH] gnu: cairo: Reintroduce security patches [security fixes]. Two patches were accidentally removed in commit f94cdc86f644984ca83164d40b17e7eed6e22091. * gnu/packages/patches/cairo-CVE-2018-19876.patch, gnu/packages/patches/cairo-CVE-2020-35492.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gtk.scm (cairo)[patches]: Apply them. --- gnu/local.mk | 2 + gnu/packages/gtk.scm | 5 +- .../patches/cairo-CVE-2018-19876.patch | 37 ++++++++++++++ .../patches/cairo-CVE-2020-35492.patch | 49 +++++++++++++++++++ 4 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/cairo-CVE-2018-19876.patch create mode 100644 gnu/packages/patches/cairo-CVE-2020-35492.patch diff --git a/gnu/local.mk b/gnu/local.mk index a8dd66f34a..39b2b72a42 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -880,6 +880,8 @@ dist_patch_DATA = \ %D%/packages/patches/bpftrace-disable-bfd-disasm.patch \ %D%/packages/patches/busybox-CVE-2021-28831.patch \ %D%/packages/patches/byobu-writable-status.patch \ + %D%/packages/patches/cairo-CVE-2018-19876.patch \ + %D%/packages/patches/cairo-CVE-2020-35492.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-sqlite.patch \ %D%/packages/patches/calibre-remove-test-unrar.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 9f3aea4aca..f70e667115 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -142,7 +142,10 @@ tools have full access to view and control running applications.") (string-append "https://cairographics.org/releases/cairo-" version ".tar.xz")) (sha256 - (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")))) + (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")) + (patches (search-patches + "cairo-CVE-2018-19876.patch" + "cairo-CVE-2020-35492.patch")))) (build-system glib-or-gtk-build-system) (outputs '("out" "doc")) (arguments diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch b/gnu/packages/patches/cairo-CVE-2018-19876.patch new file mode 100644 index 0000000000..c0fba2ecaa --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2018-19876.patch @@ -0,0 +1,37 @@ +Copied from Debian. + +From: Carlos Garcia Campos <cgarcia@igalia.com> +Date: Mon, 19 Nov 2018 12:33:07 +0100 +Subject: ft: Use FT_Done_MM_Var instead of free when available in + cairo_ft_apply_variations + +Fixes a crash when using freetype >= 2.9 + +[This is considered to be security-sensitive because WebKitGTK+ sets its +own memory allocator, which is not compatible with system free(), making +this a remotely triggerable denial of service or memory corruption.] + +Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645 +Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5 +Bug-Debian: https://bugs.debian.org/916389 +Bug-CVE: CVE-2018-19876 +--- + src/cairo-ft-font.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c +index 325dd61..981973f 100644 +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ skip: + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch b/gnu/packages/patches/cairo-CVE-2020-35492.patch new file mode 100644 index 0000000000..e8b90fa5c5 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2020-35492.patch @@ -0,0 +1,49 @@ +Copied from Debian. + +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <heiko.lewin@worldiety.de> +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[trimmed test case, since not used in Debian build] + +--- + src/cairo-image-compositor.c | 8 ++-- + +--- cairo-1.16.0.orig/src/cairo-image-compositor.c ++++ cairo-1.16.0/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; -- 2.30.0 [-- Attachment #3: Type: text/plain, Size: 41 bytes --] We should be more careful next time... ^ permalink raw reply related [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 11:39 ` 宋文武 @ 2021-04-22 13:28 ` Mark H Weaver 0 siblings, 0 replies; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 13:28 UTC (permalink / raw) To: 宋文武; +Cc: Guix Devel, Raghav Gururajan, Leo Prikler Hi, 宋文武 <iyzsong@outlook.com> writes: > This patch is for core-updates: > From 15e28e84eaea8f68b6247ab53052f0dd50a544b2 Mon Sep 17 00:00:00 2001 > From: 宋文武 <iyzsong@member.fsf.org> > Date: Thu, 22 Apr 2021 19:21:51 +0800 > Subject: [PATCH] gnu: cairo: Reintroduce security patches [security fixes]. > > Two patches were accidentally removed in commit > f94cdc86f644984ca83164d40b17e7eed6e22091. > > * gnu/packages/patches/cairo-CVE-2018-19876.patch, > gnu/packages/patches/cairo-CVE-2020-35492.patch: New files. > * gnu/local.mk (dist_patch_DATA): Add them. > * gnu/packages/gtk.scm (cairo)[patches]: Apply them. Looks good to me. Please push! Thanks, Mark ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 4:08 ` Mark H Weaver 2021-04-22 11:39 ` 宋文武 @ 2021-04-22 20:01 ` Léo Le Bouter 2021-04-22 21:08 ` Christopher Baines ` (2 more replies) 1 sibling, 3 replies; 96+ messages in thread From: Léo Le Bouter @ 2021-04-22 20:01 UTC (permalink / raw) To: Mark H Weaver, Raghav Gururajan, Guix Devel Cc: Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari [-- Attachment #1: Type: text/plain, Size: 3662 bytes --] On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote: > Hi Raghav, > > Raghav Gururajan <rg@raghavgururajan.name> writes: > > > > Those commits on 'core-updates' were digitally signed by Léo Le > > > Bouter > > > <lle-bout@zaclys.net> and have the same problems: they remove > > > security > > > fixes, and yet the summary lines indicate that only "cosmetic > > > changes" > > > were made. > > > > Yeah, the commit title didn't mention the change but the commit > > message did. > > I'm sorry, but that won't do. There are at least three things wrong > with these commits: > > (1) The summary lines were misleading, because they implied that no > functional changes were made. > > (2) The commit messages were misleading, because they failed to > mention > that security holes which had previously been fixed were now > being > re-introduced. That wasn't at all obvious. > > Commits like these, which remove patches that had fixed security > flaws, are fairly common: someone casually looking over the > commit > log might assume that the patches could be safely removed because > a > version update was done at the same time, rendering those patches > obsolete. > > (3) Although your 'glib' commit was immediately followed by a 'glib' > update, rendering it harmless, your misleading 'cairo' commit > left > 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our > 'core-updates' and 'wip-gnome' branches. Those will need to be > fixed now. > > Léo Le Bouter <lle-bout@zaclys.net> is also culpable here, because he > digitally signed the misleading 'cairo' commit that's on our > 'core-updates' branch, which re-introduced CVE-2018-19876 and > CVE-2020-35492. > > --8<---------------cut here---------------start------------->8--- > commit f94cdc86f644984ca83164d40b17e7eed6e22091 > gpg: Signature made Fri 26 Mar 2021 05:13:57 PM EDT > gpg: using RSA key > 148BCB8BD80BFB16B1DE0E9145A8B1E86BCD10A6 > gpg: Good signature from "Léo Le Bouter <lle-bout@zaclys.net>" > [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to > the owner. > Primary key fingerprint: 148B CB8B D80B FB16 B1DE 0E91 45A8 B1E8 > 6BCD 10A6 > Author: Raghav Gururajan <raghavgururajan@disroot.org> > Date: Fri Dec 4 00:48:43 2020 -0500 > > gnu: cairo: Make some cosmetic changes. > > * gnu/packages/patches/cairo-CVE-2018-19876.patch, > gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches. > * gnu/local.mk (dist_patch_DATA): Unregister them. > * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. > [replacement]: Remove. > (cairo/fixed): Remove. > > Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net> > --8<---------------cut here---------------end--------------->8--- > > https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091 > > Even the most superficial skimming of this commit should have > immediately raised red flags, because the summary line is clearly > inaccurate. It shows a lack of careful review, to put it mildly. > > Mark Hello Mark, I don't share your analysis, the security fixes werent stripped because glib/cairo was also updated to latest version in subsequent commits which were pushed all at once. Careful review was done, and that's why I signed-off and GPG-signed the commits. Nobody was put at risk by these commits and no security fixes were stripped. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 20:01 ` Léo Le Bouter @ 2021-04-22 21:08 ` Christopher Baines 2021-04-22 21:09 ` Leo Prikler 2021-04-22 21:21 ` Mark H Weaver 2 siblings, 0 replies; 96+ messages in thread From: Christopher Baines @ 2021-04-22 21:08 UTC (permalink / raw) To: Léo Le Bouter; +Cc: Raghav Gururajan, Leo Prikler, guix-devel [-- Attachment #1: Type: text/plain, Size: 4270 bytes --] Léo Le Bouter <lle-bout@zaclys.net> writes: > On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote: >> Hi Raghav, >> >> Raghav Gururajan <rg@raghavgururajan.name> writes: >> >> > > Those commits on 'core-updates' were digitally signed by Léo Le >> > > Bouter >> > > <lle-bout@zaclys.net> and have the same problems: they remove >> > > security >> > > fixes, and yet the summary lines indicate that only "cosmetic >> > > changes" >> > > were made. >> > >> > Yeah, the commit title didn't mention the change but the commit >> > message did. >> >> I'm sorry, but that won't do. There are at least three things wrong >> with these commits: >> >> (1) The summary lines were misleading, because they implied that no >> functional changes were made. >> >> (2) The commit messages were misleading, because they failed to >> mention >> that security holes which had previously been fixed were now >> being >> re-introduced. That wasn't at all obvious. >> >> Commits like these, which remove patches that had fixed security >> flaws, are fairly common: someone casually looking over the >> commit >> log might assume that the patches could be safely removed because >> a >> version update was done at the same time, rendering those patches >> obsolete. >> >> (3) Although your 'glib' commit was immediately followed by a 'glib' >> update, rendering it harmless, your misleading 'cairo' commit >> left >> 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our >> 'core-updates' and 'wip-gnome' branches. Those will need to be >> fixed now. >> >> Léo Le Bouter <lle-bout@zaclys.net> is also culpable here, because he >> digitally signed the misleading 'cairo' commit that's on our >> 'core-updates' branch, which re-introduced CVE-2018-19876 and >> CVE-2020-35492. >> >> --8<---------------cut here---------------start------------->8--- >> commit f94cdc86f644984ca83164d40b17e7eed6e22091 >> gpg: Signature made Fri 26 Mar 2021 05:13:57 PM EDT >> gpg: using RSA key >> 148BCB8BD80BFB16B1DE0E9145A8B1E86BCD10A6 >> gpg: Good signature from "Léo Le Bouter <lle-bout@zaclys.net>" >> [unknown] >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to >> the owner. >> Primary key fingerprint: 148B CB8B D80B FB16 B1DE 0E91 45A8 B1E8 >> 6BCD 10A6 >> Author: Raghav Gururajan <raghavgururajan@disroot.org> >> Date: Fri Dec 4 00:48:43 2020 -0500 >> >> gnu: cairo: Make some cosmetic changes. >> >> * gnu/packages/patches/cairo-CVE-2018-19876.patch, >> gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches. >> * gnu/local.mk (dist_patch_DATA): Unregister them. >> * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. >> [replacement]: Remove. >> (cairo/fixed): Remove. >> >> Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net> >> --8<---------------cut here---------------end--------------->8--- >> >> https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091 >> >> Even the most superficial skimming of this commit should have >> immediately raised red flags, because the summary line is clearly >> inaccurate. It shows a lack of careful review, to put it mildly. >> >> Mark > > Hello Mark, > > I don't share your analysis, the security fixes werent stripped because > glib/cairo was also updated to latest version in subsequent commits > which were pushed all at once. > > Careful review was done, and that's why I signed-off and GPG-signed the > commits. Nobody was put at risk by these commits and no security fixes > were stripped. I think the guidance is that commits should include one set of related changes, so if the patches/replacement can be removed because the package is being updated, those related changes should be in the same commit. If there are other unrelated changes, they can go in other commits. Especially if the commits are being pushed at the same time, it's worth making sure this happens, so that it's easier to review and look at the changes in a sensible way. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 987 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 20:01 ` Léo Le Bouter 2021-04-22 21:08 ` Christopher Baines @ 2021-04-22 21:09 ` Leo Prikler 2021-04-22 21:21 ` Mark H Weaver 2 siblings, 0 replies; 96+ messages in thread From: Leo Prikler @ 2021-04-22 21:09 UTC (permalink / raw) To: Léo Le Bouter, Mark H Weaver, Raghav Gururajan, Guix Devel Am Donnerstag, den 22.04.2021, 22:01 +0200 schrieb Léo Le Bouter: > On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote: > > Hi Raghav, > > > > Raghav Gururajan <rg@raghavgururajan.name> writes: > > > > > > Those commits on 'core-updates' were digitally signed by Léo Le > > > > Bouter > > > > <lle-bout@zaclys.net> and have the same problems: they remove > > > > security > > > > fixes, and yet the summary lines indicate that only "cosmetic > > > > changes" > > > > were made. > > > > > > Yeah, the commit title didn't mention the change but the commit > > > message did. > > > > I'm sorry, but that won't do. There are at least three things > > wrong > > with these commits: > > > > (1) The summary lines were misleading, because they implied that no > > functional changes were made. > > > > (2) The commit messages were misleading, because they failed to > > mention > > that security holes which had previously been fixed were now > > being > > re-introduced. That wasn't at all obvious. > > > > Commits like these, which remove patches that had fixed > > security > > flaws, are fairly common: someone casually looking over the > > commit > > log might assume that the patches could be safely removed > > because > > a > > version update was done at the same time, rendering those > > patches > > obsolete. > > > > (3) Although your 'glib' commit was immediately followed by a > > 'glib' > > update, rendering it harmless, your misleading 'cairo' commit > > left > > 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our > > 'core-updates' and 'wip-gnome' branches. Those will need to be > > fixed now. > > > > Léo Le Bouter <lle-bout@zaclys.net> is also culpable here, because > > he > > digitally signed the misleading 'cairo' commit that's on our > > 'core-updates' branch, which re-introduced CVE-2018-19876 and > > CVE-2020-35492. > > > > --8<---------------cut here---------------start------------->8--- > > commit f94cdc86f644984ca83164d40b17e7eed6e22091 > > gpg: Signature made Fri 26 Mar 2021 05:13:57 PM EDT > > gpg: using RSA key > > 148BCB8BD80BFB16B1DE0E9145A8B1E86BCD10A6 > > gpg: Good signature from "Léo Le Bouter <lle-bout@zaclys.net>" > > [unknown] > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to > > the owner. > > Primary key fingerprint: 148B CB8B D80B FB16 B1DE 0E91 45A8 B1E8 > > 6BCD 10A6 > > Author: Raghav Gururajan <raghavgururajan@disroot.org> > > Date: Fri Dec 4 00:48:43 2020 -0500 > > > > gnu: cairo: Make some cosmetic changes. > > > > * gnu/packages/patches/cairo-CVE-2018-19876.patch, > > gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove > > patches. > > * gnu/local.mk (dist_patch_DATA): Unregister them. > > * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. > > [replacement]: Remove. > > (cairo/fixed): Remove. > > > > Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net> > > --8<---------------cut here---------------end--------------->8--- > > > > https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091 > > > > Even the most superficial skimming of this commit should have > > immediately raised red flags, because the summary line is clearly > > inaccurate. It shows a lack of careful review, to put it mildly. > > > > Mark > > Hello Mark, > > I don't share your analysis, the security fixes werent stripped > because > glib/cairo was also updated to latest version in subsequent commits > which were pushed all at once. This may be the case for glib, but which commit pushes cairo to a version, in which those security fixes are applied? ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 20:01 ` Léo Le Bouter 2021-04-22 21:08 ` Christopher Baines 2021-04-22 21:09 ` Leo Prikler @ 2021-04-22 21:21 ` Mark H Weaver 2021-04-23 17:52 ` Maxim Cournoyer 2 siblings, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-04-22 21:21 UTC (permalink / raw) To: Léo Le Bouter, Raghav Gururajan, Guix Devel; +Cc: Leo Prikler Hi Léo, Léo Le Bouter <lle-bout@zaclys.net> writes: > I don't share your analysis, the security fixes werent stripped because > glib/cairo was also updated to latest version in subsequent commits > which were pushed all at once. 'glib' was updated, but 'cairo' wasn't, presumably because there's no newer stable release of 'cairo' to update to. > Careful review was done, and that's why I signed-off and GPG-signed the > commits. Nobody was put at risk by these commits and no security fixes > were stripped. Those are bold claims, given the contents of our git repository. Here's Raghav's commit on the 'core-updates' branch, which bears your digital signature (according to my 'git' client), where the security fixes for CVE-2018-19876 and CVE-2020-35492 were removed, in a commit whose summary line is "gnu: cairo: Make some cosmetic changes": https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091 I have two questions for you: (1) Do you deny that you digitally signed that commit? (2) Do you deny that there's anything wrong with that commit? Thanks, Mark -- Support Richard Stallman against the vicious misinformation campaign against him and the FSF. See <https://stallmansupport.org> for more. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-22 21:21 ` Mark H Weaver @ 2021-04-23 17:52 ` Maxim Cournoyer 2021-04-23 18:00 ` Raghav Gururajan 2021-04-23 18:50 ` Léo Le Bouter 0 siblings, 2 replies; 96+ messages in thread From: Maxim Cournoyer @ 2021-04-23 17:52 UTC (permalink / raw) To: Léo Le Bouter Cc: Guix Devel, Leo Prikler, Sou Bunnbu (宋文武), Raghav Gururajan Hi, Mark H Weaver <mhw@netris.org> writes: > Hi Léo, > > Léo Le Bouter <lle-bout@zaclys.net> writes: > >> I don't share your analysis, the security fixes werent stripped because >> glib/cairo was also updated to latest version in subsequent commits >> which were pushed all at once. > > 'glib' was updated, but 'cairo' wasn't, presumably because there's no > newer stable release of 'cairo' to update to. Actually, there *is* a "new" stable release available on their release page, 1.17.2 [0] According to NVD [1], that latest version has no known CVE [1]. Léo, could it be that you had planned to do this update, but it somehow fell into the cracks? In any case I agree with the others that it'd have been better to ungraft/remove patches in the same commit that updates the software to a version that incorporates the fixes, as I'm sure you already know: it'd have prevented this kind of situation. I also urge you to remain calm and collaborative even in the face of criticism; as Ricardo said, escalating things will lead us nowhere good. Honest mistakes are made and that's no problem so long as we stand ready to apologize for them and work together for a resolution. I see that 宋文武 has pushed a commit (2ab4f4c950ffa7ca40271a534cb3bed997672138) to core-updates reinstating the security patches; thanks! Thank you, Maxim [0] https://www.cairographics.org/releases/ [1] https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:cairographics:cairo:-:*:*:*:*:*:*:* ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 17:52 ` Maxim Cournoyer @ 2021-04-23 18:00 ` Raghav Gururajan 2021-04-23 18:38 ` Maxim Cournoyer 2021-04-23 18:50 ` Léo Le Bouter 1 sibling, 1 reply; 96+ messages in thread From: Raghav Gururajan @ 2021-04-23 18:00 UTC (permalink / raw) To: Maxim Cournoyer, Léo Le Bouter Cc: Mark H Weaver, Guix Devel, Leo Prikler, Sou Bunnbu (宋文武) [-- Attachment #1.1: Type: text/plain, Size: 334 bytes --] Hi Maxim! > Actually, there *is* a "new" stable release available on their release > page, 1.17.2 It seems 1.16.0 is the latest+stable version. Quoting their download, "Please download one of the latest [releases](https://cairographics.org/releases/) in order to get an API-stable version of cairo." Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 18:00 ` Raghav Gururajan @ 2021-04-23 18:38 ` Maxim Cournoyer 2021-04-23 22:06 ` Raghav Gururajan 0 siblings, 1 reply; 96+ messages in thread From: Maxim Cournoyer @ 2021-04-23 18:38 UTC (permalink / raw) To: Raghav Gururajan Cc: Guix Devel, Leo Prikler, Sou Bunnbu (宋文武) Hello Raghav, Raghav Gururajan <rg@raghavgururajan.name> writes: > Hi Maxim! > >> Actually, there *is* a "new" stable release available on their release >> page, 1.17.2 > > It seems 1.16.0 is the latest+stable version. > > Quoting their download, "Please download one of the latest > [releases](https://cairographics.org/releases/) in order to get an > API-stable version of cairo." Oh, indeed, sorry for the confusion. I think I got tricked by seeing the changelog for 1.17.2 under their releases/ directory (https://www.cairographics.org/releases/ChangeLog.cairo-1.17.2). Thank you, Maxim ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 18:38 ` Maxim Cournoyer @ 2021-04-23 22:06 ` Raghav Gururajan 0 siblings, 0 replies; 96+ messages in thread From: Raghav Gururajan @ 2021-04-23 22:06 UTC (permalink / raw) To: Maxim Cournoyer Cc: Léo Le Bouter, Mark H Weaver, Guix Devel, Leo Prikler, Sou Bunnbu (宋文武) [-- Attachment #1.1: Type: text/plain, Size: 316 bytes --] Hi Maxim! > Oh, indeed, sorry for the confusion. I think I got tricked by seeing > the changelog for 1.17.2 under their releases/ directory > (https://www.cairographics.org/releases/ChangeLog.cairo-1.17.2). No worries! I was confused by that too, while I was working on cairo package. Regards, RG. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 236 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 17:52 ` Maxim Cournoyer 2021-04-23 18:00 ` Raghav Gururajan @ 2021-04-23 18:50 ` Léo Le Bouter 2021-04-23 19:15 ` Leo Prikler 2021-04-23 19:18 ` Leo Famulari 1 sibling, 2 replies; 96+ messages in thread From: Léo Le Bouter @ 2021-04-23 18:50 UTC (permalink / raw) To: Maxim Cournoyer Cc: Mark H Weaver, Raghav Gururajan, Guix Devel, Leo Prikler, Sou Bunnbu [-- Attachment #1: Type: text/plain, Size: 2425 bytes --] On Fri, 2021-04-23 at 13:52 -0400, Maxim Cournoyer wrote: > Actually, there *is* a "new" stable release available on their > release > page, 1.17.2 [0] > > According to NVD [1], that latest version has no known CVE [1]. > > Léo, could it be that you had planned to do this update, but it > somehow > fell into the cracks? In any case I agree with the others that it'd > have been better to ungraft/remove patches in the same commit that > updates the software to a version that incorporates the fixes, as I'm > sure you already know: it'd have prevented this kind of situation. Considering the GNOME upgrade is not finished yet, this is indeed ongoing work. I would've never done this on master. > > I also urge you to remain calm and collaborative even in the face of > criticism; as Ricardo said, escalating things will lead us nowhere > good. > Honest mistakes are made and that's no problem so long as we stand > ready > to apologize for them and work together for a resolution. > I think there is no problem in accepting criticism but there is a certain way Mark presents criticism and I don't feel like I can respond to it when it is written in such way. Over several emails Mark was looking to point to people who were somehow responsible for whatever "damage" for changes that happened on a branch nobody uses and always contains ongoing work (core-updates), so maintaining it security-wise is not as much of a question. The result is that we have a long thread of people responding etc. causing a fuss over something that just needs to be fixed rather than find whoever is somehow "responsible". I feel like we're collectively responsible. We try our best at all times, during this GNOME upgrade I also tried to take into account Raghav's feelings so they do not give up and have a rewarding review experience, I knew these commits werent great, I have written about it here: < https://issues.guix.gnu.org/42958#67>. > I see that 宋文武 has pushed a commit > (2ab4f4c950ffa7ca40271a534cb3bed997672138) to core-updates > reinstating > the security patches; thanks! > Great! Thanks for figuring this out. > Thank you, > > Maxim > > [0] https://www.cairographics.org/releases/ > [1] > https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:cairographics:cairo:-:*:*:*:*:*:*:* Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 18:50 ` Léo Le Bouter @ 2021-04-23 19:15 ` Leo Prikler 2021-04-23 19:18 ` Leo Famulari 1 sibling, 0 replies; 96+ messages in thread From: Leo Prikler @ 2021-04-23 19:15 UTC (permalink / raw) To: Léo Le Bouter, Maxim Cournoyer Cc: Guix Devel, Sou Bunnbu, Raghav Gururajan Hi, Am Freitag, den 23.04.2021, 20:50 +0200 schrieb Léo Le Bouter: > I think there is no problem in accepting criticism but there is a > certain way Mark presents criticism and I don't feel like I can > respond > to it when it is written in such way. Over several emails Mark was > looking to point to people who were somehow responsible for whatever > "damage" for changes that happened on a branch nobody uses and always > contains ongoing work (core-updates), so maintaining it security-wise > is not as much of a question. The result is that we have a long > thread > of people responding etc. causing a fuss over something that just > needs > to be fixed rather than find whoever is somehow "responsible". I disagree with the sentiment, that core-updates is fair game for any kind of commit. Now, naturally, since they cause many rebuilds it may be harder to verify that upgrading some packages does not lead to failure in another (especially without the CI), contributing to the "work in progress" nature of core-updates, but this still doesn't excuse removing security fixes. We all expect, that at some point we can merge core-updates "as is" into master and commits like that call this assumption into question, instead demanding a full review of a branch, whose patches should already have been reviewed by the time they land. > I feel > like we're collectively responsible. We try our best at all times, > during this GNOME upgrade I also tried to take into account Raghav's > feelings so they do not give up and have a rewarding review > experience, > I knew these commits werent great, I have written about it here: < > https://issues.guix.gnu.org/42958#67>;. I think a more rewarding experience would have been to help them arrive at a point, where such changes are no longer needed for the rest of their patch set. Not only would this have solved their immediate issue, it would also have been a good learning experience and we wouldn't need to discuss this at lengths several months later. I have worked with Raghav before on telegram-desktop (and other packages as well) and they were pretty patient with about 20 versions being sent back and forth between us until we arrived at a set of descriptions, that we could safely push. Not nearly as many versions would need to be sent in the case of a "cosmetic changes" patch, when I ported their GStreamer updates to staging, I noticed that it was mostly the indentation, that would screw things up for future patches. I admit, sometimes Raghav appears to "just want to get the job done quickly", but giving in to such urges helps no one. Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 18:50 ` Léo Le Bouter 2021-04-23 19:15 ` Leo Prikler @ 2021-04-23 19:18 ` Leo Famulari 2021-04-23 19:33 ` Léo Le Bouter 2021-04-26 19:31 ` Léo Le Bouter 1 sibling, 2 replies; 96+ messages in thread From: Leo Famulari @ 2021-04-23 19:18 UTC (permalink / raw) To: Léo Le Bouter Cc: Maxim Cournoyer, Raghav Gururajan, Sou Bunnbu, Leo Prikler, Guix Devel [-- Attachment #1: Type: text/plain, Size: 2054 bytes --] On Fri, Apr 23, 2021 at 08:50:37PM +0200, Léo Le Bouter wrote: > I think there is no problem in accepting criticism but there is a > certain way Mark presents criticism and I don't feel like I can respond > to it when it is written in such way. Over several emails Mark was > looking to point to people who were somehow responsible for whatever > "damage" for changes that happened on a branch nobody uses and always > contains ongoing work (core-updates), so maintaining it security-wise > is not as much of a question. The result is that we have a long thread > of people responding etc. causing a fuss over something that just needs > to be fixed rather than find whoever is somehow "responsible". I feel > like we're collectively responsible. We try our best at all times, > during this GNOME upgrade I also tried to take into account Raghav's > feelings so they do not give up and have a rewarding review experience, > I knew these commits werent great, I have written about it here: < > https://issues.guix.gnu.org/42958#67>. I have to agree with everybody in this thead. The commits in question were problematic (especially on core-updates, which is not a "WIP" branch and thus cannot be rewritten to fix past problems). I'm not confident that the security fixes would have been reinstated on core-updates if Mark had not asked about them. Léo and Raghav, you need to keep learning our workflow around security updates. It's not okay to remove security patches and later update a package to a fixed version in a different commit. `git rebase` is the tool to learn for cases like this one. However, Mark, you have way more experience, and you need to handle these things differently. If you don't trust certain Guix contributors, take it up with the maintainers — in private. The style of communication you used here is ineffective and will dissuade people from contributing to Guix. Do you want Léo and Raghav to learn and improve? Or do you want them to leave? Remember that we all begin as beginners. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 19:18 ` Leo Famulari @ 2021-04-23 19:33 ` Léo Le Bouter 2021-04-23 20:12 ` Leo Famulari 2021-04-24 7:46 ` Mark H Weaver 2021-04-26 19:31 ` Léo Le Bouter 1 sibling, 2 replies; 96+ messages in thread From: Léo Le Bouter @ 2021-04-23 19:33 UTC (permalink / raw) To: Leo Famulari Cc: Maxim Cournoyer, Mark H Weaver, Raghav Gururajan, Guix Devel, Leo Prikler, Sou Bunnbu [-- Attachment #1: Type: text/plain, Size: 975 bytes --] On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: > Léo and Raghav, you need to keep learning our workflow around > security > updates. It's not okay to remove security patches and later update a > package to a fixed version in a different commit. `git rebase` is the > tool to learn for cases like this one. I knew about this but I didnt feel like telling Raghav to do yet another rebase. I felt like Raghav was taking on with so much already. The rebase was specially complicated because Raghav's commit changed indentation, git has bad quite bad UX for cases like these. At the time I had lots of things to handle also and couldnt spend lots of time on it myself. I didnt feel like blocking the merge of these patches for commit history was worth it at all. Such blocking could have hindered the GNOME upgrade effort even more. Thankfully now there's lots of energy being put to it, at the time there wasnt anyone else than Raghav and me. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 19:33 ` Léo Le Bouter @ 2021-04-23 20:12 ` Leo Famulari 2021-04-26 17:06 ` Giovanni Biscuolo 2021-04-24 7:46 ` Mark H Weaver 1 sibling, 1 reply; 96+ messages in thread From: Leo Famulari @ 2021-04-23 20:12 UTC (permalink / raw) To: Léo Le Bouter Cc: Maxim Cournoyer, Raghav Gururajan, Sou Bunnbu, Leo Prikler, Guix Devel [-- Attachment #1: Type: text/plain, Size: 1950 bytes --] On Fri, Apr 23, 2021 at 09:33:07PM +0200, Léo Le Bouter wrote: > I knew about this but I didnt feel like telling Raghav to do yet > another rebase. I felt like Raghav was taking on with so much already. > The rebase was specially complicated because Raghav's commit changed > indentation, git has bad quite bad UX for cases like these. At the time > I had lots of things to handle also and couldnt spend lots of time on > it myself. I didnt feel like blocking the merge of these patches for > commit history was worth it at all. Such blocking could have hindered > the GNOME upgrade effort even more. Thankfully now there's lots of > energy being put to it, at the time there wasnt anyone else than Raghav > and me. I'm sympathetic. There is an imbalance between the work that we want to complete, and the time and energy that we can give to it. And in the case of GNOME, we have already fallen short of our goals several times, having missed multiple upgrades. I too have felt the temptation to cut corners with Git when I know that the final result will be "okay". But Guix is not just about the final product (a release, or a merge). We also have the --commit option to Guix commands, and `guix time-machine`. So the Git history is important too. And I have also spent several hours at a time, focused on completing (after several restarts) a complicated rebase involving dozens of commits. And I've done that many times. I do think that Mark is being hyperbolic about the wip-gnome branch. The name says "work in progress" and we don't hold those branches to a high standard. But what happened on core-updates *must not happen again*. For a task as large as "updating GNOME in Guix", history tells me that it has to be a group effort. In many cases, the hardest part of a project is coordination and leadership, not coding. I hope that this current effort continues, and that more people decide to join. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 20:12 ` Leo Famulari @ 2021-04-26 17:06 ` Giovanni Biscuolo 2021-04-26 17:32 ` Leo Famulari 0 siblings, 1 reply; 96+ messages in thread From: Giovanni Biscuolo @ 2021-04-26 17:06 UTC (permalink / raw) To: Leo Famulari, Léo Le Bouter; +Cc: Guix Devel, Raghav Gururajan [-- Attachment #1: Type: text/plain, Size: 2813 bytes --] Hello Guix, Leo Famulari <leo@famulari.name> writes: [...] > And in the case of GNOME, we have already fallen short of our goals > several times, having missed multiple upgrades. I regret not to be able to contribute more to Guix, but please nobody should feel guilty not to be able to keep-up with upstream's upgrading rate (whatever rate it is), better safe than up-to-date :-) > I too have felt the temptation to cut corners with Git when I know that > the final result will be "okay". But Guix is not just about the final > product (a release, or a merge). We also have the --commit option to > Guix commands, and `guix time-machine`. So the Git history is important > too. Yes, please this should be stressed: Guix *is* it's official (master, core-updates...) git repo branches. Just to understand: /if/ at any point in time a user is able to afford the effort to build the entire core-updates /or/ staging branch she should be confident the result is state-of-the-art secure. Am I wrong with this assumption? > And I have also spent several hours at a time, focused on completing > (after several restarts) a complicated rebase involving dozens of > commits. And I've done that many times. I think this is the most expensive activity of Guix maintainers, for the very reason that Guix *is* git > I do think that Mark is being hyperbolic about the wip-gnome branch. The > name says "work in progress" and we don't hold those branches to a high > standard. I understand your point but please consider that /unless/ a wip-branch is private (or privately shared out-of-Guix-git) that branch it's a pubblic collective work in progress and sometimes (seldom? often? I really don't know) that work could be completed by someone else, so even in wip- branches committers should exercise some degree of discipline, especially when dealing with "commit message completeness" and more with security related patches. In other words, IMHO a certain degree of safety must be assured also on wip- branches. Probably the policy about wip-branches, whatever it is ("do what you want" or something in line with my comments above), should be documented in the contributing section of the Guix manual. > But what happened on core-updates *must not happen again*. Please no. > For a task as large as "updating GNOME in Guix", history tells me that > it has to be a group effort. In many cases, the hardest part of a > project is coordination and leadership, not coding. I hope that this > current effort continues, and that more people decide to join. OK but please consider that /if/ Guix cannot "update GNOME in Guix" for whatever reason, GNOME should not be updated. Thanks! Giovanni. -- Giovanni Biscuolo Xelera IT Infrastructures [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 849 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 17:06 ` Giovanni Biscuolo @ 2021-04-26 17:32 ` Leo Famulari 2021-04-26 21:56 ` Giovanni Biscuolo 0 siblings, 1 reply; 96+ messages in thread From: Leo Famulari @ 2021-04-26 17:32 UTC (permalink / raw) To: Giovanni Biscuolo; +Cc: Guix Devel, Raghav Gururajan [-- Attachment #1: Type: text/plain, Size: 2888 bytes --] On Mon, Apr 26, 2021 at 07:06:33PM +0200, Giovanni Biscuolo wrote: > Just to understand: /if/ at any point in time a user is able to afford > the effort to build the entire core-updates /or/ staging branch she > should be confident the result is state-of-the-art secure. Am I wrong > with this assumption? Unfortunately your assumption is incorrect. We do not apply security updates to the core-updates branch, except what comes via `git merge master`, which only happens in the final stages of the cycle. Core-updates is not expected to be "buildable", let alone "secure", until the end of the core-updates cycle when we start to whip it into shape. That branch is just a place to push updates of core packages, so that we don't duplicate effort or lose track of updates. Nevertheless, we should never remove security patches without a corresponding package update, done in a single atomic commit. That's not how we work. If there is some documentation or messaging that suggests that anyone should ever use the core-updates branch, please let us know and we will fix that. The only branch you should use is the master branch, unless you are testing something as a developer > Leo Famulari <leo@famulari.name> writes: > > I do think that Mark is being hyperbolic about the wip-gnome branch. The > > name says "work in progress" and we don't hold those branches to a high > > standard. > > I understand your point but please consider that /unless/ a wip-branch > is private (or privately shared out-of-Guix-git) that branch it's a > pubblic collective work in progress and sometimes (seldom? often? I > really don't know) that work could be completed by someone else, so even > in wip- branches committers should exercise some degree of discipline, > especially when dealing with "commit message completeness" and more with > security related patches. In other words, IMHO a certain degree of > safety must be assured also on wip- branches. > > Probably the policy about wip-branches, whatever it is ("do what you > want" or something in line with my comments above), should be documented > in the contributing section of the Guix manual. I did not mean to suggestthat wip-* branches should not be secure but, again, they are only works in progress. They do not even have a stable Git history, due to rebasing, which breaks the Guix code authentication mechanism. So, if you try to use them, you will have to use `guix pull --allow-downgrades` and then all bets are off in terms of security. These branches are merely a way for developers to share their work with each other. > OK but please consider that /if/ Guix cannot "update GNOME in Guix" for > whatever reason, GNOME should not be updated. I don't understand this. It seems tautological that if we cannot update GNOME, then GNOME should not be updated. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 17:32 ` Leo Famulari @ 2021-04-26 21:56 ` Giovanni Biscuolo 2021-04-26 23:01 ` Leo Famulari 0 siblings, 1 reply; 96+ messages in thread From: Giovanni Biscuolo @ 2021-04-26 21:56 UTC (permalink / raw) To: Leo Famulari; +Cc: Guix Devel, Raghav Gururajan [-- Attachment #1: Type: text/plain, Size: 720 bytes --] Leo Famulari <leo@famulari.name> writes: > On Mon, Apr 26, 2021 at 07:06:33PM +0200, Giovanni Biscuolo wrote: >> Just to understand: /if/ at any point in time a user is able to afford >> the effort to build the entire core-updates /or/ staging branch she >> should be confident the result is state-of-the-art secure. Am I wrong >> with this assumption? > > Unfortunately your assumption is incorrect. [...] > If there is some documentation or messaging that suggests that anyone > should ever use the core-updates branch, please let us know and we will > fix that. No, I simply misunderstood, sorry for the noise! [...] Thanks, Giovanni -- Giovanni Biscuolo Xelera IT Infrastructures [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 849 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 21:56 ` Giovanni Biscuolo @ 2021-04-26 23:01 ` Leo Famulari 0 siblings, 0 replies; 96+ messages in thread From: Leo Famulari @ 2021-04-26 23:01 UTC (permalink / raw) To: Giovanni Biscuolo; +Cc: Guix Devel, Raghav Gururajan On Mon, Apr 26, 2021 at 11:56:22PM +0200, Giovanni Biscuolo wrote: > No, I simply misunderstood, sorry for the noise! Okay, and thanks for asking! It's important to clarify these things; it's not just noise :) This kind of knowledge is something I picked up over time, but I'm not sure it's written down anywhere. So I added a line to the manual that I hope can make it a little more clear to anyone looking for information: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4de688738ce802056dadd6f785c7bdb3407dc768 ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 19:33 ` Léo Le Bouter 2021-04-23 20:12 ` Leo Famulari @ 2021-04-24 7:46 ` Mark H Weaver 2021-04-26 14:59 ` Léo Le Bouter 1 sibling, 1 reply; 96+ messages in thread From: Mark H Weaver @ 2021-04-24 7:46 UTC (permalink / raw) To: Léo Le Bouter, Leo Famulari Cc: Guix Devel, Raghav Gururajan, Leo Prikler, Maxim Cournoyer, Sou Bunnbu Hi Léo, Léo Le Bouter <lle-bout@zaclys.net> writes: > On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: >> Léo and Raghav, you need to keep learning our workflow around >> security updates. It's not okay to remove security patches and later >> update a package to a fixed version in a different commit. `git >> rebase` is the tool to learn for cases like this one. > > I knew about this but I didnt feel like telling Raghav to do yet > another rebase. I felt like Raghav was taking on with so much already. This response is what native English speakers call a "red herring" <https://en.wikipedia.org/wiki/Red_herring>: something that misleads or distracts from a relevant or important question. Why do I say that? As I pointed out elsewhere in this thread, https://lists.gnu.org/archive/html/guix-devel/2021-04/msg00366.html it appears that Raghav didn't actually remove the security fixes; it appears that *you* did. Therefore, I fail to see how it could have been avoided by asking Raghav to do another rebase. From the IRC logs cited in the message above, it appears that you took the liberty of modifying Raghav's "cosmetic changes" commits to also remove security fixes in the re-indented packages, while claiming in the summary lines that you were "ungraft[ing]" cairo and glib. https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 Can you please explain what went wrong here? Thanks, Mark -- Support Richard Stallman against the vicious disinformation campaign against him and the FSF. See <https://stallmansupport.org> for more. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-24 7:46 ` Mark H Weaver @ 2021-04-26 14:59 ` Léo Le Bouter 2021-04-26 15:23 ` Tobias Geerinckx-Rice 0 siblings, 1 reply; 96+ messages in thread From: Léo Le Bouter @ 2021-04-26 14:59 UTC (permalink / raw) To: Mark H Weaver, Leo Famulari Cc: Maxim Cournoyer, Raghav Gururajan, Guix Devel, Leo Prikler, Sou Bunnbu [-- Attachment #1: Type: text/plain, Size: 1894 bytes --] On Sat, 2021-04-24 at 03:46 -0400, Mark H Weaver wrote: > Hi Léo, > > Léo Le Bouter <lle-bout@zaclys.net> writes: > > > On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: > > > Léo and Raghav, you need to keep learning our workflow around > > > security updates. It's not okay to remove security patches and > > > later > > > update a package to a fixed version in a different commit. `git > > > rebase` is the tool to learn for cases like this one. > > > > I knew about this but I didnt feel like telling Raghav to do yet > > another rebase. I felt like Raghav was taking on with so much > > already. > > This response is what native English speakers call a "red herring" > <https://en.wikipedia.org/wiki/Red_herring>;: something that misleads > or > distracts from a relevant or important question. > > Why do I say that? As I pointed out elsewhere in this thread, > > https://lists.gnu.org/archive/html/guix-devel/2021-04/msg00366.html > > it appears that Raghav didn't actually remove the security fixes; it > appears that *you* did. Therefore, I fail to see how it could have > been > avoided by asking Raghav to do another rebase. > > From the IRC logs cited in the message above, it appears that you > took > the liberty of modifying Raghav's "cosmetic changes" commits to also > remove security fixes in the re-indented packages, while claiming in > the > summary lines that you were "ungraft[ing]" cairo and glib. > > > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 > > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > > Can you please explain what went wrong here? > > Thanks, > Mark > Hello Mark, I will not answer anything to you anymore because I feel like you do not write messages in a constructive way. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 14:59 ` Léo Le Bouter @ 2021-04-26 15:23 ` Tobias Geerinckx-Rice 2021-04-26 17:21 ` Ludovic Courtès 2021-04-26 17:46 ` Léo Le Bouter 0 siblings, 2 replies; 96+ messages in thread From: Tobias Geerinckx-Rice @ 2021-04-26 15:23 UTC (permalink / raw) To: Léo Le Bouter Cc: Mark H Weaver, Leo Famulari, Maxim Cournoyer, Raghav Gururajan, Leo Prikler, Sou Bunnbu, guix-devel [-- Attachment #1: Type: text/plain, Size: 418 bytes --] Hi Léo, > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > > Can you please explain what went wrong here? Is a reasonable question, shared by all of us, not just Mark. The constructive way forward is to answer it fully. It's in your best interest to do so. Kind regards, T G-R [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 247 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 15:23 ` Tobias Geerinckx-Rice @ 2021-04-26 17:21 ` Ludovic Courtès 2021-04-26 20:07 ` Pjotr Prins 2021-04-26 17:46 ` Léo Le Bouter 1 sibling, 1 reply; 96+ messages in thread From: Ludovic Courtès @ 2021-04-26 17:21 UTC (permalink / raw) To: Léo Le Bouter Cc: Maxim Cournoyer, Sou Bunnbu, Raghav Gururajan, Leo Prikler, guix-devel Hi Léo, Tobias Geerinckx-Rice <me@tobias.gr> skribis: >> https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 >> https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 >> Can you please explain what went wrong here? > > Is a reasonable question, shared by all of us, not just Mark. The > constructive way forward is to answer it fully. It's in your best > interest to do so. I concur. Please reply as soon as you can so we can understand what happened, restore trust, and collectively avoid such pitfalls in the future. Thanks in advance, Ludo’. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 17:21 ` Ludovic Courtès @ 2021-04-26 20:07 ` Pjotr Prins 0 siblings, 0 replies; 96+ messages in thread From: Pjotr Prins @ 2021-04-26 20:07 UTC (permalink / raw) To: Ludovic Courtès Cc: Maxim Cournoyer, Raghav Gururajan, Sou Bunnbu, Leo Prikler, guix-devel On Mon, Apr 26, 2021 at 07:21:14PM +0200, Ludovic Courtès wrote: > Hi Léo, > > Tobias Geerinckx-Rice <me@tobias.gr> skribis: > > >> https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 > >> https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > >> Can you please explain what went wrong here? To be honest, I think Leo and Raghav have been pretty clear. They made a mistake and that can happen to all of us. Now before this thing goes off the rails we should also recognise that everyone is different. Which is really something to celebrate. Everyone on this thread has made great contributions in a highly diverse environment to GNU Guix and that is what matters, really. We should also recognise that some people may be blunt and direct and even personal. I don't think that is bad. It may not always be nice and it may hurt our goals of being inclusive, but then there may be a cultural component too. What is honest and meaningful to one may be perceived as hurtful by another. It is somewhat unavoidable in an international social experiment. Personally I shut up on disagreement, as these E-mails live much too long. Ricardo wrote a great E-mail early in this thread. I suggest we bury the hatchet and move forward. It is clear to me that Leo and Raghav mean well, won't make the mistake again, and this is taking too much energy from everyone. Pj. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 15:23 ` Tobias Geerinckx-Rice 2021-04-26 17:21 ` Ludovic Courtès @ 2021-04-26 17:46 ` Léo Le Bouter 2021-04-28 15:52 ` Marius Bakke 1 sibling, 1 reply; 96+ messages in thread From: Léo Le Bouter @ 2021-04-26 17:46 UTC (permalink / raw) To: Tobias Geerinckx-Rice Cc: Mark H Weaver, Leo Famulari, Maxim Cournoyer, Raghav Gururajan, Leo Prikler, Sou Bunnbu, guix-devel [-- Attachment #1: Type: text/plain, Size: 2631 bytes --] On Mon, 2021-04-26 at 17:23 +0200, Tobias Geerinckx-Rice wrote: > Hi Léo, > > > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 > > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > > > > Can you please explain what went wrong here? > > Is a reasonable question, shared by all of us, not just Mark. The > constructive way forward is to answer it fully. It's in your best > interest to do so. > > Kind regards, > > T G-R I am sorry, I will not. It's evident nothing went wrong and Mark is not asking questions that are beneficial to anyone here besides contributing to public shaming of people. The fix is already pushed and thank you to the person that made it and Mark for identifying the issue, however I don't say thank you for trying to publicly shame people on the mailing list, both Raghav and me. At best there was an oversight (like there's many in various commits made everyday to GNU Guix) where I assumed the latest version of software would contain all security fixes (as I tend to consider GNONE software such as cairo is well maintained upstream security-wise, seems not), I don't think there's anything more to add. I find Mark's way of communicating about these issues not constructive and unfriendly. I think that if Mark or anyone else's expect me to answer I think they should not phrase criticism in a way that they accuse me or anyone else of having made a mistake. I don't think we should find who is responsible for mistakes, we could however ask advice on what happened to fix the mistake in case the person that introduced it cannot. And to ever think I would act in bad faith towards GNU Guix security when I spent entire weeks checking and patching CVEs full time, I don't think that would make sense. On Mon, 2021-04-26 at 19:21 +0200, Ludovic Courtès wrote: > Hi Léo, > > Tobias Geerinckx-Rice <me@tobias.gr> skribis: > > > > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 > > > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > > > Can you please explain what went wrong here? > > > > Is a reasonable question, shared by all of us, not just Mark. The > > constructive way forward is to answer it fully. It's in your best > > interest to do so. > > I concur. Please reply as soon as you can so we can understand what > happened, restore trust, and collectively avoid such pitfalls in the > future. > > Thanks in advance, > Ludo’. I don't understand how trust would be lost. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 17:46 ` Léo Le Bouter @ 2021-04-28 15:52 ` Marius Bakke 2021-04-29 9:13 ` Léo Le Bouter 2021-04-29 11:41 ` Arun Isaac 0 siblings, 2 replies; 96+ messages in thread From: Marius Bakke @ 2021-04-28 15:52 UTC (permalink / raw) To: Léo Le Bouter; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1135 bytes --] Léo, We maintainers have been disappointed by Marks harsh tone which do not meet the project's communication standards, but also by your apparent lack of will to reply constructively to legitimate criticism. This is the next in a series of incidents. The incidents are okay--we we all make mistakes and that's how we learn--but we interpreted your responses all too often as dismissive and defensive, rather than understanding and forward-looking. This has been causing unnecessary friction and stress, and is not how we envision peaceful collaboration. I'm sorry to say your commit privileges have been temporarily suspended. After one month, you are invited to get in touch with the maintainers collective and discuss next steps. You have done terrific work in Guix in the short time you've been around: from the POWER9 port, to the many security fixes, to tracking and reporting issues, and suggesting improvements to the tools. I hope you'll eventually rejoin to collaborate in the peaceful and empathetic fashion that this project encourages. -- Marius (on behalf of the maintainers collective) [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 247 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-28 15:52 ` Marius Bakke @ 2021-04-29 9:13 ` Léo Le Bouter 2021-04-29 11:46 ` Leo Prikler 2021-04-29 11:41 ` Arun Isaac 1 sibling, 1 reply; 96+ messages in thread From: Léo Le Bouter @ 2021-04-29 9:13 UTC (permalink / raw) To: Marius Bakke; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 2593 bytes --] On Wed, 2021-04-28 at 17:52 +0200, Marius Bakke wrote: > Léo, > > We maintainers have been disappointed by Marks harsh tone which do > not > meet the project's communication standards, but also by your apparent > lack of will to reply constructively to legitimate criticism. > > This is the next in a series of incidents. The incidents are okay > --we > we all make mistakes and that's how we learn--but we interpreted your > responses all too often as dismissive and defensive, rather than > understanding and forward-looking. This has been causing unnecessary > friction and stress, and is not how we envision peaceful > collaboration. > > I'm sorry to say your commit privileges have been temporarily > suspended. After one month, you are invited to get in touch with the > maintainers collective and discuss next steps. > > You have done terrific work in Guix in the short time you've been > around: from the POWER9 port, to the many security fixes, > to tracking and reporting issues, and suggesting improvements to the > tools. I hope you'll eventually rejoin to collaborate in the > peaceful > and empathetic fashion that this project encourages. > Hello! To make a statement about this on the public mailing list also, I think such suspension is largely unfair and unjustified. It seems I am expected to do peaceful collaboration with people who are not writing messages in a non-violent manner, and I refuse to engage further in that context. I do not want to answer Mark or anyone else who does not write in a friendly way. If that means I cannot be a GNU Guix contributor then I will not be any longer. It means for me that GNU Guix is not a safe place for me to contribute to. I think if anyone expects me to not answer in a dismissive or defensive way then also they must think of the message they're writing if it is encouraging a confrontational response or peaceful collaboration. I don't feel like I have been hindering peaceful collaboration at any time, since everything I've done in GNU Guix was collaborative work. With many people in the GNU Guix community everything goes well and is very peaceful, when there's problems it's with specific people who also happen to write messages in a way that generates confrontation. I cannot and I refuse to collaborate with people who are not being friendly and do not care about the emotions of the humans they're communicating with, it's the reason I come to GNU Guix in the first place, but to me it appears it's not the right place for that either now. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-29 9:13 ` Léo Le Bouter @ 2021-04-29 11:46 ` Leo Prikler 2021-04-29 11:57 ` Léo Le Bouter 0 siblings, 1 reply; 96+ messages in thread From: Leo Prikler @ 2021-04-29 11:46 UTC (permalink / raw) To: Léo Le Bouter, Marius Bakke; +Cc: guix-devel Am Donnerstag, den 29.04.2021, 11:13 +0200 schrieb Léo Le Bouter: > On Wed, 2021-04-28 at 17:52 +0200, Marius Bakke wrote: > > Léo, > > > > We maintainers have been disappointed by Marks harsh tone which do > > not > > meet the project's communication standards, but also by your > > apparent > > lack of will to reply constructively to legitimate criticism. > > > > This is the next in a series of incidents. The incidents are okay > > --we > > we all make mistakes and that's how we learn--but we interpreted > > your > > responses all too often as dismissive and defensive, rather than > > understanding and forward-looking. This has been causing > > unnecessary > > friction and stress, and is not how we envision peaceful > > collaboration. > > > > I'm sorry to say your commit privileges have been temporarily > > suspended. After one month, you are invited to get in touch with > > the > > maintainers collective and discuss next steps. > > > > You have done terrific work in Guix in the short time you've been > > around: from the POWER9 port, to the many security fixes, > > to tracking and reporting issues, and suggesting improvements to > > the > > tools. I hope you'll eventually rejoin to collaborate in the > > peaceful > > and empathetic fashion that this project encourages. > > > > Hello! > > To make a statement about this on the public mailing list also, I > think > such suspension is largely unfair and unjustified. I personally disagree. While their tone may have been questionable, I find it important that both committers and non-committers are able to call changes into question, everything else would not be democratic. Ideally, that would happen during review, but this thread has clearly indicated that the review process failed in this instance. Perhaps informing you privately first is more fair, but pointless assignments of guilt aside it is an issue that we should all be aware of and learn from, so as to not repeat it. > It seems I am expected to do peaceful collaboration with people who > are > not writing messages in a non-violent manner, and I refuse to engage > further in that context. I do not want to answer Mark or anyone else > who does not write in a friendly way. If that means I cannot be a GNU > Guix contributor then I will not be any longer. It means for me that > GNU Guix is not a safe place for me to contribute to. Even if unfriendly, we are not attacking you on any non-technical grounds, but instead asking you to do self-criticism and to learn from your mistake. You can (and should) call the tone in which this is done into question, but this does not absolve you from your duty to ensure package quality standards. > I think if anyone expects me to not answer in a dismissive or > defensive > way then also they must think of the message they're writing if it is > encouraging a confrontational response or peaceful collaboration. I > don't feel like I have been hindering peaceful collaboration at any > time, since everything I've done in GNU Guix was collaborative work. > With many people in the GNU Guix community everything goes well and > is > very peaceful, when there's problems it's with specific people who > also > happen to write messages in a way that generates confrontation. I > cannot and I refuse to collaborate with people who are not being > friendly and do not care about the emotions of the humans they're > communicating with, it's the reason I come to GNU Guix in the first > place, but to me it appears it's not the right place for that either > now. The criticisms pointed at you comes not just from Mark, but others as well. Others, who I would argue, potentially phrase them in a less confrontational manner. Leaving them unanswered just because Mark's tone was inadequate is in my opinion not justified. Regards, Leo ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-29 11:46 ` Leo Prikler @ 2021-04-29 11:57 ` Léo Le Bouter 0 siblings, 0 replies; 96+ messages in thread From: Léo Le Bouter @ 2021-04-29 11:57 UTC (permalink / raw) To: Leo Prikler, Marius Bakke; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 4875 bytes --] On Thu, 2021-04-29 at 13:46 +0200, Leo Prikler wrote: > Am Donnerstag, den 29.04.2021, 11:13 +0200 schrieb Léo Le Bouter: > > On Wed, 2021-04-28 at 17:52 +0200, Marius Bakke wrote: > > > Léo, > > > > > > We maintainers have been disappointed by Marks harsh tone which > > > do > > > not > > > meet the project's communication standards, but also by your > > > apparent > > > lack of will to reply constructively to legitimate criticism. > > > > > > This is the next in a series of incidents. The incidents are > > > okay > > > --we > > > we all make mistakes and that's how we learn--but we interpreted > > > your > > > responses all too often as dismissive and defensive, rather than > > > understanding and forward-looking. This has been causing > > > unnecessary > > > friction and stress, and is not how we envision peaceful > > > collaboration. > > > > > > I'm sorry to say your commit privileges have been temporarily > > > suspended. After one month, you are invited to get in touch with > > > the > > > maintainers collective and discuss next steps. > > > > > > You have done terrific work in Guix in the short time you've been > > > around: from the POWER9 port, to the many security fixes, > > > to tracking and reporting issues, and suggesting improvements to > > > the > > > tools. I hope you'll eventually rejoin to collaborate in the > > > peaceful > > > and empathetic fashion that this project encourages. > > > > > > > Hello! > > > > To make a statement about this on the public mailing list also, I > > think > > such suspension is largely unfair and unjustified. > I personally disagree. While their tone may have been questionable, > I > find it important that both committers and non-committers are able to > call changes into question, everything else would not be democratic. > Ideally, that would happen during review, but this thread has clearly > indicated that the review process failed in this instance. Perhaps > informing you privately first is more fair, but pointless assignments > of guilt aside it is an issue that we should all be aware of and > learn > from, so as to not repeat it. > > > It seems I am expected to do peaceful collaboration with people who > > are > > not writing messages in a non-violent manner, and I refuse to > > engage > > further in that context. I do not want to answer Mark or anyone > > else > > who does not write in a friendly way. If that means I cannot be a > > GNU > > Guix contributor then I will not be any longer. It means for me > > that > > GNU Guix is not a safe place for me to contribute to. > Even if unfriendly, we are not attacking you on any non-technical > grounds, but instead asking you to do self-criticism and to learn > from > your mistake. You can (and should) call the tone in which this is > done > into question, but this does not absolve you from your duty to ensure > package quality standards. > > > I think if anyone expects me to not answer in a dismissive or > > defensive > > way then also they must think of the message they're writing if it > > is > > encouraging a confrontational response or peaceful collaboration. I > > don't feel like I have been hindering peaceful collaboration at any > > time, since everything I've done in GNU Guix was collaborative > > work. > > With many people in the GNU Guix community everything goes well and > > is > > very peaceful, when there's problems it's with specific people who > > also > > happen to write messages in a way that generates confrontation. I > > cannot and I refuse to collaborate with people who are not being > > friendly and do not care about the emotions of the humans they're > > communicating with, it's the reason I come to GNU Guix in the first > > place, but to me it appears it's not the right place for that > > either > > now. > The criticisms pointed at you comes not just from Mark, but others as > well. Others, who I would argue, potentially phrase them in a less > confrontational manner. Leaving them unanswered just because Mark's > tone was inadequate is in my opinion not justified. > > Regards, > Leo > Hello Leo, If the criticism is well phrased in the first place, then I have no issue to address it and go on constructively. The very problem is that it wasnt well phrased. The rest cannot work great. I am unable to collaborate in these conditions, I don't think this can change, I am not even willing to make such change, that is, to accept collaboration with people who do not care about communicating in a caring way. I think it is contradictory to GNU Guix spirit to expect me to do that, and I cannot emotionally do so, even if I wanted to. I have had too much suffering due to these situations before, I don't want this to repeat here and now. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-28 15:52 ` Marius Bakke 2021-04-29 9:13 ` Léo Le Bouter @ 2021-04-29 11:41 ` Arun Isaac 2021-04-29 12:44 ` Pierre Neidhardt 2021-04-29 16:21 ` Arun Isaac 1 sibling, 2 replies; 96+ messages in thread From: Arun Isaac @ 2021-04-29 11:41 UTC (permalink / raw) To: Marius Bakke, Léo Le Bouter; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 642 bytes --] Hi Guix, I didn't want to get involved in this argument, but I feel I must register a dissenting opinion. > I'm sorry to say your commit privileges have been temporarily > suspended. After one month, you are invited to get in touch with the > maintainers collective and discuss next steps. I think this suspension goes too far and doesn't help de-escalate the issue. I think Léo should be cut some slack since it was Mark who opened poorly with public shaming. I can completely understand why Léo is responding defensively. Guix has been a very friendly welcoming community. Let's keep it that way. Regards, Arun [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 524 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-29 11:41 ` Arun Isaac @ 2021-04-29 12:44 ` Pierre Neidhardt 2021-04-29 14:14 ` Pjotr Prins 2021-04-29 16:21 ` Arun Isaac 1 sibling, 1 reply; 96+ messages in thread From: Pierre Neidhardt @ 2021-04-29 12:44 UTC (permalink / raw) To: Arun Isaac, Marius Bakke, Léo Le Bouter; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 68 bytes --] I agree with Arun. -- Pierre Neidhardt https://ambrevar.xyz/ [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 511 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-29 12:44 ` Pierre Neidhardt @ 2021-04-29 14:14 ` Pjotr Prins 2021-04-30 17:40 ` Pierre Neidhardt 0 siblings, 1 reply; 96+ messages in thread From: Pjotr Prins @ 2021-04-29 14:14 UTC (permalink / raw) To: Pierre Neidhardt; +Cc: guix-devel Peeps, I am not a core maintainer, but it should be obvious that core maintainers would not take a decision to revoke commit rights lightly. Since it hardly happens is it now a loss of face on both sides which it should not be. Marius representing the core maintainers clearly wrote: This is the next in a series of incidents. I.e., it is not only about Mark and his communication. Please read carefully. This was not an ad hoc decision. I think *everyone* will be happy to give Léo his rights back provided he plays by the rules of the Guix project. I think it is a good policy to revoke rights on any serious complaint about quality of work. Also, no one really needs commit rights to contribute. That is what core maintainers are for. Pj. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-29 14:14 ` Pjotr Prins @ 2021-04-30 17:40 ` Pierre Neidhardt 2021-04-30 19:56 ` Pjotr Prins 2021-05-01 14:50 ` Giovanni Biscuolo 0 siblings, 2 replies; 96+ messages in thread From: Pierre Neidhardt @ 2021-04-30 17:40 UTC (permalink / raw) To: Pjotr Prins; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 2325 bytes --] Hi Pjotr, I haven't really followed the issue, so I couldn't say whether the decision taken by the core maintainers was right or not. However, I find that your message is insightful in that it raises a few questions on _how_ this decision was taken. > I am not a core maintainer, but it should be obvious that core > maintainers would not take a decision to revoke commit rights lightly. I trust that it is the case, but being the devil's advocate, I could argue that from reading this thread does not make it obvious. Maybe the decision process should be made more transparent? Reading between the lines, I feel that some discussion happened behind closed curtains between some maintainers. Correct me if I'm wrong. I don't know if this is ideal in such circumstances, but if it is, then it is probably a good idea to mention it. Another question one could ask: why just the core maintainers actually? Shouldn't everyone be involved? Maybe the right answer is "no" here, and if so, I believe we should explain why in the community guidelines. Lest the community present an image where a few would benefit from arbitrary privileges. It'd be nice to explicit these and the reason behind the various roles found among the members of the community. Last, maybe a more important question: if core maintainers are entrusted to take executive decisions about the community members, what about executive decisions about the core maintainers themselves? Are there such provisions? Example: what if a core maintainers misbehaves? Can they see there privileges revoked? How? Is this documented? > Marius representing the core maintainers clearly wrote: This is the > next in a series of incidents. Considering this is the main cause for the decision, I believe it's important to detail it with references. "a series of incidents" is too vague and in isolation, it does not seem to justify the decision very well. It seems necessary to me to recap the whole series of points that led to the decision. So maybe there are some issues we could address with regard to the structural organization of the Guix community, which could help making it increasingly more welcoming, peaceful and strong. Food for thoughts! :) -- Pierre Neidhardt https://ambrevar.xyz/ [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 511 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-30 17:40 ` Pierre Neidhardt @ 2021-04-30 19:56 ` Pjotr Prins 2021-05-01 7:23 ` Arun Isaac 2021-05-01 9:15 ` Pierre Neidhardt 2021-05-01 14:50 ` Giovanni Biscuolo 1 sibling, 2 replies; 96+ messages in thread From: Pjotr Prins @ 2021-04-30 19:56 UTC (permalink / raw) To: Pierre Neidhardt; +Cc: guix-devel On Fri, Apr 30, 2021 at 07:40:36PM +0200, Pierre Neidhardt wrote: > I trust that it is the case, but being the devil's advocate, I could > argue that from reading this thread does not make it obvious. Maybe the > decision process should be made more transparent? Let's not make this a big thing. I am not a core committer - don't want to be one. What I know is that commit rights are given to people who are expected to play by the rules of the project. Is that hard to understand? When someone does not play by the rules and is unapologetic - and it happens multiple times - it is completely justified to take away those rights. Being a core committer is *not* a badge of honour. It does not give special privileges beyond what is expected. It does not give you money, a degree or a knighthood. It only allows you to push code directly where it interferes with the work of others :) Everyone will be *happy* to give the commit rights again, provided the person plays by the rules. Pj. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-30 19:56 ` Pjotr Prins @ 2021-05-01 7:23 ` Arun Isaac 2021-05-01 12:40 ` Pjotr Prins 2021-05-01 9:15 ` Pierre Neidhardt 1 sibling, 1 reply; 96+ messages in thread From: Arun Isaac @ 2021-05-01 7:23 UTC (permalink / raw) To: Pjotr Prins, Pierre Neidhardt; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1045 bytes --] Hi everyone, This decision aside, I share some of the general concerns raised by Pierre about core maintainership and the behind closed doors decision making process. > Being a core committer is *not* a badge of honour. It does not give > special privileges beyond what is expected. It does not give you > money, a degree or a knighthood. It only allows you to push code > directly where it interferes with the work of others :) We may like to imagine that being a core maintainer is not a badge of honor, but in reality, it *is* a badge of honor. A core maintainer is not just a regular participant any more than the President is just a public servant. If core maintainership is not to be associated with power and honor, we should put in place processes to achieve that. In that regard, Guix has done better than most other free software projects. For example, we don't assign people as maintainers (or owners) of specific packages or groups of packages like other distributions have. Still, I'm sure there's more we can do. Cheers! Arun [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 524 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-01 7:23 ` Arun Isaac @ 2021-05-01 12:40 ` Pjotr Prins 0 siblings, 0 replies; 96+ messages in thread From: Pjotr Prins @ 2021-05-01 12:40 UTC (permalink / raw) To: Arun Isaac; +Cc: guix-devel On Sat, May 01, 2021 at 12:53:43PM +0530, Arun Isaac wrote: > We may like to imagine that being a core maintainer is not a badge of > honor, but in reality, it *is* a badge of honor. A core maintainer is > not just a regular participant any more than the President is just a > public servant. If core maintainership is not to be associated with > power and honor, we should put in place processes to achieve that. It is an interesting perspective. One problem I see with assuming a badge of honor is that it will make it much harder to decide on giving commit rights because it will have to be based on merit/selection and make even harder to revoke them. Are you suggesting we elect committers? At this point, my personal assumption about the procedure and what I have seen is that if someone is promising and active they get commit rights - i.e., to make it easier on everyone who is maintaining Guix. It is about flow of work and convenience. A core committer is arguably not even a core maintainer. Nothing makes me think a core committer is comparable to an elected president. The Debian project is much larger than Guix and has unwieldy selection criteria for people joining certain levels. Is that what we want? One of the attractions of Guix to me is that it is a flat project and, as far as I can tell, we have mostly avoided regular politics distracting us from real work. We have channels so people can do what they want. No reason to meddle with the core project if you are not so inclined. I would vote to keep the Guix project structure as simple and flat as possible without overheads. Nimble is the word. Want to build your own cathedral? Start a channel. Pj. PS: I am not a core committer and not a core maintainer. All opinions are my own. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-30 19:56 ` Pjotr Prins 2021-05-01 7:23 ` Arun Isaac @ 2021-05-01 9:15 ` Pierre Neidhardt 2021-05-01 10:18 ` Yasuaki Kudo 1 sibling, 1 reply; 96+ messages in thread From: Pierre Neidhardt @ 2021-05-01 9:15 UTC (permalink / raw) To: Pjotr Prins; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 899 bytes --] Pjotr Prins <pjotr.public12@thebird.nl> writes: > Being a core committer is *not* a badge of honour. It does not give > special privileges beyond what is expected. But this may not be true. Quite a few people have expressed otherwise over the years. Maybe an issue is that much of the organizational structure of Guix is implicit. The roles are not well defined and as a result, they may reach beyond what is commonly understood. Some time ago, I was discussing the quetsion of implicit structure with Ludo, who sent me this essay: https://www.jofreeman.com/joreen/tyranny.htm I found it enlightening and quite relevant to the matter at hand. Even if in the end my concerns end up being unjustified, I find it good practice to always question the status quo: maybe something better could come out of it! :) Cheers! -- Pierre Neidhardt https://ambrevar.xyz/ [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 511 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-01 9:15 ` Pierre Neidhardt @ 2021-05-01 10:18 ` Yasuaki Kudo 2021-05-03 7:18 ` Pierre Neidhardt 0 siblings, 1 reply; 96+ messages in thread From: Yasuaki Kudo @ 2021-05-01 10:18 UTC (permalink / raw) To: Pierre Neidhardt; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1289 bytes --] Hello! I don't know the details of the case at all but let met mention this: https://communityrule.info/ It comes from the world of worker cooperatives and I think them "rules of the community" is discussed a lot there as well 😄 Cheers, Yasu > On May 1, 2021, at 18:16, Pierre Neidhardt <mail@ambrevar.xyz> wrote: > > Pjotr Prins <pjotr.public12@thebird.nl> writes: > >> Being a core committer is *not* a badge of honour. It does not give >> special privileges beyond what is expected. > > But this may not be true. Quite a few people have expressed otherwise > over the years. > > Maybe an issue is that much of the organizational structure of Guix is > implicit. The roles are not well defined and as a result, they may > reach beyond what is commonly understood. > > Some time ago, I was discussing the quetsion of implicit structure with > Ludo, who sent me this essay: > > https://www.jofreeman.com/joreen/tyranny.htm > > I found it enlightening and quite relevant to the matter at hand. > > Even if in the end my concerns end up being unjustified, I find it good > practice to always question the status quo: maybe something better could > come out of it! :) > > Cheers! > > -- > Pierre Neidhardt > https://ambrevar.xyz/ [-- Attachment #2: Type: text/html, Size: 2190 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-01 10:18 ` Yasuaki Kudo @ 2021-05-03 7:18 ` Pierre Neidhardt 0 siblings, 0 replies; 96+ messages in thread From: Pierre Neidhardt @ 2021-05-03 7:18 UTC (permalink / raw) To: Yasuaki Kudo; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 807 bytes --] Hi! Yasuaki Kudo <yasu@yasuaki.com> writes: > I don't know the details of the case at all but let met mention this: > https://communityrule.info/ > It comes from the world of worker cooperatives and I think them "rules of the community" is discussed a lot there as well 😄 Thanks for sharing, I didn't know about this! I think it's a great starting point. I like these ones in particular: https://communityrule.info/create/?r=consensus https://communityrule.info/create/?r=jury communityrule.info helps identifying different types of governance, with different strategies to various decision problems. Let's note this down and bring it back up in a thread that's more focused on the governance question of Guix. Cheers! -- Pierre Neidhardt https://ambrevar.xyz/ [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 511 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-30 17:40 ` Pierre Neidhardt 2021-04-30 19:56 ` Pjotr Prins @ 2021-05-01 14:50 ` Giovanni Biscuolo 2021-05-03 7:25 ` Pierre Neidhardt 1 sibling, 1 reply; 96+ messages in thread From: Giovanni Biscuolo @ 2021-05-01 14:50 UTC (permalink / raw) To: Pierre Neidhardt; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 4199 bytes --] Hi Pierre, Pierre Neidhardt <mail@ambrevar.xyz> writes: > I haven't really followed the issue, I have, very carefully ;-) > so I couldn't say whether the decision taken by the core maintainers > was right or not. From my point of view it was /but/ this is *not* relevant: what's relevant here is that /if/ we trust Guix maintainers (I do) when they give commit access rights to people, whe /have/ to trust them when they revoke those rights. We /should/ disccus /if/ the rules and best practices to have and maintain the commit acces are well documented: please make proposals (patches wellcome :-) ) but please we have to keep trusting Guix maintainers (that is a collective of very competent people). [...] >> I am not a core maintainer, but it should be obvious that core >> maintainers would not take a decision to revoke commit rights lightly. > > I trust that it is the case, but being the devil's advocate, Please don't: «Why the Devil's Advocate Doesn't Help Reach the Truth» https://www.gnu.org/philosophy/devils-advocate.html --8<---------------cut here---------------start------------->8--- The devil achieves that by twisting my words: presenting a misleading context in which my words appear to mean something other than what I intended. --8<---------------cut here---------------end--------------->8--- ;-) [...] > Another question one could ask: why just the core maintainers > actually? Shouldn't everyone be involved? Maybe the right answer is > "no" here, and if so, I believe we should explain why in the community > guidelines. Guix is a GNU project and AFAIU GNU project management is well documented: https://www.gnu.org/gnu/gnu-structure.html I don't know if Guix project needs specific «GNU Guix structure» documentation but /if/ the answer is yes it should complement the official GNU one, not replace it, IMHO. BTW I see Guix contributors with commit access as "package maintanance assistants" delegated by maintainers to make some technical decisions: --8<---------------cut here---------------start------------->8--- The maintainers of a package often recruit others to contribute to its development, and delegate some technical decisions to them. However, the maintainers retain authority over the whole of the package so they can carry out their responsibility to the GNU Project. --8<---------------cut here---------------end--------------->8--- Please we should always consider that GNU maintainers are the persons that carry out the responsibility to the GNU project, not contributors with commit access. Maybe the contributing section of Guix manual should mention it and link the relevant GNU project's documents: do you think it'd be useful? > Lest the community present an image where a few would benefit from > arbitrary privileges. ...or seen from /the other side of the moon/: a few carry out the precious work to be /responsible/ to do a good, practical job of developing and maintaining Guix according to the GNU project's mission and general decision. If you want call it /arbitrary privilege/ but I have a different point of view :-D The "community" (whatever this means) should acknowledge that contributing also means to be responsible toward other users of free software: this needs competence in the specific matter (also domain specific), discipline (i.e. properly documenting changes in commit messages) and commitment to a set of common shared rules (documented in Guix and GNU project manual). [...] > Last, maybe a more important question: if core maintainers are > entrusted to take executive decisions about the community members, > what about executive decisions about the core maintainers themselves? Maintainers are appointed by the GNU project. > Are there such provisions? Example: what if a core maintainers > misbehaves? Can they see there privileges revoked? How? Is this > documented? «GNU Software Evaluation» https://www.gnu.org/help/evaluation.html#whatmeans Does this answer your question? [...] Happy hacking! Gio' -- Giovanni Biscuolo Xelera IT Infrastructures [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 849 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-01 14:50 ` Giovanni Biscuolo @ 2021-05-03 7:25 ` Pierre Neidhardt 2021-05-04 2:18 ` Bengt Richter 0 siblings, 1 reply; 96+ messages in thread From: Pierre Neidhardt @ 2021-05-03 7:25 UTC (permalink / raw) To: Giovanni Biscuolo; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 432 bytes --] Hi Giovanni, > Guix is a GNU project and AFAIU GNU project management is well > documented: > > https://www.gnu.org/gnu/gnu-structure.html This applies to GNU at the top level, but it does not specify how sub-projects (referred to as "packages" in the aforementioned document) are governed locally. This question is mostly left unanswered as I understand it. Cheers! -- Pierre Neidhardt https://ambrevar.xyz/ [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 511 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-03 7:25 ` Pierre Neidhardt @ 2021-05-04 2:18 ` Bengt Richter 2021-05-04 6:55 ` Pierre Neidhardt 0 siblings, 1 reply; 96+ messages in thread From: Bengt Richter @ 2021-05-04 2:18 UTC (permalink / raw) To: Pierre Neidhardt; +Cc: guix-devel Hi Pierre, On +2021-05-03 09:25:21 +0200, Pierre Neidhardt wrote: > Hi Giovanni, > > > Guix is a GNU project and AFAIU GNU project management is well > > documented: > > > > https://www.gnu.org/gnu/gnu-structure.html > > This applies to GNU at the top level, but it does not specify how > sub-projects (referred to as "packages" in the aforementioned document) > are governed locally. This question is mostly left unanswered as I > understand it. > You may find some clues here: https://www.gnu.org/help/evaluation.html#whatmeans And links to more :) > Cheers! > > -- > Pierre Neidhardt > https://ambrevar.xyz/ -- Regards, Bengt Richter ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-04 2:18 ` Bengt Richter @ 2021-05-04 6:55 ` Pierre Neidhardt 2021-05-04 15:43 ` Ludovic Courtès 0 siblings, 1 reply; 96+ messages in thread From: Pierre Neidhardt @ 2021-05-04 6:55 UTC (permalink / raw) To: Bengt Richter; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 693 bytes --] Hi Bengt, >> This applies to GNU at the top level, but it does not specify how >> sub-projects (referred to as "packages" in the aforementioned document) >> are governed locally. This question is mostly left unanswered as I >> understand it. >> > > You may find some clues here: > https://www.gnu.org/help/evaluation.html#whatmeans > And links to more :) Thanks for sharing. I've read it and it does not seem to be concerned with the question of governance. At the bottom, I found this long manual which may offer more discussion: https://www.gnu.org/prep/maintain/ But one has to dissect it first :) Cheers! -- Pierre Neidhardt https://ambrevar.xyz/ [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 511 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-04 6:55 ` Pierre Neidhardt @ 2021-05-04 15:43 ` Ludovic Courtès 2021-05-06 17:18 ` Pierre Neidhardt 0 siblings, 1 reply; 96+ messages in thread From: Ludovic Courtès @ 2021-05-04 15:43 UTC (permalink / raw) To: Pierre Neidhardt; +Cc: guix-devel Hi, Pierre Neidhardt <mail@ambrevar.xyz> skribis: > Thanks for sharing. I've read it and it does not seem to be concerned > with the question of governance. For the record, you can read about Guix roles and responsibilities at: https://guix.gnu.org/en/blog/2019/gnu-guix-maintainer-collective-expands/ The “Contributing” section of the manual discusses specific policies: https://guix.gnu.org/manual/en/html_node/Contributing.html Evidently, some aspects have yet to be formalized. HTH, Ludo’. ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-05-04 15:43 ` Ludovic Courtès @ 2021-05-06 17:18 ` Pierre Neidhardt 0 siblings, 0 replies; 96+ messages in thread From: Pierre Neidhardt @ 2021-05-06 17:18 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1327 bytes --] Hi Ludo, Thanks for the links, it's a good starting point. > For the record, you can read about Guix roles and responsibilities at: > > https://guix.gnu.org/en/blog/2019/gnu-guix-maintainer-collective-expands/ I think a good next step would be to store this information at a more accessible location on https://guix.gnu.org. A visitor looking for this kind of information may not think to browse the blog entries. It's also not convenient, since it gets buried deeper and deeper as articles get published. > The “Contributing” section of the manual discusses specific policies: > > https://guix.gnu.org/manual/en/html_node/Contributing.html This page mentions the code of conduct, which gives some guidelines on communication, but as I understand it, it does not say anything about structure or governance. The code of conduct itself could be expanded. For a start, we could address some characteristic communication issues that have occurred on the mailing list over time. For example, we could add a section on "Accountability != blame", to paraphrase Jelle. Another section (a very important one in my opinion) could be about giving the benefit of the doubt and _ask why_ before policing someone. Food for thoughts! Cheers! -- Pierre Neidhardt https://ambrevar.xyz/ [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 511 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-29 11:41 ` Arun Isaac 2021-04-29 12:44 ` Pierre Neidhardt @ 2021-04-29 16:21 ` Arun Isaac 1 sibling, 0 replies; 96+ messages in thread From: Arun Isaac @ 2021-04-29 16:21 UTC (permalink / raw) To: Marius Bakke; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 720 bytes --] Hi Guix, >> I'm sorry to say your commit privileges have been temporarily >> suspended. After one month, you are invited to get in touch with the >> maintainers collective and discuss next steps. > > I think this suspension goes too far and doesn't help de-escalate the > issue. I think Léo should be cut some slack since it was Mark who opened > poorly with public shaming. I can completely understand why Léo is > responding defensively. It looks like I made this statement based on this instance only and without considering earlier instances. I normally don't read most mail on guix-devel. It's too high volume for me. Sorry about that. Please consider my statement withdrawn. Thanks, Arun [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 524 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-23 19:18 ` Leo Famulari 2021-04-23 19:33 ` Léo Le Bouter @ 2021-04-26 19:31 ` Léo Le Bouter 2021-04-27 18:10 ` Andreas Enge 1 sibling, 1 reply; 96+ messages in thread From: Léo Le Bouter @ 2021-04-26 19:31 UTC (permalink / raw) To: Leo Famulari Cc: Maxim Cournoyer, Mark H Weaver, Raghav Gururajan, Guix Devel, Leo Prikler, Sou Bunnbu [-- Attachment #1: Type: text/plain, Size: 3168 bytes --] On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: > I have to agree with everybody in this thead. > > The commits in question were problematic (especially on core-updates, > which is not a "WIP" branch and thus cannot be rewritten to fix past > problems). I'm not confident that the security fixes would have been > reinstated on core-updates if Mark had not asked about them. > > Léo and Raghav, you need to keep learning our workflow around > security > updates. It's not okay to remove security patches and later update a > package to a fixed version in a different commit. `git rebase` is the > tool to learn for cases like this one. I do not think here that Raghav and myself should somehow be framed as people having to learn more and that would be the reason for these issues. To talk about myself, I think the main difference here is that Mark and myself consider different things to have value when contributing to GNU Guix. Mark tends to consider the technicality of contributing to GNU Guix, that the code be well tested, that every change be made in a very rigorous way. I tend to also consider these things but also consider other things like how people feel when they contribute to GNU Guix, do they feel discouraged or rewarded by their contributions, I find that it can be tiring and very discouraging to respond back and forth to many many review comments, and at some point, even if things have some rough edges, I tend to prefer rewarding a contributor for their work than insist the commit history should be perfect or something. I also stopped upholding myself to high rigorous standards at all times, also because I think it is not good for my mental health. I tend to move the responsability of rigorous testing into tools, I think putting testing/checking into tools is at the same time good for mental health and inclusive because it means also everyone can check their own changes and correct errors. Having tools to check things is less stressful for everyone, I discovered that aspect after I learned Rust and I think it really is the way to go. I think there is an aspect of contribution where people feel stressed and doubt themselves and that's what keeps them away from contribution, if we have tools then those problems tend to disappear because the tool acts as a stopgap, the tool can also be collectively improved as soon as more best practices are discovered by the community. Rust does this with clippy lint rules, the borrow checker and the very well made error/warning reporting of the compiler. I think relying more on tools even if we never can do so fully and less on individual accountability is better here. > > However, Mark, you have way more experience, and you need to handle > these things differently. If you don't trust certain Guix > contributors, > take it up with the maintainers — in private. The style of > communication > you used here is ineffective and will dissuade people from > contributing > to Guix. Do you want Léo and Raghav to learn and improve? Or do you > want > them to leave? Remember that we all begin as beginners. Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes 2021-04-26 19:31 ` Léo Le Bouter @ 2021-04-27 18:10 ` Andreas Enge 0 siblings, 0 replies; 96+ messages in thread From: Andreas Enge @ 2021-04-27 18:10 UTC (permalink / raw) To: Léo Le Bouter; +Cc: Guix Devel Hello Léo, Am Mon, Apr 26, 2021 at 09:31:18PM +0200 schrieb Léo Le Bouter: > also consider other things like how people feel when they > contribute to GNU Guix, do they feel discouraged or rewarded by their > contributions indeed that is an important aspect. > I find that it can be tiring and very discouraging to > respond back and forth to many many review comments, and at some point, > even if things have some rough edges, I tend to prefer rewarding a > contributor for their work than insist the commit history should be > perfect or something. I also stopped upholding myself to high rigorous > standards at all times, also because I think it is not good for my > mental health. I agree that it can be a bit tiring, but at the same time, I think that the high quality of Guix is a very important feature, that sets it apart from some other distros. It is definitely one of the reasons I am using it and have been contributing to it. And it has been one of the defining features of Guix from the start that we try to avoid rough edges as much as possible. Like building texlive from source instead of wrapping Debian binaries, to give just one example. Or striving for bootstrappability, which can be seen as removing rough edges at the expense of extraordinary efforts. Luckily, I do not think that enjoying contributing and keeping high quality standards are in contradiction. > I tend to move the responsability of rigorous testing > into tools, I think putting testing/checking into tools is at the same > time good for mental health and inclusive because it means also > everyone can check their own changes and correct errors. Tooling can definitely be helpful with this. We have "guix lint", and if you have ideas for improved tools, these would be very welcome. Andreas ^ permalink raw reply [flat|nested] 96+ messages in thread
end of thread, other threads:[~2021-05-06 17:25 UTC | newest] Thread overview: 96+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-04-22 0:58 A "cosmetic changes" commit that removes security fixes Raghav Gururajan 2021-04-22 2:41 ` Mark H Weaver 2021-04-22 3:17 ` Raghav Gururajan 2021-04-22 4:05 ` Raghav Gururajan 2021-04-22 4:33 ` Mark H Weaver 2021-04-22 5:02 ` Raghav Gururajan 2021-04-22 17:21 ` Mark H Weaver 2021-04-22 17:40 ` Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) Mark H Weaver 2021-04-22 20:06 ` Léo Le Bouter 2021-04-22 21:24 ` Ricardo Wurmus 2021-04-22 21:33 ` Mark H Weaver 2021-04-26 17:17 ` Ludovic Courtès 2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver 2021-04-28 17:55 ` Leo Famulari 2021-04-28 20:24 ` Pjotr Prins 2021-04-29 6:54 ` Joshua Branson 2021-04-29 9:26 ` Léo Le Bouter 2021-04-29 15:30 ` Matias Jose Seco Baccanelli 2021-04-30 0:57 ` aviva 2021-05-01 17:02 ` Giovanni Biscuolo 2021-05-01 20:07 ` Leo Prikler 2021-05-01 22:12 ` Mark H Weaver 2021-05-01 22:54 ` Mark H Weaver 2021-05-01 23:15 ` Leo Prikler 2021-05-02 3:13 ` Mark H Weaver 2021-05-02 10:31 ` Leo Prikler 2021-05-03 9:00 ` Mark H Weaver 2021-05-03 9:59 ` Leo Prikler 2021-05-03 17:00 ` Mark H Weaver 2021-05-02 4:17 ` 宋文武 2021-05-02 4:31 ` Leo Famulari 2021-05-02 6:26 ` 宋文武 2021-05-02 15:01 ` Leo Prikler 2021-05-02 19:29 ` Mark H Weaver 2021-05-02 20:09 ` Leo Prikler 2021-05-02 21:02 ` Mark H Weaver 2021-05-02 21:58 ` Leo Prikler 2021-05-02 20:59 ` Ludovic Courtès 2021-05-02 21:23 ` Mark H Weaver [not found] ` <87czu9sr9k.fsf@outlook.com> 2021-05-02 4:33 ` 宋文武 2021-04-22 21:51 ` Another misleading commit log " Ludovic Courtès 2021-04-22 21:49 ` A "cosmetic changes" commit that removes security fixes Raghav Gururajan 2021-04-24 8:09 ` Mark H Weaver 2021-04-30 0:58 ` aviva 2021-04-22 18:37 ` Leo Famulari 2021-04-22 18:48 ` Mark H Weaver 2021-04-22 21:50 ` Raghav Gururajan 2021-04-22 4:08 ` Mark H Weaver 2021-04-22 11:39 ` 宋文武 2021-04-22 13:28 ` Mark H Weaver 2021-04-22 20:01 ` Léo Le Bouter 2021-04-22 21:08 ` Christopher Baines 2021-04-22 21:09 ` Leo Prikler 2021-04-22 21:21 ` Mark H Weaver 2021-04-23 17:52 ` Maxim Cournoyer 2021-04-23 18:00 ` Raghav Gururajan 2021-04-23 18:38 ` Maxim Cournoyer 2021-04-23 22:06 ` Raghav Gururajan 2021-04-23 18:50 ` Léo Le Bouter 2021-04-23 19:15 ` Leo Prikler 2021-04-23 19:18 ` Leo Famulari 2021-04-23 19:33 ` Léo Le Bouter 2021-04-23 20:12 ` Leo Famulari 2021-04-26 17:06 ` Giovanni Biscuolo 2021-04-26 17:32 ` Leo Famulari 2021-04-26 21:56 ` Giovanni Biscuolo 2021-04-26 23:01 ` Leo Famulari 2021-04-24 7:46 ` Mark H Weaver 2021-04-26 14:59 ` Léo Le Bouter 2021-04-26 15:23 ` Tobias Geerinckx-Rice 2021-04-26 17:21 ` Ludovic Courtès 2021-04-26 20:07 ` Pjotr Prins 2021-04-26 17:46 ` Léo Le Bouter 2021-04-28 15:52 ` Marius Bakke 2021-04-29 9:13 ` Léo Le Bouter 2021-04-29 11:46 ` Leo Prikler 2021-04-29 11:57 ` Léo Le Bouter 2021-04-29 11:41 ` Arun Isaac 2021-04-29 12:44 ` Pierre Neidhardt 2021-04-29 14:14 ` Pjotr Prins 2021-04-30 17:40 ` Pierre Neidhardt 2021-04-30 19:56 ` Pjotr Prins 2021-05-01 7:23 ` Arun Isaac 2021-05-01 12:40 ` Pjotr Prins 2021-05-01 9:15 ` Pierre Neidhardt 2021-05-01 10:18 ` Yasuaki Kudo 2021-05-03 7:18 ` Pierre Neidhardt 2021-05-01 14:50 ` Giovanni Biscuolo 2021-05-03 7:25 ` Pierre Neidhardt 2021-05-04 2:18 ` Bengt Richter 2021-05-04 6:55 ` Pierre Neidhardt 2021-05-04 15:43 ` Ludovic Courtès 2021-05-06 17:18 ` Pierre Neidhardt 2021-04-29 16:21 ` Arun Isaac 2021-04-26 19:31 ` Léo Le Bouter 2021-04-27 18:10 ` Andreas Enge
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.