From: Christopher Baines <mail@cbaines.net>
To: "Léo Le Bouter" <lle-bout@zaclys.net>
Cc: Raghav Gururajan <rg@raghavgururajan.name>,
Leo Prikler <leo.prikler@student.tugraz.at>,
guix-devel@gnu.org
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Thu, 22 Apr 2021 22:08:09 +0100 [thread overview]
Message-ID: <8735vihvt2.fsf@cbaines.net> (raw)
In-Reply-To: <af859e1eeb0963c4e0fe301f877f271b9d39b2a5.camel@zaclys.net>
[-- Attachment #1: Type: text/plain, Size: 4270 bytes --]
Léo Le Bouter <lle-bout@zaclys.net> writes:
> On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote:
>> Hi Raghav,
>>
>> Raghav Gururajan <rg@raghavgururajan.name> writes:
>>
>> > > Those commits on 'core-updates' were digitally signed by Léo Le
>> > > Bouter
>> > > <lle-bout@zaclys.net> and have the same problems: they remove
>> > > security
>> > > fixes, and yet the summary lines indicate that only "cosmetic
>> > > changes"
>> > > were made.
>> >
>> > Yeah, the commit title didn't mention the change but the commit
>> > message did.
>>
>> I'm sorry, but that won't do. There are at least three things wrong
>> with these commits:
>>
>> (1) The summary lines were misleading, because they implied that no
>> functional changes were made.
>>
>> (2) The commit messages were misleading, because they failed to
>> mention
>> that security holes which had previously been fixed were now
>> being
>> re-introduced. That wasn't at all obvious.
>>
>> Commits like these, which remove patches that had fixed security
>> flaws, are fairly common: someone casually looking over the
>> commit
>> log might assume that the patches could be safely removed because
>> a
>> version update was done at the same time, rendering those patches
>> obsolete.
>>
>> (3) Although your 'glib' commit was immediately followed by a 'glib'
>> update, rendering it harmless, your misleading 'cairo' commit
>> left
>> 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our
>> 'core-updates' and 'wip-gnome' branches. Those will need to be
>> fixed now.
>>
>> Léo Le Bouter <lle-bout@zaclys.net> is also culpable here, because he
>> digitally signed the misleading 'cairo' commit that's on our
>> 'core-updates' branch, which re-introduced CVE-2018-19876 and
>> CVE-2020-35492.
>>
>> --8<---------------cut here---------------start------------->8---
>> commit f94cdc86f644984ca83164d40b17e7eed6e22091
>> gpg: Signature made Fri 26 Mar 2021 05:13:57 PM EDT
>> gpg: using RSA key
>> 148BCB8BD80BFB16B1DE0E9145A8B1E86BCD10A6
>> gpg: Good signature from "Léo Le Bouter <lle-bout@zaclys.net>"
>> [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to
>> the owner.
>> Primary key fingerprint: 148B CB8B D80B FB16 B1DE 0E91 45A8 B1E8
>> 6BCD 10A6
>> Author: Raghav Gururajan <raghavgururajan@disroot.org>
>> Date: Fri Dec 4 00:48:43 2020 -0500
>>
>> gnu: cairo: Make some cosmetic changes.
>>
>> * gnu/packages/patches/cairo-CVE-2018-19876.patch,
>> gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches.
>> * gnu/local.mk (dist_patch_DATA): Unregister them.
>> * gnu/packages/gtk.scm (cairo): Make some cosmetic changes.
>> [replacement]: Remove.
>> (cairo/fixed): Remove.
>>
>> Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net>
>> --8<---------------cut here---------------end--------------->8---
>>
>> https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091
>>
>> Even the most superficial skimming of this commit should have
>> immediately raised red flags, because the summary line is clearly
>> inaccurate. It shows a lack of careful review, to put it mildly.
>>
>> Mark
>
> Hello Mark,
>
> I don't share your analysis, the security fixes werent stripped because
> glib/cairo was also updated to latest version in subsequent commits
> which were pushed all at once.
>
> Careful review was done, and that's why I signed-off and GPG-signed the
> commits. Nobody was put at risk by these commits and no security fixes
> were stripped.
I think the guidance is that commits should include one set of related
changes, so if the patches/replacement can be removed because the
package is being updated, those related changes should be in the same
commit. If there are other unrelated changes, they can go in other
commits.
Especially if the commits are being pushed at the same time, it's worth
making sure this happens, so that it's easier to review and look at the
changes in a sensible way.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 987 bytes --]
next prev parent reply other threads:[~2021-04-22 21:08 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-22 0:58 A "cosmetic changes" commit that removes security fixes Raghav Gururajan
2021-04-22 2:41 ` Mark H Weaver
2021-04-22 3:17 ` Raghav Gururajan
2021-04-22 4:05 ` Raghav Gururajan
2021-04-22 4:33 ` Mark H Weaver
2021-04-22 5:02 ` Raghav Gururajan
2021-04-22 17:21 ` Mark H Weaver
2021-04-22 17:40 ` Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes) Mark H Weaver
2021-04-22 20:06 ` Léo Le Bouter
2021-04-22 21:24 ` Ricardo Wurmus
2021-04-22 21:33 ` Mark H Weaver
2021-04-26 17:17 ` Ludovic Courtès
2021-04-28 16:43 ` Criticisms of my "tone" " Mark H Weaver
2021-04-28 17:55 ` Leo Famulari
2021-04-28 20:24 ` Pjotr Prins
2021-04-29 6:54 ` Joshua Branson
2021-04-29 9:26 ` Léo Le Bouter
2021-04-29 15:30 ` Matias Jose Seco Baccanelli
2021-04-30 0:57 ` aviva
2021-05-01 17:02 ` Giovanni Biscuolo
2021-05-01 20:07 ` Leo Prikler
2021-05-01 22:12 ` Mark H Weaver
2021-05-01 22:54 ` Mark H Weaver
2021-05-01 23:15 ` Leo Prikler
2021-05-02 3:13 ` Mark H Weaver
2021-05-02 10:31 ` Leo Prikler
2021-05-03 9:00 ` Mark H Weaver
2021-05-03 9:59 ` Leo Prikler
2021-05-03 17:00 ` Mark H Weaver
2021-05-02 4:17 ` 宋文武
2021-05-02 4:31 ` Leo Famulari
2021-05-02 6:26 ` 宋文武
2021-05-02 15:01 ` Leo Prikler
2021-05-02 19:29 ` Mark H Weaver
2021-05-02 20:09 ` Leo Prikler
2021-05-02 21:02 ` Mark H Weaver
2021-05-02 21:58 ` Leo Prikler
2021-05-02 20:59 ` Ludovic Courtès
2021-05-02 21:23 ` Mark H Weaver
[not found] ` <87czu9sr9k.fsf@outlook.com>
2021-05-02 4:33 ` 宋文武
2021-04-22 21:51 ` Another misleading commit log " Ludovic Courtès
2021-04-22 21:49 ` A "cosmetic changes" commit that removes security fixes Raghav Gururajan
2021-04-24 8:09 ` Mark H Weaver
2021-04-30 0:58 ` aviva
2021-04-22 18:37 ` Leo Famulari
2021-04-22 18:48 ` Mark H Weaver
2021-04-22 21:50 ` Raghav Gururajan
2021-04-22 4:08 ` Mark H Weaver
2021-04-22 11:39 ` 宋文武
2021-04-22 13:28 ` Mark H Weaver
2021-04-22 20:01 ` Léo Le Bouter
2021-04-22 21:08 ` Christopher Baines [this message]
2021-04-22 21:09 ` Leo Prikler
2021-04-22 21:21 ` Mark H Weaver
2021-04-23 17:52 ` Maxim Cournoyer
2021-04-23 18:00 ` Raghav Gururajan
2021-04-23 18:38 ` Maxim Cournoyer
2021-04-23 22:06 ` Raghav Gururajan
2021-04-23 18:50 ` Léo Le Bouter
2021-04-23 19:15 ` Leo Prikler
2021-04-23 19:18 ` Leo Famulari
2021-04-23 19:33 ` Léo Le Bouter
2021-04-23 20:12 ` Leo Famulari
2021-04-26 17:06 ` Giovanni Biscuolo
2021-04-26 17:32 ` Leo Famulari
2021-04-26 21:56 ` Giovanni Biscuolo
2021-04-26 23:01 ` Leo Famulari
2021-04-24 7:46 ` Mark H Weaver
2021-04-26 14:59 ` Léo Le Bouter
2021-04-26 15:23 ` Tobias Geerinckx-Rice
2021-04-26 17:21 ` Ludovic Courtès
2021-04-26 20:07 ` Pjotr Prins
2021-04-26 17:46 ` Léo Le Bouter
2021-04-28 15:52 ` Marius Bakke
2021-04-29 9:13 ` Léo Le Bouter
2021-04-29 11:46 ` Leo Prikler
2021-04-29 11:57 ` Léo Le Bouter
2021-04-29 11:41 ` Arun Isaac
2021-04-29 12:44 ` Pierre Neidhardt
2021-04-29 14:14 ` Pjotr Prins
2021-04-30 17:40 ` Pierre Neidhardt
2021-04-30 19:56 ` Pjotr Prins
2021-05-01 7:23 ` Arun Isaac
2021-05-01 12:40 ` Pjotr Prins
2021-05-01 9:15 ` Pierre Neidhardt
2021-05-01 10:18 ` Yasuaki Kudo
2021-05-03 7:18 ` Pierre Neidhardt
2021-05-01 14:50 ` Giovanni Biscuolo
2021-05-03 7:25 ` Pierre Neidhardt
2021-05-04 2:18 ` Bengt Richter
2021-05-04 6:55 ` Pierre Neidhardt
2021-05-04 15:43 ` Ludovic Courtès
2021-05-06 17:18 ` Pierre Neidhardt
2021-04-29 16:21 ` Arun Isaac
2021-04-26 19:31 ` Léo Le Bouter
2021-04-27 18:10 ` Andreas Enge
-- strict thread matches above, loose matches on Subject: below --
2021-04-21 21:11 Mark H Weaver
2021-04-21 21:24 ` Mark H Weaver
2021-04-21 22:22 ` Tobias Geerinckx-Rice
2021-04-21 23:45 ` Raghav Gururajan
2021-04-21 22:16 ` Leo Prikler
2021-04-21 22:52 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8735vihvt2.fsf@cbaines.net \
--to=mail@cbaines.net \
--cc=guix-devel@gnu.org \
--cc=leo.prikler@student.tugraz.at \
--cc=lle-bout@zaclys.net \
--cc=rg@raghavgururajan.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.