Mark H Weaver writes:

> Hi Raghav,
>
> Raghav Gururajan writes:
>
>>> Those commits on 'core-updates' were digitally signed by Léo Le Bouter
>>> and have the same problems: they remove security
>>> fixes, and yet the summary lines indicate that only "cosmetic changes"
>>> were made.
>>
>> Yeah, the commit title didn't mention the change but the commit message did.
>
> I'm sorry, but that won't do. There are at least three things wrong
> with these commits:
>
> (1) The summary lines were misleading, because they implied that no
> functional changes were made.

Yes, if the title can't summarize the change, then the change should be split into multiple commits.

> (2) The commit messages were misleading, because they failed to mention
> that security holes which had previously been fixed were now being
> re-introduced. That wasn't at all obvious.
>
> Commits like these, which remove patches that had fixed security
> flaws, are fairly common: someone casually looking over the commit
> log might assume that the patches could be safely removed because a
> version update was done at the same time, rendering those patches
> obsolete.

Agree, I think we should mention explicitly that those patches are now not needed after some code audit.

> (3) Although your 'glib' commit was immediately followed by a 'glib'
> update, rendering it harmless, your misleading 'cairo' commit left
> 'cairo' vulnerable to CVE-2018-19876 and CVE-2020-35492 on our
> 'core-updates' and 'wip-gnome' branches. Those will need to be
> fixed now.

This patch is for core-updates: