From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id YEnIM4P5hmCUCAAAgWs5BA (envelope-from ) for ; Mon, 26 Apr 2021 19:33:55 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id eFWKL4P5hmC1EAAA1q6Kng (envelope-from ) for ; Mon, 26 Apr 2021 17:33:55 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 6F61B1DC5A for ; Mon, 26 Apr 2021 19:33:55 +0200 (CEST) Received: from localhost ([::1]:60608 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lb57K-0005F8-4S for larch@yhetil.org; Mon, 26 Apr 2021 13:33:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:57634) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lb56V-0005Et-PP for guix-devel@gnu.org; Mon, 26 Apr 2021 13:33:04 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:46511) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lb56O-0001ko-Q7; Mon, 26 Apr 2021 13:33:03 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 00B075C012A; Mon, 26 Apr 2021 13:32:55 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Mon, 26 Apr 2021 13:32:55 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=mesmtp; bh=/dOR1vqlfO3+/9pEMAF8qkKd CYj6qBLawgwHVyEQWfM=; b=EBn+MqLbBov1JYQNQSxswRBBzGPZAVApaK6rvYsJ 6Y8JMNMd2CbCpsO+M8Mo+qeIiemM07jECS1JXF+QKdkQDkgTkAQ6KYmSbQ7Ih/Vs 68sWHTjA/eEjUflq3wNkxMIXaM/UKcMxzYsq4qseFYf0mI8toUhOvyzAhes6KHcE 3nA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=/dOR1v qlfO3+/9pEMAF8qkKdCYj6qBLawgwHVyEQWfM=; b=HXQ2RZBJ8PnZxzdvBXRtrr uD53hyLksqHv4z9tKbtVUylGVJ3HlL7Q6MWq87666g1W0cO1hWbBtOGZAR/U4E4P 5gWY3TfCPyE4XWHNhkX55Ff7eKLlqlwFIz9EW84eZSKlZ6eoUb3R75/NThj4YpR5 Tb8NTrwSR8ZYSL4pMVP+Y29AWHCC52ZsA8NjYpg7aWu9T9Yuel92DrGM/h8Oj4uq Ec4aJrMBmd1TJ9mXBkjne7cB8v2W+1LMaDgUJbTnRsKwfzIZzH6GVEttJoPryHD8 WcGWB6v4P14OsLdVecBmfWw0pUR6mbcRGBcOEwnfMPHZlRwYePhlY5FwbTfbUaOg == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddukedgudduiecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpeffhffvuffkfhggtggujgesghdtreertddtvdenucfhrhhomhepnfgvohcu hfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuggftrfgrth htvghrnhepudekveegteekleetgfeitdejgfejkeffudethedvhfeukeduleeikeejfeeh ffetnecukfhppedutddtrdduuddrudeiledruddukeenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id A5EAE1080066; Mon, 26 Apr 2021 13:32:53 -0400 (EDT) Date: Mon, 26 Apr 2021 13:32:51 -0400 From: Leo Famulari To: Giovanni Biscuolo Subject: Re: A "cosmetic changes" commit that removes security fixes Message-ID: References: <87r1j30xmo.fsf@netris.org> <87czumypz3.fsf@netris.org> <87o8e4zy5k.fsf@gmail.com> <5cbbfa9b258fb28beb9288685ccc85b4d015cd8a.camel@zaclys.net> <87tuntasbq.fsf@biscuolo.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="KZWwhcsgWS/8VjzI" Content-Disposition: inline In-Reply-To: <87tuntasbq.fsf@biscuolo.net> Received-SPF: pass client-ip=66.111.4.28; envelope-from=leo@famulari.name; helo=out4-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Guix Devel , Raghav Gururajan Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1619458435; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=/dOR1vqlfO3+/9pEMAF8qkKdCYj6qBLawgwHVyEQWfM=; b=BL/E1YSgVlSAZPYzX4fSv94HgO5RbG4ALcPyA7HzN2HCW3wk65Q4LlZVYnPpHHnwNcw3+y DTmmgW8GPi+lb0vwpVgmetmqLzEO5dLemNLuZtjZC4GccQWQWWffFrD88Ss8Fv+Fek05/q ubKt4Dy4tNQQq+a2D+kU2ZTBuMLfhKJeyd2Sgyqgt3l5FpQfF+BnK76c87AEbYcq8wX+J/ UVk+RPnWsI3qwkSqGjK1bp17mm9XG4jRlhMMhE3xKNbvj0BM9UXYSUCXN4EhlK0oQkvE6f iHIQktiWPxlEGhBnu4YsSf5J/STxODp08KLMsewZXjqIpRwwNkW0fmdFhuU/SQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1619458435; a=rsa-sha256; cv=none; b=VvZrq/AFe5kdL5bG6Jk8yWyhld+nP2//THZS4Sl/GBPv4QTGzwmNp3S9Z8MMhHpUgGx5C4 V8sDbNV4BJVLOVPmCZq7gxE8yS4/9NPijopApwejSG30rM19/sK7OK/rkZHVrCjE5SMsNi FlG2TAsgS7rtH4E3+PHEURzZnNBzBJHBfuFh2EL6/fjq6eiVmEUW7lxOJbLsYv5wqf83N5 mCnERnUErGby64v8bbuP6Qu1ttIwtbcPvGZBMBYFUz5W6X8s9dMMcaaGaMr0evpcCFLVqt e8muav5KLRyMvYJrEMilS4yONjh7KwXEd+nHoqdg6K0zB37DeBzIMbRhd8gYAA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=EBn+MqLb; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=HXQ2RZBJ; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.55 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=EBn+MqLb; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=HXQ2RZBJ; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 6F61B1DC5A X-Spam-Score: -3.55 X-Migadu-Scanner: scn0.migadu.com X-TUID: WDkpFndLWcgJ --KZWwhcsgWS/8VjzI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 26, 2021 at 07:06:33PM +0200, Giovanni Biscuolo wrote: > Just to understand: /if/ at any point in time a user is able to afford > the effort to build the entire core-updates /or/ staging branch she > should be confident the result is state-of-the-art secure. Am I wrong > with this assumption? Unfortunately your assumption is incorrect. We do not apply security updates to the core-updates branch, except what comes via `git merge master`, which only happens in the final stages of the cycle. Core-updates is not expected to be "buildable", let alone "secure", until the end of the core-updates cycle when we start to whip it into shape. That branch is just a place to push updates of core packages, so that we don't duplicate effort or lose track of updates. Nevertheless, we should never remove security patches without a corresponding package update, done in a single atomic commit. That's not how we work. If there is some documentation or messaging that suggests that anyone should ever use the core-updates branch, please let us know and we will fix that. The only branch you should use is the master branch, unless you are testing something as a developer =20 > Leo Famulari writes: > > I do think that Mark is being hyperbolic about the wip-gnome branch. The > > name says "work in progress" and we don't hold those branches to a high > > standard. >=20 > I understand your point but please consider that /unless/ a wip-branch > is private (or privately shared out-of-Guix-git) that branch it's a > pubblic collective work in progress and sometimes (seldom? often? I > really don't know) that work could be completed by someone else, so even > in wip- branches committers should exercise some degree of discipline, > especially when dealing with "commit message completeness" and more with > security related patches. In other words, IMHO a certain degree of > safety must be assured also on wip- branches. >=20 > Probably the policy about wip-branches, whatever it is ("do what you > want" or something in line with my comments above), should be documented > in the contributing section of the Guix manual. I did not mean to suggestthat wip-* branches should not be secure but, again, they are only works in progress. They do not even have a stable Git history, due to rebasing, which breaks the Guix code authentication mechanism. So, if you try to use them, you will have to use `guix pull --allow-downgrades` and then all bets are off in terms of security. These branches are merely a way for developers to share their work with each other. > OK but please consider that /if/ Guix cannot "update GNOME in Guix" for > whatever reason, GNOME should not be updated. I don't understand this. It seems tautological that if we cannot update GNOME, then GNOME should not be updated. --KZWwhcsgWS/8VjzI Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmCG+UMACgkQJkb6MLrK fwitXhAArl4QctPmvDttl0mfd05UzeyZckq3AaDsVHRvxzO1G4USsJRu1Tu1KXNK JqelfXb5cgoRyk7yQ/WiAsgF7vsg+ChQcw/3JPUraLg6vIdpVqvx0JDqG2Rfnik9 v+7vRTNM+r0a/seiaz4EDYSAPVRyn6w1jtFhvybyBwnl1yyJpvv3FtZ/V+Oafp9J zTtB6Wf6wVw8IS7/ItTnVr2owCrcEthvr1skpkBHvSqpu+3eqptG5OOiO0Ke8OX/ hY3EnHyZAhJ97ynWkjXNCse3WS7orUtK2lK7aWnrOpv6XXgWvncuCIGSnIYLhJT9 j0lYUPl9Up6QhcuEPrtnXEffu6+JFXxbyuXFhUusWfmc2hpogCpRmq3IL8iWEGww qIObjfsezhsFFdyNlDZyspH9+UyWQn7nwFX7yLCl+FfXV1srudY+DyK9B86DgOX+ 841V5gTt6ilLq2ewkE7f8GqjuGjMPvtUY+RZxWNwlH75BL429e8recv+muawtmdi y1XjYluGztxWSxsjI/XXHLvcDBP0mPfqG6Cz8uX92/l37qlwLSgYeBlAbEfI08cO j50qhVV+ll7KjLBa/BJyO1uGKmasLYoiVaJKOiRjgcBhUS6IZ9i6oT/sEXCgKlQL Bw5sI2DQvdzAiIOJyptCcN5lUsck+djzbCRsrqWAzmx6FiOdjfY= =myDH -----END PGP SIGNATURE----- --KZWwhcsgWS/8VjzI--