From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id 6MjPGlvrgGBRegAAgWs5BA (envelope-from ) for ; Thu, 22 Apr 2021 05:19:55 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id SC6WFlvrgGBXPgAA1q6Kng (envelope-from ) for ; Thu, 22 Apr 2021 03:19:55 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 283DD25DA1 for ; Thu, 22 Apr 2021 05:19:55 +0200 (CEST) Received: from localhost ([::1]:41272 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lZPsg-0002ra-C2 for larch@yhetil.org; Wed, 21 Apr 2021 23:19:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:52256) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lZPqW-0001Ky-HA for guix-devel@gnu.org; Wed, 21 Apr 2021 23:17:42 -0400 Received: from out0.migadu.com ([94.23.1.103]:20347) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lZPqT-00037K-F4 for guix-devel@gnu.org; Wed, 21 Apr 2021 23:17:40 -0400 To: Mark H Weaver , Guix Devel DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raghavgururajan.name; s=key1; t=1619061453; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/vpItYWypOQJqjZ76VyIDFUFdRzuuL6Gphr3iDtN6xs=; b=COlnfqNPpEAuu7MN3r7JOdXr2Dw7LccH5vcAT0yhEoy2dxPvZmJU6j3NsrMYmZmknRKHOn p/uwAzXKOn5mBOeKPefkmipzLZq933qxF55+TjSJL84/sG45RbNh16m2rQIpQSNCcJ/HPv XzSjt/cXkFCHcfQP6iXFVPvwGFI8FF58cKm0Z3NdTzaPYnvqWmbUdPXrHKgz2FAc9X95cr TcBvrrjRh9hMiVA75ENsr2AsTQz1vnkSmJlnlU7BPwonsPvMThTxtbV8TChPCTw7S4TMdv ZPanW7usJ1MiXwvY7JdwN/GdIAYvda8TgQIXQGopF4nY8mR7sGe+rwT2VpZBKQ== Cc: Tobias Geerinckx-Rice , Leo Prikler , Leo Famulari , =?UTF-8?Q?L=c3=a9o_Le_Bouter?= References: <87tunz11mf.fsf@netris.org> X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Raghav Gururajan Subject: Re: A "cosmetic changes" commit that removes security fixes Message-ID: Date: Wed, 21 Apr 2021 23:17:30 -0400 MIME-Version: 1.0 In-Reply-To: <87tunz11mf.fsf@netris.org> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="HmkVj9jU2UWXAMZoVj0N9jHZDr0vfynVD" X-Migadu-Auth-User: rg@raghavgururajan.name Received-SPF: pass client-ip=94.23.1.103; envelope-from=rg@raghavgururajan.name; helo=out0.migadu.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1619061595; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=/vpItYWypOQJqjZ76VyIDFUFdRzuuL6Gphr3iDtN6xs=; b=PqhENbiiHcmilTqb+GgmkPv3JqflcgPUZbEWaxaw8+tv40WUk+wroqPW7cC54l3EgVrEjL B6yeetn1lt1TDnQCyOava9HbSweZChJXz87+rt1oQg97pqLMlOE3YMJyIFrfGosrWda/SP p0gVtirvDdeiQ/tA9HRFHyYWpKWqAB2q93PjVNXZQ82UAHw7YOwiO0kbtDfXf5t/xr7n9n yGgDtErnka4lha7EPW4ZDKGhPc8PlTPRHKeqcvfIrpNVgGTNn03/puxSuImvoPZvbq9s/O UcJVpQQjT/6QHmN+W5oeViEt20LCLAlDRHhaMs8ZvPRxEf2YpMP4sFLtMv29sQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1619061595; a=rsa-sha256; cv=none; b=LItyoSGoCykJsVEtUnGyqbsBd1/wuyJwKZGKvxndAAes+/ZaIwptndIaOQHQ2I1bWTnBHD lpQNQeAaIYq+RRP8p9rd9v3N4Lr4Pd+qIL+X3nen2D88y0RJXeBxHqA5JYMBvEj5JVvVSy jYM+lbcbY8KcGxDDipw3BOuLKre/LAiIvptKFcmScCUJ4UoQQE/05Qb+B4Xz/ZCeDElcf9 5d+vE+8obSGkx9wbHkx7LRqbtVGvslFWXv7awUEjOMm0rhCbK03aioRYp5wlekTGI8kwhQ gOnthpdQm0Z72/kX/4c3A4C+9z6nLQ9ASh7A8nkQOEI5rUZlyDyLX1ZIZg7Wiw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=raghavgururajan.name header.s=key1 header.b=COlnfqNP; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.74 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=raghavgururajan.name header.s=key1 header.b=COlnfqNP; dmarc=pass (policy=quarantine) header.from=raghavgururajan.name; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 283DD25DA1 X-Spam-Score: -3.74 X-Migadu-Scanner: scn0.migadu.com X-TUID: M4awSXopqice This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --HmkVj9jU2UWXAMZoVj0N9jHZDr0vfynVD Content-Type: multipart/mixed; boundary="SUeBiKaJuyez1ps9zINASwBFg7zk3mUT5"; protected-headers="v1" From: Raghav Gururajan To: Mark H Weaver , Guix Devel Cc: Tobias Geerinckx-Rice , Leo Prikler , Leo Famulari , =?UTF-8?Q?L=c3=a9o_Le_Bouter?= Message-ID: Subject: Re: A "cosmetic changes" commit that removes security fixes References: <87tunz11mf.fsf@netris.org> In-Reply-To: <87tunz11mf.fsf@netris.org> --SUeBiKaJuyez1ps9zINASwBFg7zk3mUT5 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable Hi Mark! > Those commits on 'core-updates' were digitally signed by L=C3=A9o Le Bo= uter > and have the same problems: they remove security > fixes, and yet the summary lines indicate that only "cosmetic changes" > were made. Yeah, the commit title didn't mention the change but the commit message d= id. > I'm sorry to say that your responses have done nothing to allay my > concerns. For glib, IIRC, we updated package to latest version and guix lint=20 didn't show any more CVEs. Also, I think the change was added as part of = the cosmetic change commit, to cleanly apply succeeding patches. For cairo, let me get back to you. Regards, RG. --SUeBiKaJuyez1ps9zINASwBFg7zk3mUT5-- --HmkVj9jU2UWXAMZoVj0N9jHZDr0vfynVD Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature" -----BEGIN PGP SIGNATURE----- wnsEABYIACMWIQTNLV6qqYzLN9qR1rBfWBZkf4vlUQUCYIDqygUDAAAAAAAKCRBfWBZkf4vlUaF5 AQC2/bIj+2HR4yMV491qIUz8A4ECgIit5epG3ib7LDQ5agD+PUsPpUiIUp3OsME74NINn6QX/yda /lx7MV55Bl2ARwM= =x9rD -----END PGP SIGNATURE----- --HmkVj9jU2UWXAMZoVj0N9jHZDr0vfynVD--