From: Leo Prikler <leo.prikler@student.tugraz.at>
To: Mark H Weaver <mhw@netris.org>, guix-devel@gnu.org
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Thu, 22 Apr 2021 00:16:13 +0200
Message-ID: <d7ffd29309632e700e858514b51e7749321b42cc.camel@student.tugraz.at>
In-Reply-To: <877dkv2vi5.fsf@netris.org>

Hi Mark,

On Wednesday, 21.04.2021 at 17:11 -0400, Mark H Weaver wrote:
> Hello Guix,
> 
> Raghav Gururajan has pushed another misleading "cosmetic changes"
> commit.  This one is *far* worse than the examples I gave before.
> This one removes the security fixes for CVE-2018-19876 and
> cairo-CVE-2020-35492 that I had applied in commit
> bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.
> 
> Behold, Raghav's "cosmetic changes" to our 'cairo' package:
In particular, it is also worse than the glib example you've used,
since at least the glib one is followed up by an update.  This one is
not, at least as far as I can tell.

https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a
> 
> With this in mind, does anyone else find it worrisome that Raghav has
> commit access?
> 
>       Mark
It is indeed worrying that those patches seem to have made it to
wip-gnome with little review.  I believe we inherited this from before work
was done on Savannah, as I can't seem to find them within our mailing
lists.  As a side note, that's why I make it a habit not to push any
patches that I've edited too heavily, instead sending them back to the
mailing list in the hope of another reviewer.  Even if those changes seem
merely cosmetic to me, they might have a larger impact than I can
imagine.  However, in taking more time to let patches sit on the
mailing list, I fear that I might come off as "unwilling" to those
contributors whose work I help review, including Raghav, and also that
my involvement in some patch discussion tells other committers "don't
worry, I got this, do something else".

I don't think we need to strip Raghav's commit rights yet, but at the
same time we ought to more closely monitor what's going on in
wip-gnome.  Being 3 GNOME releases and one c-u merge late, there isn't much
room to allow for fuck-ups, and as we all know, that's when most of
them happen.

Regards,
Leo


