Re: A "cosmetic changes" commit that removes security fixes

Hi Ludo, Thanks for the links, it's a good starting point. > For the record, you can read about Guix roles and responsibilities at: > > https://guix.gnu.org/en/blog/2019/gnu-guix-maintainer-collective-expands/ I think a good next step would be to store this information at a more accessible

Re: A "cosmetic changes" commit that removes security fixes

Hi, Pierre Neidhardt skribis: > Thanks for sharing. I've read it and it does not seem to be concerned > with the question of governance. For the record, you can read about Guix roles and responsibilities at: https://guix.gnu.org/en/blog/2019/gnu-guix-maintainer-collective-expands/ The

Re: A "cosmetic changes" commit that removes security fixes

Hi Bengt, >> This applies to GNU at the top level, but it does not specify how >> sub-projects (referred to as "packages" in the aforementioned document) >> are governed locally. This question is mostly left unanswered as I >> understand it. >> > > You may find some clues here: >

Re: A "cosmetic changes" commit that removes security fixes

Hi Pierre, On +2021-05-03 09:25:21 +0200, Pierre Neidhardt wrote: > Hi Giovanni, > > > Guix is a GNU project and AFAIU GNU project management is well > > documented: > > > > https://www.gnu.org/gnu/gnu-structure.html > > This applies to GNU at the top level, but it does not specify how >

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Leo, Leo Prikler writes: > Am Montag, den 03.05.2021, 05:00 -0400 schrieb Mark H Weaver: >> Leo Prikler writes: >> >> > Am Samstag, den 01.05.2021, 23:13 -0400 schrieb Mark H Weaver: >> > > I don't think I fumbled on the facts at all. It's true that I >> > > didn't yet have _all_ of the

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Mark, Am Montag, den 03.05.2021, 05:00 -0400 schrieb Mark H Weaver: > Leo Prikler writes: > > > Am Samstag, den 01.05.2021, 23:13 -0400 schrieb Mark H Weaver: > > > I don't think I fumbled on the facts at all. It's true that I > > > didn't > > > yet have _all_ of the relevant facts, but as

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Leo, I think we're mostly going in circles at this point, so I think we should finish up this conversation, as Ludovic suggested. I'll let you have the last word on most of our conversation threads, but I feel compelled to briefly counter one claim of yours: Leo Prikler writes: > Am

Re: A "cosmetic changes" commit that removes security fixes

Hi Giovanni, > Guix is a GNU project and AFAIU GNU project management is well > documented: > > https://www.gnu.org/gnu/gnu-structure.html This applies to GNU at the top level, but it does not specify how sub-projects (referred to as "packages" in the aforementioned document) are governed

Re: A "cosmetic changes" commit that removes security fixes

Hi! Yasuaki Kudo writes: > I don't know the details of the case at all but let met mention this: > https://communityrule.info/ > It comes from the world of worker cooperatives and I think them "rules of the > community" is discussed a lot there as well  Thanks for sharing, I didn't know

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Mark, Am Sonntag, den 02.05.2021, 17:02 -0400 schrieb Mark H Weaver: > Hi Leo, > > Leo Prikler writes: > > > Am Sonntag, den 02.05.2021, 15:29 -0400 schrieb Mark H Weaver: > > > > Likewise, there's no middle ground on assuming evil > > intentions, you either assume they exist or you don't.

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Ludovic, Ludovic Courtès writes: > I’m sorry to inform you that this is not a philosophy or linguistics > mailing list. *lol* Indeed, this conversation has wandered quite far off-topic. Thanks for stepping in. > I invite you to continue this discussion off-list. We have a release > coming

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Leo, Leo Prikler writes: > Am Sonntag, den 02.05.2021, 15:29 -0400 schrieb Mark H Weaver: >> >> Leo Prikler writes: >> >> > Let us assume for the sake of argument I were to introduce a bug >> > into Guix. There are a number of ways this can happen, but let's >> > focus on the important

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Leo, Mark, Mark H Weaver skribis: > This is a false dilemma , > because you've missed a very important case, namely: > > 5. You assume *nothing*. I’m sorry to inform you that this is not a philosophy or linguistics mailing list. I invite you to

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Mark, Am Sonntag, den 02.05.2021, 15:29 -0400 schrieb Mark H Weaver: > Hi Leo, > > Leo Prikler writes: > > > Let us assume for > > the sake of argument I were to introduce a bug into Guix. There > > are a > > number of ways this can happen, but let's focus on the important > > distinction

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Leo, Leo Prikler writes: > Let us assume for > the sake of argument I were to introduce a bug into Guix. There are a > number of ways this can happen, but let's focus on the important > distinction here, which is me purposefully introducing that bug vs. it > happening due to oversight. > >

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Am Sonntag, den 02.05.2021, 12:17 +0800 schrieb 宋文武: > Hello Leo, I see nothing wrong for assuming bad faith when security > fixes of packages are removed, in the end the truth matter, which I > believe is: You thought the patches for cario is not needed now on > core-updates, so you remove them.

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Am Samstag, den 01.05.2021, 23:13 -0400 schrieb Mark H Weaver: > Hi Leo, > > I took the liberty of refilling the quotations in your email to make > them more readable. Please do. > > Leo Prikler writes: > > > Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: > > > Can you please

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Leo Famulari writes: > [...] > To clarify, Leo Prikler is not the same person that was involved in > removing the Cairo bug fixes. That was a different person, also named > Leo. > > Not me, either :) Um, my bad, thank you!

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

On Sun, May 02, 2021 at 12:17:59PM +0800, 宋文武 wrote: > Hello Leo, I see nothing wrong for assuming bad faith when security > fixes of packages are removed, in the end the truth matter, which I > believe is: You thought the patches for cario is not needed now on > core-updates, so you remove them.

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

宋文武 writes: > Leo Prikler writes: > >> Hi Mark, >> >> Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: >>> Hi Leo, >>> >>> Leo Prikler writes: >>> >>> > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >>> > > I also spent some time re-reading messages that

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Leo Prikler writes: > Hi Mark, > > Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: >> Hi Leo, >> >> Leo Prikler writes: >> >> > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >> > > I also spent some time re-reading messages that Mark sent in this >> > >

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Leo, I took the liberty of refilling the quotations in your email to make them more readable. Leo Prikler writes: > Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: >> Can you please point out which of my words led you to conclude that I >> was assuming bad faith? > > I am

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Mark, Am Samstag, den 01.05.2021, 18:12 -0400 schrieb Mark H Weaver: > Hi Leo, > > Leo Prikler writes: > > > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: > > > I also spent some time re-reading messages that Mark sent in this > > > thread and, like him, I really don't

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Mark H Weaver writes: > Leo Prikler writes: > >> Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >>> If you want you can consider Mark used an /harsh/ tone but this is a >>> personal feeling, something one /could/ read "between the lines" even >>> if actually in a written

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Leo, Leo Prikler writes: > Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: >> I also spent some time re-reading messages that Mark sent in this >> thread and, like him, I really don't understand what Mark did wrong. >> >> For sure Mark /insisted/ that Raghav and Léo did

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hello Giovanni, I am not Mark or Ludo, but as a /generic other/, I'd still like to reply. Am Samstag, den 01.05.2021, 19:02 +0200 schrieb Giovanni Biscuolo: > Hello Mark and Ludovic, > > please forgive me if I'm going forward with this thread but, after > some > hesitation, I decided to write

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hello Mark and Ludovic, please forgive me if I'm going forward with this thread but, after some hesitation, I decided to write this message because I /feel/ we could do better in dealing with issues like this one. Please when you'll read "you" consider it a /generic you/ ("you the reader") not

Re: A "cosmetic changes" commit that removes security fixes

Hi Pierre, Pierre Neidhardt writes: > I haven't really followed the issue, I have, very carefully ;-) > so I couldn't say whether the decision taken by the core maintainers > was right or not. From my point of view it was /but/ this is *not* relevant: what's relevant here is that /if/ we

Re: A "cosmetic changes" commit that removes security fixes

On Sat, May 01, 2021 at 12:53:43PM +0530, Arun Isaac wrote: > We may like to imagine that being a core maintainer is not a badge of > honor, but in reality, it *is* a badge of honor. A core maintainer is > not just a regular participant any more than the President is just a > public servant. If

Re: A "cosmetic changes" commit that removes security fixes

Hello! I don't know the details of the case at all but let met mention this: https://communityrule.info/ It comes from the world of worker cooperatives and I think them "rules of the community" is discussed a lot there as well  Cheers, Yasu > On May 1, 2021, at 18:16, Pierre Neidhardt wrote:

Re: A "cosmetic changes" commit that removes security fixes

Hi everyone, This decision aside, I share some of the general concerns raised by Pierre about core maintainership and the behind closed doors decision making process. > Being a core committer is *not* a badge of honour. It does not give > special privileges beyond what is expected. It does not

Re: A "cosmetic changes" commit that removes security fixes

On Fri, Apr 30, 2021 at 07:40:36PM +0200, Pierre Neidhardt wrote: > I trust that it is the case, but being the devil's advocate, I could > argue that from reading this thread does not make it obvious. Maybe the > decision process should be made more transparent? Let's not make this a big thing.

Re: A "cosmetic changes" commit that removes security fixes

On 4/24/21 4:09 AM, Mark H Weaver wrote: > Your recent responses in > this thread have been commendable. by who?

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

On 4/28/21 12:43 PM, Mark H Weaver wrote: > I'm sorry if this comes off as obtuse, but having now re-read all of my > messages in this thread, I honestly do not see what I did wrong here. > I will need some help to understand. please save it

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hello! In Guix i feel there's a precious source that's enriching my experience: mutualism There's a lot of building together, of helping each other out. It's a refreshing opportunity to see how positive cooperation brings a lot of good energy. Have a Happy Thursday! Matias

Re: A "cosmetic changes" commit that removes security fixes

Hi Guix, >> I'm sorry to say your commit privileges have been temporarily >> suspended. After one month, you are invited to get in touch with the >> maintainers collective and discuss next steps. > > I think this suspension goes too far and doesn't help de-escalate the > issue. I think Léo

Re: A "cosmetic changes" commit that removes security fixes

Peeps, I am not a core maintainer, but it should be obvious that core maintainers would not take a decision to revoke commit rights lightly. Since it hardly happens is it now a loss of face on both sides which it should not be. Marius representing the core maintainers clearly wrote: This is the

Re: A "cosmetic changes" commit that removes security fixes

On Thu, 2021-04-29 at 13:46 +0200, Leo Prikler wrote: > Am Donnerstag, den 29.04.2021, 11:13 +0200 schrieb Léo Le Bouter: > > On Wed, 2021-04-28 at 17:52 +0200, Marius Bakke wrote: > > > Léo, > > > > > > We maintainers have been disappointed by Marks harsh tone which > > > do > > > not > > > meet

Re: A "cosmetic changes" commit that removes security fixes

Am Donnerstag, den 29.04.2021, 11:13 +0200 schrieb Léo Le Bouter: > On Wed, 2021-04-28 at 17:52 +0200, Marius Bakke wrote: > > Léo, > > > > We maintainers have been disappointed by Marks harsh tone which do > > not > > meet the project's communication standards, but also by your > > apparent > >

Re: A "cosmetic changes" commit that removes security fixes

Hi Guix, I didn't want to get involved in this argument, but I feel I must register a dissenting opinion. > I'm sorry to say your commit privileges have been temporarily > suspended. After one month, you are invited to get in touch with the > maintainers collective and discuss next steps. I

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

On Wed, 2021-04-28 at 12:43 -0400, Mark H Weaver wrote: > I'm sorry if this comes off as obtuse, but having now re-read all of > my > messages in this thread, I honestly do not see what I did wrong here. > I will need some help to understand. > > With very few exceptions, almost every sentence

Re: A "cosmetic changes" commit that removes security fixes

On Wed, 2021-04-28 at 17:52 +0200, Marius Bakke wrote: > Léo, > > We maintainers have been disappointed by Marks harsh tone which do > not > meet the project's communication standards, but also by your apparent > lack of will to reply constructively to legitimate criticism. > > This is the next

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

If you'll allow me to comment Mark, I would say that I valued your commitment to discover how to avoid a repeat of the problem. It is nice to see someone truly care about a project and insist a problem does not repeat itself. In practical terms, putting a few smiley faces in emails probably

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Dear Leo, On Wed, Apr 28, 2021 at 01:55:25PM -0400, Leo Famulari wrote: > You should have sent a message that explained the problem and tried to > teach the solution. I've seen you do it many times before; That is perhaps fair comment. It is always best to be constructive and not too personal.

Re: Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

On Wed, Apr 28, 2021 at 12:43:53PM -0400, Mark H Weaver wrote: > I'm sorry if this comes off as obtuse, but having now re-read all of my > messages in this thread, I honestly do not see what I did wrong here. > I will need some help to understand. It's common advice that managers and leaders

Criticisms of my "tone" (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Ludovic, Ludovic Courtès writes: > Mark H Weaver skribis: > >> Léo Le Bouter writes: >> >>> It seems you are more focused and spend more time sending accusations >>> here than collaboratively working to improve GNU Guix. I don't feel >>> like that's something great to do at all. >> >> I

Re: A "cosmetic changes" commit that removes security fixes

Léo, We maintainers have been disappointed by Marks harsh tone which do not meet the project's communication standards, but also by your apparent lack of will to reply constructively to legitimate criticism. This is the next in a series of incidents. The incidents are okay--we we all make

Re: A "cosmetic changes" commit that removes security fixes

Hello Léo, Am Mon, Apr 26, 2021 at 09:31:18PM +0200 schrieb Léo Le Bouter: > also consider other things like how people feel when they > contribute to GNU Guix, do they feel discouraged or rewarded by their > contributions indeed that is an important aspect. > I find that it can be tiring and

Re: A "cosmetic changes" commit that removes security fixes

On Mon, Apr 26, 2021 at 11:56:22PM +0200, Giovanni Biscuolo wrote: > No, I simply misunderstood, sorry for the noise! Okay, and thanks for asking! It's important to clarify these things; it's not just noise :) This kind of knowledge is something I picked up over time, but I'm not sure it's

Re: A "cosmetic changes" commit that removes security fixes

Leo Famulari writes: > On Mon, Apr 26, 2021 at 07:06:33PM +0200, Giovanni Biscuolo wrote: >> Just to understand: /if/ at any point in time a user is able to afford >> the effort to build the entire core-updates /or/ staging branch she >> should be confident the result is state-of-the-art secure.

Re: A "cosmetic changes" commit that removes security fixes

On Mon, Apr 26, 2021 at 07:21:14PM +0200, Ludovic Courtès wrote: > Hi Léo, > > Tobias Geerinckx-Rice skribis: > > >> https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 > >> https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > >> Can

Re: A "cosmetic changes" commit that removes security fixes

On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: > I have to agree with everybody in this thead. > > The commits in question were problematic (especially on core-updates, > which is not a "WIP" branch and thus cannot be rewritten to fix past > problems). I'm not confident that the security

Re: A "cosmetic changes" commit that removes security fixes

On Mon, 2021-04-26 at 17:23 +0200, Tobias Geerinckx-Rice wrote: > Hi Léo, > > > https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 > > https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 > > > > Can you please explain what went wrong

Re: A "cosmetic changes" commit that removes security fixes

On Mon, Apr 26, 2021 at 07:06:33PM +0200, Giovanni Biscuolo wrote: > Just to understand: /if/ at any point in time a user is able to afford > the effort to build the entire core-updates /or/ staging branch she > should be confident the result is state-of-the-art secure. Am I wrong > with this

Re: A "cosmetic changes" commit that removes security fixes

Hi Léo, Tobias Geerinckx-Rice skribis: >> https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 >> https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 >> Can you please explain what went wrong here? > > Is a reasonable question, shared by

Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Mark, Mark H Weaver skribis: > Léo Le Bouter writes: > >> On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: >>> This commit was digitally signed and pushed to the 'wip-gnome' branch >>> by >>> Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure >>> who bears primary

Re: A "cosmetic changes" commit that removes security fixes

Hello Guix, Leo Famulari writes: [...] > And in the case of GNOME, we have already fallen short of our goals > several times, having missed multiple upgrades. I regret not to be able to contribute more to Guix, but please nobody should feel guilty not to be able to keep-up with upstream's

Re: A "cosmetic changes" commit that removes security fixes

Hi Léo, https://git.sr.ht/~lle-bout/guix/commit/a045a48dd961f0c5c3d536dcc3fd21d9c08d2d50 https://git.sr.ht/~lle-bout/guix/commit/6477daa338fbf1c9edacfc3690aca77cacfe0008 Can you please explain what went wrong here? Is a reasonable question, shared by all of us, not just Mark. The

Re: A "cosmetic changes" commit that removes security fixes

On Sat, 2021-04-24 at 03:46 -0400, Mark H Weaver wrote: > Hi Léo, > > Léo Le Bouter writes: > > > On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: > > > Léo and Raghav, you need to keep learning our workflow around > > > security updates. It's not okay to remove security patches and > >

Re: A "cosmetic changes" commit that removes security fixes

Hi Raghav, Raghav Gururajan writes: >> Thank you for these links. From the IRC log cited above, it now appears >> that Léo Le Bouter bears primary responsibility >> for these mistakes. In particular, according to the IRC >> logs, Léo wrote: >> >> raghavgururajan: the main issues on the

Re: A "cosmetic changes" commit that removes security fixes

Hi Léo, Léo Le Bouter writes: > On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: >> Léo and Raghav, you need to keep learning our workflow around >> security updates. It's not okay to remove security patches and later >> update a package to a fixed version in a different commit. `git >>

Re: A "cosmetic changes" commit that removes security fixes

Hi Maxim! Oh, indeed, sorry for the confusion. I think I got tricked by seeing the changelog for 1.17.2 under their releases/ directory (https://www.cairographics.org/releases/ChangeLog.cairo-1.17.2). No worries! I was confused by that too, while I was working on cairo package. Regards,

Re: A "cosmetic changes" commit that removes security fixes

On Fri, Apr 23, 2021 at 09:33:07PM +0200, Léo Le Bouter wrote: > I knew about this but I didnt feel like telling Raghav to do yet > another rebase. I felt like Raghav was taking on with so much already. > The rebase was specially complicated because Raghav's commit changed > indentation, git has

Re: A "cosmetic changes" commit that removes security fixes

On Fri, 2021-04-23 at 15:18 -0400, Leo Famulari wrote: > Léo and Raghav, you need to keep learning our workflow around > security > updates. It's not okay to remove security patches and later update a > package to a fixed version in a different commit. `git rebase` is the > tool to learn for

Re: A "cosmetic changes" commit that removes security fixes

On Fri, Apr 23, 2021 at 08:50:37PM +0200, Léo Le Bouter wrote: > I think there is no problem in accepting criticism but there is a > certain way Mark presents criticism and I don't feel like I can respond > to it when it is written in such way. Over several emails Mark was > looking to point to

Re: A "cosmetic changes" commit that removes security fixes

Hi, Am Freitag, den 23.04.2021, 20:50 +0200 schrieb Léo Le Bouter: > I think there is no problem in accepting criticism but there is a > certain way Mark presents criticism and I don't feel like I can > respond > to it when it is written in such way. Over several emails Mark was > looking to

Re: A "cosmetic changes" commit that removes security fixes

On Fri, 2021-04-23 at 13:52 -0400, Maxim Cournoyer wrote: > Actually, there *is* a "new" stable release available on their > release > page, 1.17.2 [0] > > According to NVD [1], that latest version has no known CVE [1]. > > Léo, could it be that you had planned to do this update, but it >

Re: A "cosmetic changes" commit that removes security fixes

Hello Raghav, Raghav Gururajan writes: > Hi Maxim! > >> Actually, there *is* a "new" stable release available on their release >> page, 1.17.2 > > It seems 1.16.0 is the latest+stable version. > > Quoting their download, "Please download one of the latest >

Re: A "cosmetic changes" commit that removes security fixes

Hi Maxim! Actually, there *is* a "new" stable release available on their release page, 1.17.2 It seems 1.16.0 is the latest+stable version. Quoting their download, "Please download one of the latest [releases](https://cairographics.org/releases/) in order to get an API-stable version of

Re: A "cosmetic changes" commit that removes security fixes

Hi, Mark H Weaver writes: > Hi Léo, > > Léo Le Bouter writes: > >> I don't share your analysis, the security fixes werent stripped because >> glib/cairo was also updated to latest version in subsequent commits >> which were pushed all at once. > > 'glib' was updated, but 'cairo' wasn't,

Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes)

Hi Guix! Thanks Mark for raising these issues. I definitely share your concerns, specifically regarding the two commits you mentioned and how they misleadingly have undesirable consequences:

Re: A "cosmetic changes" commit that removes security fixes

Hi Leo! Raghav and Léo, is wip-gnome based on core-updates? It was based on core-updates, but I recently re-created wip-gnome based on master. Regards, RG. OpenPGP_signature Description: OpenPGP digital signature

Re: A "cosmetic changes" commit that removes security fixes

Hi Mark! Thank you for these links. From the IRC log cited above, it now appears that Léo Le Bouter bears primary responsibility for these mistakes. In particular, according to the IRC logs, Léo wrote: raghavgururajan: the main issues on the rebasing were about security fixes on

Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes)

Léo Le Bouter writes: > On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: >> This commit was digitally signed and pushed to the 'wip-gnome' branch >> by >> Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure >> who bears primary responsibility for this one. > > It seems

Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes)

Léo, On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: This commit was digitally signed and pushed to the 'wip-gnome' branch by Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure who bears primary responsibility for this one. It seems you are more focused and

Re: A "cosmetic changes" commit that removes security fixes

Hi Léo, Léo Le Bouter writes: > I don't share your analysis, the security fixes werent stripped because > glib/cairo was also updated to latest version in subsequent commits > which were pushed all at once. 'glib' was updated, but 'cairo' wasn't, presumably because there's no newer stable

Re: A "cosmetic changes" commit that removes security fixes

Am Donnerstag, den 22.04.2021, 22:01 +0200 schrieb Léo Le Bouter: > On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote: > > Hi Raghav, > > > > Raghav Gururajan writes: > > > > > > Those commits on 'core-updates' were digitally signed by Léo Le > > > > Bouter > > > > and have the same

Re: A "cosmetic changes" commit that removes security fixes

Léo Le Bouter writes: > On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote: >> Hi Raghav, >> >> Raghav Gururajan writes: >> >> > > Those commits on 'core-updates' were digitally signed by Léo Le >> > > Bouter >> > > and have the same problems: they remove >> > > security >> > > fixes,

Re: Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes)

On Thu, 2021-04-22 at 13:40 -0400, Mark H Weaver wrote: > This commit was digitally signed and pushed to the 'wip-gnome' branch > by > Raghav, but it's also "Signed-off-by: Léo Le Bouter", so I'm not sure > who bears primary responsibility for this one. It seems you are more focused and spend

Re: A "cosmetic changes" commit that removes security fixes

On Thu, 2021-04-22 at 00:08 -0400, Mark H Weaver wrote: > Hi Raghav, > > Raghav Gururajan writes: > > > > Those commits on 'core-updates' were digitally signed by Léo Le > > > Bouter > > > and have the same problems: they remove > > > security > > > fixes, and yet the summary lines indicate

Re: A "cosmetic changes" commit that removes security fixes

Hi Leo, Leo Famulari writes: > On Thu, Apr 22, 2021 at 12:05:36AM -0400, Raghav Gururajan wrote: >> Okay, I was able to retrace. When Leo and I were working outside savannah, >> there was master --> core-updates merge. Leo made these changes when he >> committed to his repo >>

Re: A "cosmetic changes" commit that removes security fixes

On Thu, Apr 22, 2021 at 12:05:36AM -0400, Raghav Gururajan wrote: > Okay, I was able to retrace. When Leo and I were working outside savannah, > there was master --> core-updates merge. Leo made these changes when he > committed to his repo > (https://logs.guix.gnu.org/guix/2021-03-26.log#000811),

Another misleading commit log (was Re: A "cosmetic changes" commit that removes security fixes)

Here's another commit with a blatantly misleading commit log: https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome=f5fc3c609e2f38ca1c0523deadb9f77d838fbf32 The summary line is "gnu: gdk-pixbuf: Add missing arguments", but in fact it does all of the following: (1) Ungrafts

Re: A "cosmetic changes" commit that removes security fixes

Hi Raghav, Raghav Gururajan writes: > Okay, I was able to retrace. When Leo and I were working outside > savannah, there was master --> core-updates merge. Leo made these > changes when he committed to his repo > (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I > pulled

Re: A "cosmetic changes" commit that removes security fixes

Hi, 宋文武 writes: > This patch is for core-updates: > From 15e28e84eaea8f68b6247ab53052f0dd50a544b2 Mon Sep 17 00:00:00 2001 > From: 宋文武 > Date: Thu, 22 Apr 2021 19:21:51 +0800 > Subject: [PATCH] gnu: cairo: Reintroduce security patches [security fixes]. > > Two patches were accidentally removed

Re: A "cosmetic changes" commit that removes security fixes

Mark H Weaver writes: > Hi Raghav, > > Raghav Gururajan writes: > >>> Those commits on 'core-updates' were digitally signed by Léo Le Bouter >>> and have the same problems: they remove security >>> fixes, and yet the summary lines indicate that only "cosmetic changes" >>> were made. >> >>

Re: A "cosmetic changes" commit that removes security fixes

Hi Mark! (1) These original summary lines are still misleading, because "ungraft" means to integrate the fixes from the replacement into the original, but here, the fixes are simply being deleted. I see. Now I get the idea. Thanks for explaining this. (2) These original commit

Re: A "cosmetic changes" commit that removes security fixes

Hi Raghav, Raghav Gururajan writes: > Okay, I was able to retrace. When Leo and I were working outside > savannah, there was master --> core-updates merge. Leo made these > changes when he committed to his repo > (https://logs.guix.gnu.org/guix/2021-03-26.log#000811), from which I > pulled

Re: A "cosmetic changes" commit that removes security fixes

Hi Raghav, Raghav Gururajan writes: >> Those commits on 'core-updates' were digitally signed by Léo Le Bouter >> and have the same problems: they remove security >> fixes, and yet the summary lines indicate that only "cosmetic changes" >> were made. > > Yeah, the commit title didn't mention

Re: A "cosmetic changes" commit that removes security fixes

Hi Mark! For glib, IIRC, we updated package to latest version and guix lint didn't show any more CVEs. Also, I think the change was added as part of the cosmetic change commit, to cleanly apply succeeding patches. For cairo, let me get back to you. Okay, I was able to retrace. When Leo and

Re: A "cosmetic changes" commit that removes security fixes

Hi Mark! Those commits on 'core-updates' were digitally signed by Léo Le Bouter and have the same problems: they remove security fixes, and yet the summary lines indicate that only "cosmetic changes" were made. Yeah, the commit title didn't mention the change but the commit message did.

Re: A "cosmetic changes" commit that removes security fixes

Hi Raghav, Raghav Gururajan writes: >> Raghav Gururajan has pushed another misleading "cosmetic changes" >> commit. [...] >> This one is *far* worse than the examples I gave before. >> This one removes the security fixes for CVE-2018-19876 and >> cairo-CVE-2020-35492 that I had applied in

Re: A "cosmetic changes" commit that removes security fixes

Hi Mark! Raghav Gururajan has pushed another misleading "cosmetic changes" commit. When you brought-up the concern (https://lists.gnu.org/archive/html/guix-devel/2020-12/msg8.html), which I am grateful for, I have worked myself to prevent that from happening. It was so hard for me

Re: A "cosmetic changes" commit that removes security fixes

Hi All! Sorry, I just saw this email and noticed its thread via web. I wasn't subscribed. > Raghav, can you explain why you created that commit? What's the > context & the goal? Why is it on current wip-gnome? What do you > expect to happen to it? The commit is not new. I cherry-picked from

Re: A "cosmetic changes" commit that removes security fixes

On Thu, Apr 22, 2021 at 12:16:13AM +0200, Leo Prikler wrote: > However, in taking more time to let patches sit on the > mailing list, I fear that I might come off as "unwilling" to those > contributors, whose work I help review, including Raghav, and also that > my involvement in some patch

Re: A "cosmetic changes" commit that removes security fixes

Hi all, Thanks for keeping a critical eye on WIP branches, Mark. Raghav, can you explain why you created that commit? What's the context & the goal? Why is it on current wip-gnome? What do you expect to happen to it? Léo, all the same questions for you, plus: Mark H Weaver writes:

Re: A "cosmetic changes" commit that removes security fixes

Hi Mark, Am Mittwoch, den 21.04.2021, 17:11 -0400 schrieb Mark H Weaver: > Hello Guix, > > Raghav Gururajan has pushed another misleading "cosmetic changes" > commit. This one is *far* worse than the examples I gave before. > This one removes the security fixes for CVE-2018-19876 and >

Re: A "cosmetic changes" commit that removes security fixes

... and here's another "cosmetic changes" commit from Raghav that removes all of the security fixes for 'glib' that I had added: https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome=40b58074895ee510cab496655e6bec8d95abe693 Also, both of these commits were marked as: