guix-devel

Re: A "cosmetic changes" commit that removes security fixes


From: Leo Prikler
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Thu, 22 Apr 2021 00:16:13 +0200
User-agent: Evolution 3.34.2

Hi Mark,

On Wednesday, 21.04.2021, 17:11 -0400, Mark H Weaver wrote:
> Hello Guix,
> 
> Raghav Gururajan has pushed another misleading "cosmetic changes"
> commit.  This one is *far* worse than the examples I gave before.
> This one removes the security fixes for CVE-2018-19876 and
> cairo-CVE-2020-35492 that I had applied in commit
> bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.
> 
> Behold, Raghav's "cosmetic changes" to our 'cairo' package:
In particular, it is also worse than the glib example you've used,
since at least the glib one is followed up by an update.  This one is
not, at least as far as I can tell.

https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a
> 
> With this in mind, does anyone else find it worrisome that Raghav has
> commit access?
> 
>       Mark
It is indeed worrying that those patches seem to have made it to
wip-gnome with little review.  I believe we inherited this from before
work was done on savannah, as I can't seem to find them within our
mailing lists.  As a side note, that's why I make it a habit not to push
any patches that I've edited too heavily, instead sending them back to
the mailing list in the hope of another reviewer.  Even if those changes
seem merely cosmetic to me, they might have a larger impact than I can
imagine.  However, in taking more time to let patches sit on the mailing
list, I fear that I might come off as "unwilling" to those contributors
whose work I help review, including Raghav, and also that my involvement
in some patch discussion tells other committers "don't worry, I got
this, do something else".

I don't think we need to strip Raghav's commit rights yet, but at the
same time we ought to more closely monitor what's going on in
wip-gnome.  Being 3 GNOME releases and one c-u merge late, there isn't
much room to allow for fuck-ups, and as we all know, that's when most of
them happen.

Regards,
Leo
