guix-devel

Re: A "cosmetic changes" commit that removes security fixes


From: Giovanni Biscuolo
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Mon, 26 Apr 2021 19:06:33 +0200

Hello Guix,

Leo Famulari <leo@famulari.name> writes:

[...]

> And in the case of GNOME, we have already fallen short of our goals
> several times, having missed multiple upgrades.

I regret not being able to contribute more to Guix, but nobody should
feel guilty for not being able to keep up with upstream's upgrade rate
(whatever rate it is); better safe than up-to-date :-)

> I too have felt the temptation to cut corners with Git when I know that
> the final result will be "okay". But Guix is not just about the final
> product (a release, or a merge). We also have the --commit option to
> Guix commands, and `guix time-machine`. So the Git history is important
> too.

Yes, this should be stressed: Guix *is* its official (master,
core-updates...) git repo branches.

Just to understand: /if/ at any point in time a user is able to afford
the effort to build the entire core-updates /or/ staging branch, she
should be confident the result is state-of-the-art secure.  Am I wrong
in this assumption?

> And I have also spent several hours at a time, focused on completing
> (after several restarts) a complicated rebase involving dozens of
> commits. And I've done that many times.

I think this is the most expensive activity of Guix maintainers, for the
very reason that Guix *is* git.

> I do think that Mark is being hyperbolic about the wip-gnome branch. The
> name says "work in progress" and we don't hold those branches to a high
> standard.

I understand your point, but please consider that /unless/ a wip-branch
is private (or privately shared outside of Guix git), that branch is a
public collective work in progress, and sometimes (seldom? often? I
really don't know) that work could be completed by someone else.  So even
in wip- branches committers should exercise some degree of discipline,
especially when dealing with "commit message completeness", and even more
so with security-related patches.  In other words, IMHO a certain degree
of safety must be assured also on wip- branches.

Probably the policy about wip-branches, whatever it is ("do what you
want" or something in line with my comments above), should be documented
in the Contributing section of the Guix manual.

> But what happened on core-updates *must not happen again*.

Please no.

> For a task as large as "updating GNOME in Guix", history tells me that
> it has to be a group effort. In many cases, the hardest part of a
> project is coordination and leadership, not coding. I hope that this
> current effort continues, and that more people decide to join.

OK, but please consider that /if/ Guix cannot "update GNOME in Guix" for
whatever reason, GNOME should not be updated.


Thanks! Giovanni.

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
