Re: Cosmetic changes commits as a potential security risk (was Re: Questionable "cosmetic changes" commits)
From: Raghav Gururajan
Subject: Re: Cosmetic changes commits as a potential security risk (was Re: Questionable "cosmetic changes" commits)
Date: Sun, 20 Dec 2020 07:00:59 +0000
Hi Mark!
> Thanks for the explanation.
>
> Please keep in mind that every comment in Guix was deliberately put
> there by a Guix developer, which means that at least one developer
> thought the comment was worth including.
>
> I'm concerned that you felt so confident in your assessment that these
> comments were superfluous that you felt justified in removing them
> without telling anyone, let alone asking your mentors if they agreed.
>
> My larger concern is that these removals were effectively hidden within
> a commit that ostensibly only rearranged and reindented code.
My apologies, I should have mentioned it in the commit message. Anyway, I will be
deferring from removing any existing comments.
> It occurs to me that commits that rearrange or reindent code are a
> potential security risk, because they obscure other changes made within
> the same commit. Even developers who try to keep an eye on changes
> being made to Guix tend to simply *assume* that commits like these are
> what they claim to be, because it's too tedious to verify them.
>
> If we allow unannounced changes to be obscured within "cosmetic changes"
> commits without reprimand, we invite the future possibility of
> deliberate corruption of our code base via such commits, by attackers
> who have compromised our developers' machines or signing keys.
I see. I haven't thought about this, but will consider it.
Thanks!
Regards,
RG.
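The verification Mark calls too tedious can be partly automated. The following is an added example, not code from the Guix project or from anyone in this thread: it compares a file before and after a commit while ignoring indentation, intra-line whitespace and line order, and reports any line content that was added or removed, so a reindent-only commit passes but a silently dropped comment is flagged. The Scheme snippet is constructed for illustration.

```python
"""Check whether a "cosmetic changes" commit is really cosmetic.

Added example (not from the Guix project or this thread). Reindenting and
reordering whole lines are accepted; any line whose content appears or
disappears is reported. A line re-wrapped across a line boundary is also
reported, which is a conservative false positive a reviewer can dismiss.
"""
import re
from collections import Counter

_WS = re.compile(r"\s+")


def normalize(line: str) -> str:
    """Collapse whitespace so indentation and spacing differences vanish."""
    return _WS.sub(" ", line).strip()


def content_diff(before: str, after: str):
    """Return (removed, added): normalized lines whose multiset count changed."""
    old = Counter(normalize(l) for l in before.splitlines() if l.strip())
    new = Counter(normalize(l) for l in after.splitlines() if l.strip())
    removed = sorted((old - new).elements())
    added = sorted((new - old).elements())
    return removed, added


def is_cosmetic(before: str, after: str) -> bool:
    """True only if no line content was added or removed."""
    removed, added = content_diff(before, after)
    return not removed and not added


# Constructed sample: a package definition, reindented in the "cosmetic"
# version, with one comment quietly dropped along the way.
BEFORE = """\
(define-public foo
  (package
    (name "foo")
    ;; Upstream has no release tarballs, so use the git checkout.
    (source (git-checkout))))
"""

AFTER = """\
(define-public foo
 (package
  (name "foo")
  (source (git-checkout))))
"""

if __name__ == "__main__":
    removed, added = content_diff(BEFORE, AFTER)
    print("cosmetic:", is_cosmetic(BEFORE, AFTER))
    print("removed:", removed, "added:", added)
```

In a real review the two strings would be the output of `git show <commit>^:path` and `git show <commit>:path`; `git diff -w` gives a quicker but order-sensitive view of the same thing.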