guix-devel

Re: A "cosmetic changes" commit that removes security fixes


From: Mark H Weaver
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Thu, 22 Apr 2021 17:21:41 -0400

Hi Léo,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> I don't share your analysis, the security fixes weren't stripped because
> glib/cairo was also updated to latest version in subsequent commits
> which were pushed all at once.

'glib' was updated, but 'cairo' wasn't, presumably because there's no
newer stable release of 'cairo' to update to.

> Careful review was done, and that's why I signed-off and GPG-signed the
> commits. Nobody was put at risk by these commits and no security fixes
> were stripped.

Those are bold claims, given the contents of our git repository.

Here's Raghav's commit on the 'core-updates' branch, which bears your
digital signature (according to my 'git' client), where the security
fixes for CVE-2018-19876 and CVE-2020-35492 were removed, in a commit
whose summary line is "gnu: cairo: Make some cosmetic changes":

  
https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091

I have two questions for you:

(1) Do you deny that you digitally signed that commit?
(2) Do you deny that there's anything wrong with that commit?

     Thanks,
       Mark

-- 
Support Richard Stallman against the vicious misinformation campaign
against him and the FSF.  See <https://stallmansupport.org> for more.


