Hi Mark, Am Mittwoch, den 21.04.2021, 17:11 -0400 schrieb Mark H Weaver: > Hello Guix, > > Raghav Gururajan has pushed another misleading "cosmetic changes" > commit. This one is *far* worse than the examples I gave before. > This one removes the security fixes for CVE-2018-19876 and > cairo-CVE-2020-35492 that I had applied in commit > bc16eacc99e801ac30cbe2aa649a2be3ca5c102a. > > Behold, Raghav's "cosmetic changes" to our 'cairo' package: In particular, it is also worse than the glib example you've used, since at least the glib one is followed up by an update. This one is not, at least as far as I can tell.
https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a > > With this in mind, does anyone else find it worrisome that Raghav has > commit access? > > Mark It is indeed worrying, that those patches seem to have made it to wip- gnome with little review. I believe we inherited this from before work was done on savannah, as I can't seem to find them within our mailing lists. As a side note, that's why I make it a habit not to push any patches, that I've edited too heavily, instead sending them back to the mailing list in hope for another reviewer. Even if those changes seem merely cosmetic to me, they might have a larger impact than I can imagine. However, in taking more time to let patches sit on the mailing list, I fear that I might come off as "unwilling" to those contributors, whose work I help review, including Raghav, and also that my involvement in some patch discussion tells other committers "don't worry, I got this, do something else". I don't think we need to strip Raghav's commit rights yet, but at the same time we ought to more closely monitor what's going on in wip- gnome. Being 3 GNOME releases and one c-u merge late, there isn't much room to allow for fuck-ups, and as we all know, that's when most of them happen. Regards, Leo
