Hi Léo,

Léo Le Bouter <lle-b...@zaclys.net> writes:

> I don't share your analysis, the security fixes weren't stripped because
> glib/cairo was also updated to latest version in subsequent commits
> which were pushed all at once.

'glib' was updated, but 'cairo' wasn't, presumably because there's no
newer stable release of 'cairo' to update to.

> Careful review was done, and that's why I signed-off and GPG-signed the
> commits. Nobody was put at risk by these commits and no security fixes
> were stripped.

Those are bold claims, given the contents of our git repository.

Here's Raghav's commit on the 'core-updates' branch, which bears your
digital signature (according to my 'git' client), where the security
fixes for CVE-2018-19876 and CVE-2020-35492 were removed, in a commit
whose summary line is "gnu: cairo: Make some cosmetic changes":

  https://git.sv.gnu.org/cgit/guix.git/commit/?h=core-updates&id=f94cdc86f644984ca83164d40b17e7eed6e22091

I have two questions for you:

(1) Do you deny that you digitally signed that commit?

(2) Do you deny that there's anything wrong with that commit?

Thanks,
Mark

--
Support Richard Stallman against the vicious misinformation campaign
against him and the FSF. See <https://stallmansupport.org> for more.