[openstack-dev] [all] formatting security patches

John Dickinson me at not.mn
Thu Aug 6 23:47:43 UTC 2015


I suspect that many people do not know that the life of a security patch to an OpenStack project looks different from that of a normal patch. Gerrit is public, so patches for private security bugs can't be proposed or reviewed there. Instead, they need to be proposed to and reviewed in the comments of the Launchpad bug report.

What we want to avoid is someone filing a private security bug and then proposing the patch to Gerrit for review, which would make the fix (and therefore the bug) public before it is ready.

https://security.openstack.org/#how-to-propose-and-review-a-security-patch has been created to show how to create and apply a security patch. (I've summarized it below)

When you, the patch author, want to propose a patch, you should export it and attach it to the Launchpad bug report as a comment. How do you export the patch? Like this:

# check out the committed patch locally, then do this
git format-patch --stdout HEAD~1 >path/to/local/file.patch

Now you have a local file you can attach to comments, email around, or whatever you want. It contains not only the patch diff, but the author, timestamp, and other metadata needed for someone to apply it locally to their own repo.

Now, if you, as a patch reviewer, want to test out a patch, download it from the Launchpad bug report and run the following:

git am <path/to/local/file.patch

This will apply it as a commit locally, and you, the patch reviewer, can rebase it, cherry-pick it for backporting, or whatever.
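To see the two steps above end to end, here is an added example (not part of the original post) that round-trips one commit through `git format-patch --stdout` and `git am` between two throwaway repositories and confirms that the author and subject arrive intact while the committer becomes the reviewer. It assumes git is installed; the repository names, e-mail addresses and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Exports a commit exactly as the
# post describes and applies it on a "reviewer" clone that lacks the fix.
# Assumes git is on PATH; all names and contents below are constructed.

# Prints "<author email>|<committer email>|<subject>" of the commit as it
# exists on the reviewer side. Returns non-zero if any step fails.
roundtrip_patch() {
    work=$(mktemp -d) || return 1

    # Author side: a base commit plus the fix commit that will be exported.
    (
        git -c init.defaultBranch=main init -q "$work/author" &&
        cd "$work/author" &&
        git config user.name "Fix Author" &&
        git config user.email "author@example.invalid" &&
        printf 'hello\n' > app.txt &&
        git add app.txt &&
        git commit -q -m "Initial import" &&
        printf 'hello\nvalidated\n' > app.txt &&
        git commit -q -a -m "Validate input before use (constructed fix)" &&
        git format-patch --stdout HEAD~1 > "$work/fix.patch"  # diff + metadata
    ) || { rm -rf "$work"; return 1; }

    # Reviewer side: clone, rewind to the base commit, then apply the file
    # that would have been downloaded from the Launchpad bug report.
    (
        git clone -q "$work/author" "$work/reviewer" &&
        cd "$work/reviewer" &&
        git config user.name "Reviewer" &&
        git config user.email "reviewer@example.invalid" &&
        git reset -q --hard HEAD~1 &&
        git am -q < "$work/fix.patch" &&
        grep -q '^validated$' app.txt &&
        git log -1 --format='%ae|%ce|%s'  # author kept, committer is reviewer
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

roundtrip_patch
```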

Happy security bug fixing!


--John





