I suspect that many people do not know that the life of a security patch to an 
OpenStack project differs from that of a normal patch. Gerrit is public, so 
patches for private security bugs can't be proposed or reviewed there. Instead, 
they need to be proposed to and reviewed in the comments of the Launchpad bug 
report.

What we want to avoid is someone filing a private security bug and then proposing 
the patch to Gerrit for review, where it becomes public.

https://security.openstack.org/#how-to-propose-and-review-a-security-patch has 
been created to show how to create and apply a security patch. (I've summarized 
it below)

When you, the patch author, want to propose a patch, you should export it and 
attach it to the Launchpad bug report as a comment. How do you export the 
patch? Like this:

# check out the committed patch locally, then export the most recent commit
# (everything after HEAD~1) in mail format to a file
git format-patch --stdout HEAD~1 >path/to/local/file.patch

Now you have a local file you can attach to comments, email around, or whatever 
you want. It contains not only the patch diff, but the author, timestamp, and 
other metadata needed for someone to apply it locally to their own repo.

Now, if you, as a patch reviewer, want to test out a patch, download it from 
the Launchpad bug report and run the following:

git am <path/to/local/file.patch

This will apply it as a commit locally, with the original author and message 
preserved, and you, the patch reviewer, can rebase it, cherry-pick it for 
backporting, or whatever.
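As an added example (not part of John's post or any OpenStack tooling), the script below round-trips a commit through the two commands above using throwaway repositories: it exports the top commit with `git format-patch`, checks that the file carries the author and subject metadata the post mentions, applies it with `git am` under a different committer identity, and confirms the original author survived. It assumes only that `git` is on PATH; every name, path and commit message is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `git` is installed.
set -eu

demo_roundtrip() {
  work=$(mktemp -d)
  src="$work/src"; dst="$work/dst"; patch="$work/fix.patch"

  # Author side: a base commit plus the (constructed) security fix to export.
  git init -q "$src"
  git -C "$src" -c user.name=Base -c user.email=base@example.invalid \
      commit -q --allow-empty -m "base"
  echo "sanitize input" > "$src/fix.txt"
  git -C "$src" add fix.txt
  git -C "$src" -c user.name="Patch Author" -c user.email=author@example.invalid \
      commit -q -m "Fix input validation (constructed)"

  # The post's export command: the single commit after HEAD~1, mail-formatted.
  git -C "$src" format-patch --stdout HEAD~1 > "$patch"

  # The file is more than a diff: it carries From:/Subject: headers (and Date:).
  grep -q '^From: Patch Author <author@example.invalid>' "$patch"
  grep -q '^Subject: \[PATCH\] Fix input validation (constructed)' "$patch"

  # Reviewer side: a clone holding only the base commit, then `git am` the file.
  git clone -q "$src" "$dst"
  git -C "$dst" reset -q --hard HEAD~1
  git -C "$dst" -c user.name=Reviewer -c user.email=reviewer@example.invalid \
      am -q < "$patch"

  # The applied commit keeps the original author, not the reviewer's identity.
  git -C "$dst" log -1 --format='%an <%ae>' \
      | grep -q 'Patch Author <author@example.invalid>'
  git -C "$dst" log -1 --format='%s' | grep -q 'Fix input validation (constructed)'

  rm -rf "$work"
  echo "ok"
}

demo_roundtrip
```

Because `git am` records the reviewer as committer while keeping the author from the patch file, the resulting history attributes the fix correctly even when it never passes through Gerrit.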

Happy security bug fixing!


--John

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev