How to perform security fixes

Latest revision as of 00:28, 6 September 2012

Make sure you're not alone on this. Draft it on Gerrit first (though that's not 100% secure) or share it with a colleague through secure channels or private mailing lists for review.

[edit] Steps

[edit] 1: Commit

Locally (on your workstation) check out the currently relevant wmf branch(es). Write the fix there and test it. Then commit to your local topic branch. You also may want to check if this commit applies cleanly to the other active wmf branch (if there is two, there is usually two, e.g. wmf/1.20wmf9 and wmf/1.20wmf10), so you're prepared to handle the merge conflict later on.

Note: Commits (especially security related ones) should, of course, always add release notes!

# Create a topic branch
jdoe@laptop:~/Dev/mediawiki/core$ git checkout -b fix-my-bug master

# Fix the security bug

# Add the file (or files) to the staging area
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git add path/to/file.php RELEASE-NOTES-1.20

# Confirm your stage contains what you want to do commit (no more, no less)
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git status

jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git commit

[edit] 2: Apply on fenari

# Convert the commit to a git patch file
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git format-patch HEAD^ --stdout > ~/fix-my-bug.patch

# Copy it to your home directory on fenari (scp defaults: protocol=ssh, username=local username, target directory=home directory)
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ scp ~/fix-my-bug.patch fenari.wikimedia.org

# Log into fenari and go to the git dir
jdoe@laptop:~/Dev/mediawiki/core$ ssh fenari.wikimedia.org
jdoe@fenari:~$ cd /h/w/common/php-1.20wmf10
# Sign off uses your .gitconfig (on fenari) to determine name and e-mail address.
jdoe@fenari:/h/w/common/php-1.20wmf10 (wmf/1.20wmf10)$ git am --signoff < ~/fix-my-bug.patch

If there are other active branches, apply the patch there as well (see roadmap).
You may want to verify at this point that the bug is fixed on test.wikipedia.org.

[edit] 3: Deploy

[edit] 4: Push to gerrit & make release

Todo: These could be moved to a generic "Backport and do a minor release" how-to page, then put a link here.

[edit] Push to gerrit

# Commit to the wmf branch in gerrit. Especially important because the clone on fenari is
# now 1 commit ahead of the gerrit repository
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git push gerrit HEAD:refs/for/wmf/1.20wmf10
# Creates new gerrit change, self-merge this one through the web interface
# Okay, since it is already deployed anyway.

# Now for the release. First to master.
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git push gerrit HEAD:refs/for/master

# Make note of the git commit hash 
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git show HEAD --stat

# Then to the other release branch(es).
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git checkout -b fix-my-bug/REL1_19 gerrit/REL1_19
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git cherry-pick 9023aa2d830029da5745e92212f03ddbc71da4c2
# Make sure to update the release notes properly (probably causes a conflict, either way update the right file)
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git add RELEASE-NOTES-1.19
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git commit --amend
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git push gerrit HEAD:refs/for/REL1_19

# Creates a new gerrit change for each push. Merge as appropiate.

[edit] Make release

TODO: Something with make-release from mediawiki/tools/release.git

[edit] See also

Example of a backport commit to a release branch

@@ Line 7: / Line 7: @@
 Locally (on your workstation) check out the currently relevant wmf branch(es). Write the fix there and test it. Then commit to your local topic branch. You also may want to check if this commit applies cleanly to the other active wmf branch (if there is two, there is usually two, e.g. wmf/1.20wmf9 and wmf/1.20wmf10), so you're prepared to handle the merge conflict later on.
-'''Note:''' This commit must contain release notes!
+'''Note:''' Commits (especially security related ones) should, of course, always add release notes!
 <pre>
 # Create a topic branch
 jdoe@laptop:~/Dev/mediawiki/core$ git checkout -b fix-my-bug master
 # Fix the security bug
 # Add the file (or files) to the staging area
 jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git add path/to/file.php RELEASE-NOTES-1.20
@@ Line 25: / Line 27: @@
 <pre>
 # Convert the commit to a git patch file
-jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git format-patch HEAD --stdout > ~/fix-my-bug.patch
+jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git format-patch HEAD^ --stdout > ~/fix-my-bug.patch
 # Copy it to your home directory on fenari (scp defaults: protocol=ssh, username=local username, target directory=home directory)
@@ Line 36: / Line 38: @@
 jdoe@fenari:/h/w/common/php-1.20wmf10 (wmf/1.20wmf10)$ git am --signoff < ~/fix-my-bug.patch
-# If there are other active branches, apply the patch there as well
 </pre>
-You may want to verify at this point that the bug is fixed on [[test.wikipedia.org]].
+* If there are other active branches, apply the patch there as well (see [[mw:MediaWiki_1.20/Roadmap#Timeline|roadmap]]).
+* You may want to verify at this point that the bug is fixed on [[test.wikipedia.org]].
 === 3: Deploy ===
 : See also [[How to deploy code]]
 <pre>
-jdoe@fenari:/h/w/common$ sync-file php-1.20wmf10/path/to/file.php 'API security fix'
+jdoe@fenari:/h/w/common$ sync-file php-1.20wmf10/path/to/file.php 'Deploy security fix'
 </pre>

How to perform security fixes

Latest revision as of 00:28, 6 September 2012

Contents

[edit] Steps

[edit] 1: Commit

[edit] 2: Apply on fenari

[edit] 3: Deploy

[edit] 4: Push to gerrit & make release

[edit] Push to gerrit

[edit] Make release

[edit] See also

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Ops documentation

Wiki

Toolbox