How to perform security fixes

From Wikitech
Revision as of 19:31, 5 September 2012 by Krinkle (Talk | contribs)


Make sure you're not alone on this. Draft it on Gerrit first (though that's not 100% secure) or share it with a colleague through secure channels or private mailing lists for review.

This is a brief guide on how to perform security fixes, from drafting the commit through to the minor release.

Steps

1: Commit

Locally (on your workstation) check out the currently relevant wmf branch(es). Write the fix there and test it, then commit it to your local topic branch. You may also want to check whether this commit applies cleanly to the other active wmf branch (there are usually two, e.g. wmf/1.20wmf9 and wmf/1.20wmf10), so you're prepared to handle the merge conflict later on.

Note: Commits (especially security-related ones) should, of course, always add release notes!

# Create a topic branch
jdoe@laptop:~/Dev/mediawiki/core$ git checkout -b fix-my-bug master
# Fix the security bug
# Add the file (or files) to the staging area
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git add path/to/file.php RELEASE-NOTES-1.20

# Confirm your stage contains what you want to commit (no more, no less)
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git status

jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git commit

2: Apply on fenari

# Convert the commit to a git patch file
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git format-patch HEAD --stdout > ~/fix-my-bug.patch

# Copy it to your home directory on fenari (scp defaults: protocol=ssh, username=local username, target directory=home directory)
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ scp ~/fix-my-bug.patch fenari.wikimedia.org

# Log into fenari and go to the git dir
jdoe@laptop:~/Dev/mediawiki/core$ ssh fenari.wikimedia.org
jdoe@fenari:~$ cd /h/w/common/php-1.20wmf10
# --signoff uses your .gitconfig (on fenari) to determine the name and e-mail address.
jdoe@fenari:/h/w/common/php-1.20wmf10 (wmf/1.20wmf10)$ git am --signoff < ~/fix-my-bug.patch

# If there are other active branches, apply the patch there as well

You may want to verify at this point that the bug is fixed on test.wikipedia.org.

3: Deploy

See also How to deploy code
jdoe@fenari:/h/w/common$ sync-file php-1.20wmf10/path/to/file.php 'API security fix'

4: Push to gerrit & make release

Todo: These could be moved to a generic "Backport and do a minor release" how-to page, then put a link here.

Push to gerrit

# Commit to the wmf branch in gerrit. Especially important because the clone on fenari is
# now 1 commit ahead of the gerrit repository
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git push gerrit HEAD:refs/for/wmf/1.20wmf10
# This creates a new gerrit change; self-merge it through the web interface.
# That is okay, since it is already deployed anyway.

# Now for the release. First to master.
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git push gerrit HEAD:refs/for/master

# Make note of the git commit hash 
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git show HEAD --stat

# Then to the other release branch(es).
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug)$ git checkout -b fix-my-bug/REL1_19 gerrit/REL1_19
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git cherry-pick 9023aa2d830029da5745e92212f03ddbc71da4c2
# Make sure to update the release notes properly (this will probably cause a conflict; either way, update the right file)
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git add RELEASE-NOTES-1.19
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git commit --amend
jdoe@laptop:~/Dev/mediawiki/core (fix-my-bug/REL1_19)$ git push gerrit HEAD:refs/for/REL1_19

# Each push creates a new gerrit change. Merge as appropriate.

Make release

TODO: Something with make-release from mediawiki/tools/release.git
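As an added example (not part of the original page or of the MediaWiki release tooling), a shell pre-check for the advice in step 1: dry-run the file from `git format-patch` against every active wmf branch before copying it to fenari, so you know in advance which branch will need conflict handling. The repository, file names and branch names built by the demo function are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Dry-runs a format-patch file
# against every active wmf branch (step 1's "applies cleanly" check) without
# touching the checked-out working tree: each branch is read into a throwaway
# index and the patch is checked with `git apply --check --cached`.

# patch_applies_cleanly REPO PATCH BRANCH  -> 0 if it applies, 1 if it conflicts
patch_applies_cleanly() {
    tmp=$(mktemp -d) || return 1
    idx=$tmp/index   # does not exist yet, so git starts from an empty index
    if GIT_INDEX_FILE=$idx git -C "$1" read-tree "$3" >/dev/null 2>&1 &&
       GIT_INDEX_FILE=$idx git -C "$1" apply --check --cached "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# check_all_branches REPO PATCH BRANCH...  -> prints a line per branch,
# returns the number of branches the patch conflicts with (0 = safe to proceed)
check_all_branches() {
    repo=$1; patch=$2; shift 2; bad=0
    for b in "$@"; do
        if patch_applies_cleanly "$repo" "$patch" "$b"; then echo "ok       $b"
        else echo "CONFLICT $b"; bad=$((bad + 1)); fi
    done
    return $bad
}

# make_demo_repo DIR: constructed repository (hypothetical file and branch names)
# with two wmf branches; wmf10 has diverged on the file the fix touches.
make_demo_repo() {
    r=$1
    git -C "$r" init -q && git -C "$r" config user.name "J Doe" &&
    git -C "$r" config user.email jdoe@example.org || return 1
    printf 'function checkToken($t) {\n  return true;\n}\n' > "$r/api.php"
    git -C "$r" add api.php && git -C "$r" commit -q -m base
    git -C "$r" branch wmf/1.20wmf9 && git -C "$r" branch wmf/1.20wmf10
    git -C "$r" checkout -q wmf/1.20wmf10
    printf 'function checkToken($t, $u) {\n  return true;\n}\n' > "$r/api.php"
    git -C "$r" commit -q -am "wmf10 refactor"
    # the fix itself lives on a topic branch off wmf9, as in step 1
    git -C "$r" checkout -q -b fix-my-bug wmf/1.20wmf9
    printf 'function checkToken($t) {\n  return $t === getToken();\n}\n' > "$r/api.php"
    git -C "$r" commit -q -am "Fix token check" &&
    git -C "$r" format-patch -1 --stdout > "$r/fix-my-bug.patch"
}
# Usage: make_demo_repo "$(mktemp -d)", then
#   check_all_branches REPO REPO/fix-my-bug.patch wmf/1.20wmf9 wmf/1.20wmf10
```

Run it against the real clone with the actual patch file and branch names; a non-zero exit tells you which branch will need a manual merge before the `git am` step on fenari.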

