How to format a patch for a security bug

Security bugs cannot be patched and reviewed via gerrit because there is no "private" section for patches in gerrit. Therefore the patch must be reviewed in the Launchpad bug comments. This page describes how to format the patch so that other reviewers can easily download and review it.

To create the patch

After creating your patch locally on a branch and committing it as one commit ready for review, the following will export the patch to a text file that can be copied around:

 $ git format-patch --stdout HEAD~1 >path/to/local/file.patch`

To review the patch

When a reviewer gets the text file, they can run the command below to apply the patch as a commit (with commit message and appropriate date/author info). Then it can be easily cherry-picked and backported.

 $ git am <~path/to/local/file.patch

However, the patch proposer might not have used the above command to format the patch. The proposer might have only captured the output of `git show`. In that case, you can grab the patch with

 $ git apply path/to/local/file.patch

You won't get the commit message, but you'll have something locally you can work with.