
Applying security patches should be robust and also give some useful output
Open, Medium, Public

Description

When applying the security patches with scap apply-patches --train, it immediately completed, leaving me to wonder whether the patches actually got applied. I eventually looked at the available patches and checked the affected repositories to confirm.

It would be nice to print the list of patches that got applied or were already applied.

Besides that, it is great functionality. It definitely saves a noticeable amount of time. Thanks for that!

Also, apply-patches can fail in various cases, if patches don't all apply cleanly. It should never fail for that, and should be atomic: either all patches have been applied, or none.

Event Timeline

hashar created this task. Dec 1 2020, 6:07 PM
Restricted Application added a subscriber: Aklapper. Dec 1 2020, 6:07 PM
LarsWirzenius triaged this task as Medium priority. Dec 2 2020, 1:18 PM

Would output like the following be acceptable:

Applying 2 security patches.
Applying patch 01-xyzzy: OK
Applying patch-02-blugh: OK
All security patches applied OK.

In other words: list every patch, and be explicit about whether each patch applied OK, and also be explicit at the end that all applied OK.

Is more needed?

hashar added a comment. Dec 3 2020, 4:42 PM

The lack of output surprised me and I was left wondering whether the patches actually applied.

The proposal looks good. Consider using the full file path, which carries the MediaWiki version but most importantly the repository name.

LarsWirzenius renamed this task from Applying security patches should give some output to Applying security patches should be robust and also give some useful output. Fri, Jan 15, 12:57 PM
LarsWirzenius updated the task description.

Noting here that I ran into a situation with a patch that didn't apply cleanly under --no-3way, but did with the traditional instructions:

USERNAME@deploy1001:/srv/mediawiki-staging/php-[VERSION]$ git apply --check --3way /srv/patches/[VERSION]/core/[NUMBER]-T[NUMBER].patch
USERNAME@deploy1001:/srv/mediawiki-staging/php-[VERSION]$ git am --3way /srv/patches/[VERSION]/core/[NUMBER]-T[NUMBER].patch

From memory, I think this is a fairly common scenario.
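
The all-or-nothing behaviour and per-patch output this task asks for, shown as an added example (not scap's code and not written by anyone in this thread). The function name apply_all_or_none and the output wording are assumptions; patches are assumed to be in git format-patch form, as git am requires.

```shell
#!/bin/sh
# Added example (not scap's code): all-or-nothing patch application with
# per-patch output. Patch paths must be absolute because git -C changes
# directory before it opens them.
apply_all_or_none() {
    repo=$1; shift
    start=$(git -C "$repo" rev-parse --verify HEAD) || return 2
    # reset --hard is the rollback, so refuse to run over local edits.
    if [ -n "$(git -C "$repo" status --porcelain --untracked-files=no)" ]; then
        echo "Refusing to apply: $repo has uncommitted changes." >&2
        return 2
    fi
    echo "Applying $# security patches."
    for patch in "$@"; do
        # A patch that reverse-applies cleanly is already in the tree.
        if git -C "$repo" apply --check --reverse "$patch" 2>/dev/null; then
            echo "Applying $patch: already applied"
        elif git -C "$repo" am --3way --quiet "$patch" >/dev/null 2>&1; then
            echo "Applying $patch: OK"
        else
            echo "Applying $patch: FAILED"
            # Drop the half-applied patch, then undo the earlier ones.
            git -C "$repo" am --abort >/dev/null 2>&1 || true
            git -C "$repo" reset --hard --quiet "$start"
            echo "Rolled back to $start; nothing from this run remains applied."
            return 1
        fi
    done
    echo "All security patches applied OK."
}
```

The function returns 0 when every patch is applied or already present, 1 after a rollback, and 2 when it refuses to start.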