[openssl-users] Minimizing the pain of reformatting your OpenSSL patches

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Thu Mar 19 08:40:00 UTC 2015


the upcoming security update imposes a special challenge to
all OpenSSL users who maintain their own patch sets.

The reason is the code reformat which has taken place in between
the last and the upcoming release, which renders existing patches

Matt Caswell has posted a detailed article explaining how you can
reformat your patches, see

This article inspired me to the following solution and I extended his
ideas a little. Here is the recipe which worked for me. It is a little
bit simpler than the solution of the blog, because it does not involve
cherry-picking. Also, I wrote a script helping me to do the bulk
conversion of many patches:

  Assuming, you have a branch "${branch}" containing all your
  patches, The script creates a copy of your branch, named
  "${branch}-pre-auto-reformat" which it then rebases to
  For every commit on the rebased branch, it does an automatic
  conversion, placing the results onto a new branch

Finally, you can rebase a copy "${upstream}-reformatted" of the
reformatted branch "${upstream}-post-auto-reformat" to the
upcoming release (say, 1.0.1m).

More details at the end of the mail.


The script is merely a demonstration which may serve as a starting
point for you and may not be 100% fool-proof. I hope it will turn out
to be useful for some of you. However, I don't take any
responsibilities if anything goes wrong. Use it at your own risk!


In following I describe the steps in more detail how you can

 1) get your patches into git (if you havn't done it yet)
 2) do the reformatting in git, with the help of the script
 3) rebase your patches to the current release
 4) recreate the patches using 'git format-patch'

If your patches are already maintained in a git repository,
you may skip step 1)

1) If you only have patches, no git repository, it's a good idea
to get your own clone of the git repository, in which you have an
own branch to maintain your patches.

   git clone git://git.openssl.org/openssl.git
   cd openssl

This will not only ease the transition, but also pay back in the future,
since the powerful capabilities features of git will make it easy in the
future to rebase your patches using just two commands, 'git rebase' and
'git format-patch'.

Just create a branch off the vanilla release from which your
patches depart (say, OpenSSL 1.0.1k)

   git checkout -b mypatches OpenSSL_1_0_1k

Apply your patches one-after-the-other, creating a single commit
for each patch with meaningful commit messages. Note that the header
line of your commit message will be used by 'git format-patch' to create
a filename for the patch. 

(If you don't know how to do this in git, you may want to consult

2) Now we assume that

  a) you already have an OpenSSL git repository
  b) your patches are on a branch called 'mypatches',
     which were branched from one of the stable branches
     before the reformatting (say OpenSSL_1_0_1-stable)
  c) your working copy is clean (no local changes or
     untracked files)
  d) you're running linux (if not, get yourself a Linux VM)

The attached script shows an example of how to automate
the procedure of reformatting every single commit on your
branch and recommitting it. It contains a lot of comments
to explain what it is doing. PLEASE READ THE COMMENTS

You just have to set the two variables 'branch' and 'upstream' 
at the beginning of the script (marked 'todo') to the name
of your branch and its upstream branch, respectively.

The script may fail on the first run when attempting to rebase
"${branch}-pre-auto-reformat". This case is anticipated, just
fix your conflicts, and run the script again
(see <http://git-scm.com/book/en/v2/Git-Branching-Rebasing>)

If any other error occurs, you are on your own ;-)

However, the script does not move existing branch labels, it operates
on new branches. So you may restart as often as you like, as long
as you remove the intermediate branches created by the script
(using 'git branch -D')

If you're still anxious to do this on your production repository, try
it on a copy of repository first.

3) After the script has succeeded, you can rebase your
reformatted branch to the head of the stable branch or
to the tag of the most recent release, e.g. to OpenSSL_1_0_1k:

git checkout -b mypatches-reformatted mypatches-post-auto-reformat
git rebase OpenSSL_1_0_1k

4) Now you can have git recreate your patches automatically
with a single command:

   git format-patch OpenSSL_1_0_1k..HEAD

or, more generally:

   git format-patch $(git merge-base HEAD OpenSSL_1_0_1-stable)..HEAD

-------------- next part --------------
A non-text attachment was scrubbed...
Name: reformat.sh
Type: application/x-shellscript
Size: 2432 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150319/7552a309/attachment-0001.bin>

More information about the openssl-users mailing list