This information is valid only for developers who have been granted access to this repository.

The git security repository is for collaboration among developers for not yet disclosed security issues. The repository is quite special:

1. It is not publicly accessible.
2. It will often rebase or reset/fast-forward to the main repository.

The repository is located at github as a private repository, you need to add it as another remote repository to your existing phpmyadmin clone.

Open terminal window, cd to your repository and add the remote one:

$ git remote add security git@github.com:phpmyadmin/phpmyadmin-security.git
$ git remote update security

First you need to choose where you will base your patches, this should be latest stable release and we will later merge changes to QA and master branches.

For example we will work on QA_5_2 and the security patches will be in QA_5_2-security branch.

First check whether QA_5_2-security branch already exists:

git branch QA_5_2-security security/QA_5_2-security

If this fails, we should create it:

git branch QA_5_2-security origin/QA_5_2

And checkout it to work on it:

git checkout QA_5_2-security

To get latest updates of security branch, do following:

git checkout QA_5_2-security
git pull security QA_5_2-security`

Once you have done some changes, you can push it to the security repo:

git push security QA_5_2-security

Once the patches are ready, you need to merge changes to main git repository.

$ git remote update security # update patches from security repo
$ git checkout QA_5_2 # change working copy to maintenance branch
$ git merge security/QA_5_2-security # merge security branch

Now you can publish it as usual, but most likely you will want to merge changes to other branches as well:

$ git checkout QA_6_0 # checkout QA branch
$ git merge QA_5_2 # merge changes
$ git checkout master # checkout master branch
$ git merge QA_6_0 # merge changes

Once the changes are merged, you should delete the corresponding branch in the security repository to avoid confusion when other security issues arise:

git push security :QA_5_2-security

The advisories are prepared as draft in the website administration. Once they are ready to publish, just remove the draft flag and they will appear on the website.

You need to update all branches present in the security repository, to their refs in the main repository.

You might need to replace origin/heads by origin.

$ git push PMA-SECURITY origin/heads/master:master-security
$ git push PMA-SECURITY origin/heads/QA_5_2:QA_5_2-security
$ git push PMA-SECURITY origin/heads/QA_4_9:QA_4_9-security