Probably the most optimal workflow would be to create a git branch (e.g. ubuntu-14.04) with a custom gbp.conf and maintain it by importing upstream in one commit and updating the changelog and other stuff, including refreshing patches, in other commits, so that it would be easy to produce a patch file that the Ubuntu security team can apply on top of the mix of the previous debian/ contents from the Ubuntu archive and the updated rest from upstream. This would allow using git-buildpackage to produce test builds instead of plain 'fakeroot dpkg-buildpackage'.
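An added example of the branch-specific gbp.conf the comment describes, not the commenter's or the project's own file; the branch and tag names, key id and export directory are assumptions:

```ini
# debian/gbp.conf on the ubuntu-14.04 branch (added example; branch names,
# tag formats, key id and paths are assumptions, not from the original comment)
[DEFAULT]
# Packaging work for this Ubuntu release lives on its own branch, so the
# release-specific debian/ changes never mix with the Debian packaging branch.
debian-branch = ubuntu-14.04
upstream-branch = upstream
# Keep pristine-tar deltas so the exact upstream tarball can be regenerated
# and compared byte-for-byte against the one already in the archive.
pristine-tar = True
upstream-tag = upstream/%(version)s
debian-tag = ubuntu-14.04/%(version)s
# Sign the tags created on import and release so the provenance of each
# upstream import and each packaging revision can be verified later.
sign-tags = True
keyid = 0xDEADBEEF   # placeholder key id

[import-orig]
# Bring the new upstream release in as a single merge commit on the packaging
# branch: this is the "import upstream in one commit" step from the comment.
merge = True

[pq]
# Export refreshed patches without numeric prefixes so a refresh produces a
# minimal, reviewable diff under debian/patches/.
patch-numbers = False

[buildpackage]
# Build from a clean export of the committed tree, not the working directory,
# so stray local files cannot leak into the source package sent for review.
export-dir = ../build-area/
# Refuse to build with uncommitted changes: the patch handed to the security
# team must correspond exactly to committed history on this branch.
ignore-new = False
```

With this file in place, `gbp import-orig`, `gbp pq export` and `gbp buildpackage` pick up the branch-specific settings without extra command-line flags.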