[tripleo][core] gerrit breach and auditing all tripleo commits since Oct 01

Marios Andreou marios at redhat.com
Wed Oct 21 07:15:30 UTC 2020


Hi folks,

as you are undoubtedly aware, gerrit was down yesterday. There was this
email to service-announce [1] with more information about what happened
(kudos Julia Kreger who sent [2] where I saw that). There is a list of
changes [3] since October 1st that we should audit out of precaution and to
be responsible and accountable to our community and users.

As you can expect there are a great number of changes. I put a full commit
list at [5]. I mined those from [3] - see [4] for info about the 'mining'
and even better if someone has time to verify that I didn't miss any repos
or commits.

Please, I need help from all core reviewers. We need to check that the
commits in [5] appear valid and correct - remember the concern is for any
changes that may have been merged by a compromised account. I propose that
we do this via Gerrit and that we leave a comment - 'CHECKED' - on each
review that we check? Hopefully we can cover all of these before the end of
the week by distributing our efforts. I am open to other suggestions though
if folks feel this is better done via some document/spreadsheet etc.

Of course, as stated in [1], it is a good idea for everyone to double check
their account activity and make sure nothing is off.

Thank you in advance for your help,

marios

[1] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
[2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
[3] https://static.opendev.org/project/opendev.org/gerrit-diffs/
[4] https://gist.github.com/marios/a44a55998531354dc3d634dddeadf1c0
[5] https://gist.github.com/marios/d1b774c827769373b67d3988105140dd
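
One way to track coverage of the 'CHECKED' proposal above, as an added example that is not part of the original email: it takes a Gerrit REST change listing (`/changes/` queried with `o=MESSAGES`) and reports which changes still lack a 'CHECKED' comment. The account ids, change numbers and the rule that an owner's own comment does not count are assumptions of this example.

```python
import json

XSSI_PREFIX = ")]}'"  # Gerrit prepends this line to JSON REST responses

def parse_gerrit_json(body):
    """Strip Gerrit's anti-XSSI prefix and decode the payload."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return json.loads(body)

def audit_coverage(changes, core_ids, marker="CHECKED"):
    """Return (checked, unchecked) lists of change numbers.

    Assumption of this example: a change counts as checked only when the
    marker was left by an account in core_ids that is not the change owner,
    so an account cannot vouch for its own change.
    """
    checked, unchecked = [], []
    for change in changes:
        owner = change["owner"]["_account_id"]
        ok = False
        for msg in change.get("messages", []):
            # Messages generated by Gerrit itself carry no author.
            author = msg.get("author", {}).get("_account_id")
            words = msg["message"].split()  # whole-word match on the marker
            if author in core_ids and author != owner and marker in words:
                ok = True
                break
        (checked if ok else unchecked).append(change["_number"])
    return checked, unchecked

# Constructed sample response; ids and change numbers are made up.
SAMPLE_BODY = ")]}'\n" + json.dumps([
    {"_number": 1001, "owner": {"_account_id": 11}, "messages": [
        {"author": {"_account_id": 22}, "message": "Patch Set 2:\n\nCHECKED"}]},
    {"_number": 1002, "owner": {"_account_id": 11}, "messages": [
        {"author": {"_account_id": 11}, "message": "Patch Set 1:\n\nCHECKED"}]},
    {"_number": 1003, "owner": {"_account_id": 33}, "messages": [
        {"message": "Build succeeded."},
        {"author": {"_account_id": 22}, "message": "Patch Set 1:\n\nNot CHECKED-yet"}]},
    {"_number": 1004, "owner": {"_account_id": 33}},
])
CORE_IDS = {11, 22}  # hypothetical core reviewer account ids

if __name__ == "__main__":
    done, todo = audit_coverage(parse_gerrit_json(SAMPLE_BODY), CORE_IDS)
    print("checked:", done)
    print("still to audit:", todo)
```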