[tripleo][core] gerrit breach and auditing all tripleo commits since Oct 01

Giulio Fidente gfidente at redhat.com
Wed Oct 21 11:42:18 UTC 2020


On 10/21/20 9:15 AM, Marios Andreou wrote:
> Hi folks,
> 
> As you are undoubtedly aware, gerrit was down yesterday. There was this
> email to service-announce [1] with more information about what happened
> (kudos to Julia Kreger, who sent [2], where I saw that). There is a list of
> changes [3] since October 1st that we should audit out of precaution and
> to be responsible and accountable to our community and users.
> 
> As you can expect there are a great number of changes. I put a full
> commit list at [5]. I mined those from [3] - see [4] for info about the
> 'mining' and even better if someone has time to verify that I didn't
> miss any repos or commits.
> 
> Please, I need help from all core reviewers. We need to check that the
> commits in [5] appear valid and correct - remember the concern is for
> any changes that may have been merged by a compromised account. I
> propose that we do this via Gerrit and that we leave a comment -
> 'CHECKED' - on each review that we check? Hopefully we can cover all of
> these before the end of the week by distributing our efforts. I am open
> to other suggestions, though, if folks feel this is better done via some
> document/spreadsheet etc.
> 
> Of course, as stated in [1], it is a good idea for everyone to double-check
> their account activity and make sure nothing is off.
> 
> Thank you in advance for your help,
> 
> marios
> 
> [1] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
> [2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
> [3] https://static.opendev.org/project/opendev.org/gerrit-diffs/
> [4] https://gist.github.com/marios/a44a55998531354dc3d634dddeadf1c0
> [5] https://gist.github.com/marios/d1b774c827769373b67d3988105140dd

Thanks a lot, Marios, for looking into this and organizing activities.

Do I understand correctly that our most immediate responsibility is to
go through the list of commits in [5] and compare what is actually in
the git repos with what was proposed in gerrit?
-- 
Giulio Fidente
GPG KEY: 08D733BA
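The comparison Giulio asks about (what is in git versus what Gerrit reviewed) can be narrowed mechanically before reviewers start leaving 'CHECKED' comments. The script below is an added example and is not code from this thread, from TripleO or from OpenDev's tooling. It assumes a constructed `git log` dump in the format `git log --format='%H%x1f%cI%x1f%B%x1e'` (0x1e between commits, 0x1f between fields) and a constructed dict that loosely mirrors the fields of Gerrit's ChangeInfo (`status`, `current_revision`). It goes slightly beyond the thread by flagging three distinct conditions: a commit with no Change-Id trailer, a Change-Id Gerrit has no merged record of, and a Change-Id whose merged revision in Gerrit is not the SHA that ended up in the repo.

```python
"""Cross-check commits merged into a branch against Gerrit's record of them.

Added example, not code from the thread. All inputs are constructed: the git
log text mimics `git log --format='%H%x1f%cI%x1f%B%x1e'` and the Gerrit
records mimic the `status` and `current_revision` fields of ChangeInfo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Gerrit Change-Id trailer: 'I' followed by 40 hex characters.
CHANGE_ID_RE = re.compile(r"^Change-Id:\s*(I[0-9a-f]{40})\s*$", re.MULTILINE)


@dataclass
class Commit:
    sha: str
    committed: datetime
    message: str

    @property
    def change_id(self):
        m = CHANGE_ID_RE.search(self.message)
        return m.group(1) if m else None


@dataclass
class Finding:
    sha: str
    reason: str   # NO_CHANGE_ID | UNKNOWN_CHANGE | REVISION_MISMATCH
    detail: str


def parse_git_log(raw: str) -> list:
    """Split a 0x1e/0x1f-delimited git log dump into Commit objects."""
    commits = []
    for record in raw.split("\x1e"):
        record = record.strip()
        if not record:
            continue
        sha, date, body = record.split("\x1f", 2)
        commits.append(Commit(sha.strip(), datetime.fromisoformat(date.strip()), body))
    return commits


def audit(commits, gerrit_changes, since: datetime) -> list:
    """Return one Finding per commit in the window that Gerrit cannot vouch for."""
    findings = []
    for c in commits:
        if c.committed < since:
            continue                      # outside the audit window
        cid = c.change_id
        if cid is None:
            findings.append(Finding(c.sha, "NO_CHANGE_ID",
                                    "commit carries no Change-Id trailer"))
            continue
        info = gerrit_changes.get(cid)
        if info is None or info.get("status") != "MERGED":
            findings.append(Finding(c.sha, "UNKNOWN_CHANGE",
                                    f"{cid} has no merged record in Gerrit"))
            continue
        if info.get("current_revision") != c.sha:
            # Same Change-Id, but the repo holds a revision reviewers never saw.
            findings.append(Finding(c.sha, "REVISION_MISMATCH",
                                    f"Gerrit merged {info['current_revision']} "
                                    f"for {cid}, repo has {c.sha}"))
    return findings


# --- constructed sample data (placeholder SHAs and Change-Ids) ---------------
SHA_A, SHA_B, SHA_B_GERRIT = "1" * 40, "2" * 40, "3" * 40
SHA_C, SHA_D, SHA_OLD = "4" * 40, "5" * 40, "6" * 40
CID_A, CID_B, CID_D, CID_OLD = ("I" + ch * 40 for ch in "abde")


def _rec(sha, date, body):
    return f"{sha}\x1f{date}\x1f{body}\x1e"


SAMPLE_GIT_LOG = "".join([
    _rec(SHA_A, "2020-10-15T09:00:00+00:00", f"Fix typo in docs\n\nChange-Id: {CID_A}\n"),
    _rec(SHA_B, "2020-10-12T09:00:00+00:00", f"Harden config\n\nChange-Id: {CID_B}\n"),
    _rec(SHA_C, "2020-10-10T09:00:00+00:00", "Direct push, no review\n"),
    _rec(SHA_D, "2020-10-08T09:00:00+00:00", f"Bump version\n\nChange-Id: {CID_D}\n"),
    _rec(SHA_OLD, "2020-09-20T09:00:00+00:00", f"Old commit\n\nChange-Id: {CID_OLD}\n"),
])

GERRIT_CHANGES = {
    CID_A: {"status": "MERGED", "current_revision": SHA_A},
    CID_B: {"status": "MERGED", "current_revision": SHA_B_GERRIT},
    CID_OLD: {"status": "MERGED", "current_revision": SHA_OLD},
}

SINCE = datetime(2020, 10, 1, tzinfo=timezone.utc)


def run_audit():
    return audit(parse_git_log(SAMPLE_GIT_LOG), GERRIT_CHANGES, SINCE)


if __name__ == "__main__":
    for f in run_audit():
        print(f.sha[:12], f.reason, f.detail)
```

Against a real repository the log text would come from `git log` with the same `--format` and a `--since` cut-off, and the Gerrit records from its REST query for merged changes in the window. The point the third check makes is that a matching Change-Id is only half the evidence: the revision that reviewers approved must also be the SHA now in the branch. Anything the script flags still needs a human to read the diff; anything it passes has at least a consistent paper trail to start from.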