<div dir="ltr"><div>Thanks everybody for your help :)<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 21, 2020 at 19:22, Michael Johnson <<a href="mailto:johnsomor@gmail.com">johnsomor@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I looked at a few starting at the bottom and repos I am familiar<br>
with. Everything looked fine in those.<br>
<br>
Michael<br>
<br>
On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec <<a href="mailto:openstack@nemebean.com" target="_blank">openstack@nemebean.com</a>> wrote:<br>
><br>
><br>
><br>
> On 10/21/20 10:47 AM, Herve Beraud wrote:<br>
> > Here is an etherpad to coordinate us and to help us to track our audit.<br>
> ><br>
> > This etherpad identifies all gerrit-diff owned by oslo.<br>
> ><br>
> > Please put your name on the line that you decide to assign to you and<br>
> > strike it when the corresponding project is audited.<br>
> ><br>
> > <a href="https://etherpad.opendev.org/p/oslo-gerrit-breach-audit" rel="noreferrer" target="_blank">https://etherpad.opendev.org/p/oslo-gerrit-breach-audit</a><br>
><br>
> Thanks for doing that! I took a look at a few projects and they all<br>
> looked good. It shouldn't take too long to knock this out if everyone<br>
> checks a handful of projects.<br>
><br>
> ><br>
> > It can help to measure our advancement.<br>
> ><br>
> > Thank you in advance for your help,<br>
> ><br>
> > On Wed, Oct 21, 2020 at 12:00, Herve Beraud <<a href="mailto:hberaud@redhat.com" target="_blank">hberaud@redhat.com</a><br>
> > <mailto:<a href="mailto:hberaud@redhat.com" target="_blank">hberaud@redhat.com</a>>> wrote:<br>
> ><br>
> >     Hello,<br>
> ><br>
> >     As every team we are also concerned by the gerrit breach and we must<br>
> >     take a look at our changes during this time frame on all our<br>
> >     deliverables [1].<br>
> ><br>
> >     The list of deliverables owned by Oslo is very huge, we need a<br>
> >     methodical approach and also external help to check all these<br>
> >     repositories.<br>
> ><br>
> >     Fortunately oslo was in feature freeze during the majority of this<br>
> >     period so I think it will reduce the scope of our investigation to<br>
> >     our master branches.<br>
> ><br>
> >     Due to the criticality of the problem I propose the following action<br>
> >     plan:<br>
> >     - first, split our deliverables into groups and assign volunteers to them<br>
> >     - second, focus us on changes against our scripts, executable files<br>
> >     and CI config;<br>
> >     - third, inspect documentation;<br>
> >     - fourth, inspect other kinds of changes that I missed in previous<br>
> >     points.<br>
> ><br>
> >     I wrote a script [2][3] to help the release team to extract relevant<br>
> >     changes (*.py, *.sh), all the rest (*.yaml, *.rst) have been ignored<br>
> >     for now, we could adapt this script to lead our investigation.<br>
> ><br>
> >     Example of script usage against our openstack/oslo.messaging repos:<br>
> >     ```<br>
> >     $ cd oslo.messaging<br>
> >     $ curl <a href="https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh" rel="noreferrer" target="_blank">https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh</a> | sh<br>
> >     ```<br>
> ><br>
> >     Are you interested to follow this action plan?<br>
> ><br>
> >     Ben as you are the security liaison are you interested in<br>
> >     coordinating these groups/actions?<br>
> ><br>
> >     Else any volunteer?<br>
> ><br>
> >     Feel free to propose another approach or to propose changes on this one.<br>
> ><br>
> >     Please ensure to double check your account activity [4] and make<br>
> >     sure nothing is off.<br>
> ><br>
> >     Special congrats to Julia Kreger for her excellent job [5].<br>
> ><br>
> >     Thank you in advance for your help,<br>
> ><br>
> >     [1]<br>
> >     <a href="https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables" rel="noreferrer" target="_blank">https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables</a><br>
> >     <<a href="https://governance.openstack.org/tc/reference/projects/release-management.html" rel="noreferrer" target="_blank">https://governance.openstack.org/tc/reference/projects/release-management.html</a>><br>
> >     [2] <a href="https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033" rel="noreferrer" target="_blank">https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033</a><br>
> >     [3]<br>
> >     <a href="https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh" rel="noreferrer" target="_blank">https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh</a><br>
> >     [4]<br>
> >     <a href="http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html" rel="noreferrer" target="_blank">http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html</a><br>
> >     [5]<br>
> >     <a href="http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html" rel="noreferrer" target="_blank">http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html</a><br>
> ><br>
> >     --<br>
> >     Hervé Beraud<br>
> >     Senior Software Engineer<br>
> >     Red Hat - Openstack Oslo<br>
> >     irc: hberaud<br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Hervé Beraud<br>
> > Senior Software Engineer<br>
> > Red Hat - Openstack Oslo<br>
> > irc: hberaud<br>
> ><br>
><br>
<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Hervé Beraud</div><div>Senior Software Engineer<br></div><div>Red Hat - Openstack Oslo</div><div>irc: hberaud</div></div></div></div></div></div></div></div></div></div></div></div></div>
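<div>The action plan quoted in this thread orders the audit as scripts, executable files and CI config first, then documentation, then everything else. The following is an added example, not part of the thread and not the check.sh it links to: it sorts the files touched in a window of git history into that order and also catches files whose mode became executable, which a filter on file extensions alone would miss. The tier names, the path patterns, the START/END variables and the sample log are assumptions made for the example.</div>

```shell
#!/bin/sh
# Added example, not the check.sh from the thread. Tier names and path
# patterns are assumptions that mirror the order of the action plan.

# triage: read `git log --raw --format='commit %h %an'` text on stdin and
# print "tier<TAB>commit<TAB>author<TAB>path", most urgent tier first.
triage() {
    awk '
        /^commit / {
            sha = $2
            author = $0; sub(/^commit [^ ]+ /, "", author)
            next
        }
        /^:/ {
            newmode = $2                          # file mode after the change
            n = split($0, f, "\t"); path = f[n]   # last field is the (new) path
            if (newmode == "100755" || path ~ /\.(py|sh)$/ ||
                path ~ /^(\.zuul\.yaml|tox\.ini|setup\.cfg|bindep\.txt)$/ ||
                path ~ /^(zuul\.d|playbooks|tools)\//)
                tier = "1-code-ci"    # scripts, executables, CI config
            else if (path ~ /\.rst$/ || path ~ /^(doc|releasenotes)\//)
                tier = "2-docs"
            else
                tier = "3-other"
            printf "%s\t%s\t%s\t%s\n", tier, sha, author, path
        }
    ' | LC_ALL=C sort
}

# Real use (START/END are placeholders; the thread does not give the window):
#   git log --raw --since="$START" --until="$END" \
#       --format='commit %h %an' | triage

# Constructed sample in `git log --raw` layout, so the example runs offline.
sample_log() {
    printf 'commit 1a2b3c4 Alice Example\n\n'
    printf ':100644 100644 aaaaaaa bbbbbbb M\toslo_messaging/rpc/server.py\n'
    printf ':100644 100755 ccccccc ddddddd M\tbin/helper\n'
    printf 'commit 5d6e7f8 Bob Example\n\n'
    printf ':100644 100644 eeeeeee fffffff M\tdoc/source/index.rst\n'
    printf ':100644 100644 1111111 2222222 M\t.zuul.yaml\n'
    printf ':000000 100644 0000000 3333333 A\tLICENSE-extra\n'
}

sample_log | triage
```

<div>Because `--since` and `--until` filter on commit dates, which a committer can set freely, the window should be chosen generously and cross-checked against the review system's own merge timestamps.</div>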