Hello,

As every team we are also concerned by the gerrit breach and we must take a look at our changes during this time frame on all our deliverables [1].

The list of deliverables owned by Oslo is very huge, we need a methodical approach and also external help to check all these repositories.

Fortunately oslo was in feature freeze during the majority of this period so I think it will reduce the scope of our investigation to our master branches.

Due to the criticality of the problem I propose the following action plan:

- first, split our deliverables in group and assign volunteer on them

- second, focus us on changes against our scripts, executable files and CI config;

- third, inspect documentation;

- fourth, inspect other kinds of changes that I missed in previous points.

I wrote a script [2][3] to help the release team to extract relevant changes (*.py, *.sh), all the rest (*.yaml, *.rst) have been ignored for now, we could adapt this script to lead our investigation.

Example of script usage against our openstack/oslo.messaging repos:

```

$ cd oslo.messaging

$ curl https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh | sh

```

Are you interested to follow this action plan?

Ben as you are the security liaison are you interested in coordinating these groups/actions?

Else any volunteer?

Feel free to propose another approach or to propose changes on this one.

Please ensure to double check your account activity [4] and make sure nothing is off.

Special congrats to Julia Kreger and for her excellent job [5].

Thank you in advance for your help,