Hello,
As every team, we are also concerned by the gerrit breach and we must take a look at our changes during this time frame on all our deliverables [1].
The list of deliverables owned by Oslo is very huge, we need a methodical approach and also external help to check all these repositories.
Fortunately Oslo was in feature freeze during the majority of this period, so I think it will reduce the scope of our investigation to our master branches.
Due to the criticality of the problem I propose the following action plan:
- first, split our deliverables into groups and assign volunteers to them;
- second, focus on changes against our scripts, executable files and CI config;
- third, inspect documentation;
- fourth, inspect other kinds of changes that I missed in previous points.
I wrote a script [2][3] to help the release team to extract relevant changes (*.py, *.sh); all the rest (*.yaml, *.rst) have been ignored for now. We could adapt this script to lead our investigation.
Example of script usage against our openstack/oslo.messaging repos:
```
$ cd oslo.messaging
```
Are you interested in following this action plan?
Ben, as you are the security liaison, are you interested in coordinating these groups/actions?
Otherwise, any volunteer?
Feel free to propose another approach or to propose changes on this one.
Please ensure to double check your account activity [4] and make sure nothing is off.
Special congrats to Julia Kreger for her excellent job [5].
Thank you in advance for your help,
--
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
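As an added illustration of the kind of triage the plan above describes (this is not the script referenced in [2][3] and not Oslo project code), the following Python snippet parses the output of `git log --name-status` for a review window and sorts each commit into the tiers of the proposed action plan: scripts, executables and CI config first, documentation second, everything else last. The `--format` string, the file patterns per tier and the sample log are assumptions constructed for the example.

```python
"""Triage commits from a review window by the kind of file they touch.

Added example, not the script referenced in the message. Input is the
output of (assumed command line, dates are placeholders):

  git log --since=<start> --until=<end> --name-status \
          --format='%H|%an|%s' master
"""
import fnmatch
import re
from collections import OrderedDict

# Review tiers in priority order. The patterns are assumptions for an
# oslo-style repository; adjust them per deliverable.
TIERS = OrderedDict([
    ("scripts_exec_ci", ("*.py", "*.sh", "setup.cfg", "tox.ini", "bindep.txt",
                         "requirements*.txt", "tools/*", "bin/*",
                         ".zuul.yaml", "zuul.d/*", "playbooks/*",
                         ".pre-commit-config.yaml")),
    ("docs", ("*.rst", "doc/*", "releasenotes/*")),
])
OTHER = "other"
ORDER = list(TIERS) + [OTHER]

HASH_RE = re.compile(r"^([0-9a-f]{40})\|([^|]*)\|(.*)$")
# --name-status lines look like "M\tpath", "A\tpath" or "R100\told\tnew".
STATUS_RE = re.compile(r"^([AMDRCT])\d*\t(.+)$")


def classify(path):
    """Return the review tier of a single path (first matching tier wins)."""
    for tier, patterns in TIERS.items():
        if any(fnmatch.fnmatch(path, pat) for pat in patterns):
            return tier
    return OTHER


def parse_log(text):
    """Parse git log output into [{"hash", "author", "subject", "files"}]."""
    commits = []
    current = None
    for line in text.splitlines():
        m = HASH_RE.match(line)
        if m:
            current = {"hash": m.group(1), "author": m.group(2),
                       "subject": m.group(3), "files": []}
            commits.append(current)
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            status, paths = m.groups()
            # Renames and copies carry "old\tnew"; review the new path.
            current["files"].append((status, paths.split("\t")[-1]))
    return commits


def triage(commits):
    """Bucket commit hashes by the highest-priority tier any touched file hits."""
    rank = {tier: i for i, tier in enumerate(ORDER)}
    buckets = {tier: [] for tier in ORDER}
    for commit in commits:
        tiers = [classify(path) for _, path in commit["files"]] or [OTHER]
        buckets[min(tiers, key=rank.__getitem__)].append(commit["hash"])
    return buckets


# Constructed sample output, not real oslo.messaging history.
SAMPLE_LOG = (
    "a" * 40 + "|Alice Example|Fix message serialization\n"
    "M\toslo_messaging/serializer.py\n"
    "M\treleasenotes/notes/fix-serializer-0123456789abcdef.yaml\n\n"
    + "b" * 40 + "|Bob Example|Update admin docs\n"
    "M\tdoc/source/admin/index.rst\n\n"
    + "c" * 40 + "|Carol Example|Add CI job\n"
    "A\t.zuul.yaml\n"
    "R100\ttools/old.sh\ttools/new.sh\n\n"
    + "d" * 40 + "|Dave Example|Clarify license text\n"
    "M\tLICENSE\n"
)

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for tier, hashes in triage(parsed).items():
        print(f"[{tier}] {len(hashes)} commit(s)")
        for h in hashes:
            print("   ", h[:12])
```

Piping a real `git log` run into `parse_log` in place of `SAMPLE_LOG` gives each volunteer a per-tier worklist for their group of repositories, with the highest-risk commits listed first.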