On Wed, Oct 21, 2020 at 2:42 PM Giulio Fidente <gfidente@redhat.com> wrote:
On 10/21/20 9:15 AM, Marios Andreou wrote:
> Hi folks,
>
> as you are undoubtedly aware, gerrit was down yesterday. There was this
> email to service-announce [1] with more information about what happened
> (kudos to Julia Kreger, who sent [2], where I saw that). There is a list of
> changes [3] since October 1st that we should audit out of precaution and
> to be responsible and accountable to our community and users.
>
> As you can expect there are a great number of changes. I put a full
> commit list at [5]. I mined those from [3] - see [4] for info about the
> 'mining' and even better if someone has time to verify that I didn't
> miss any repos or commits.
>
> Please, I need help from all core reviewers. We need to check that the
> commits in [5] appear valid and correct - remember the concern is for
> any changes that may have been merged by a compromised account. I
> propose that we do this via Gerrit and that we leave a comment -
> 'CHECKED' - on each review that we check? Hopefully we can cover all of
> these before the end of the week by distributing our efforts. I am open
> to other suggestions though if folks feel this is better done via some
> document/spreadsheet etc.
>
> Of course as stated in [1] it is a good idea for everyone to double
> check their account activity and make sure nothing is off,
>
> Thank you in advance for your help,
>
> marios
>
> [1] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
> [2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
> [3] https://static.opendev.org/project/opendev.org/gerrit-diffs/
> [4] https://gist.github.com/marios/a44a55998531354dc3d634dddeadf1c0
> [5] https://gist.github.com/marios/d1b774c827769373b67d3988105140dd

thanks a lot Marios for looking into this and organizing activities

do I understand correctly that our most immediate responsibility is to
go through the list of commits in [5] and compare what is actually in
the git repos with what was proposed in gerrit?

I don't think we need to worry that it was 'one of our accounts' that was compromised, at least I expect we would have known by now if there was any indication that this is the case.

The main concern is if the compromised admin account made any commits at all. So the immediate check is to make sure that all those commits were in fact merged by 'one of us' and not by any unknown account. For example, with the compromised account they may have updated a review and merged it without us noticing. Unlikely, I know, especially since we are quite an active project, but I think it is better we make sure.

Of course I may be wrong in my assessment here, in which case I fully expect that you will let me know! I mean there is nothing wrong with doing what you suggested, but I don't know if there is a need to go that far in this case. Verifying the person(s) that +2 and +A the review should be enough for now, making sure we don't have any rogue merges.

thanks ;)

marios

--
Giulio Fidente
GPG KEY: 08D733BA
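The check Marios describes above (confirm that the +2, the +A and the actual submit on every merged change came from known accounts, and that nothing landed in git that Gerrit has no change for) can be scripted against Gerrit's REST API rather than clicked through review by review. The following is an added example written for this thread; it is not the project's own tooling and was not posted by anyone on the list. It assumes the JSON shape returned by Gerrit's GET /changes/ endpoint with o=DETAILED_LABELS and o=CURRENT_REVISION, a hypothetical set of trusted account ids (on OpenDev the CI account that performs the submit, Zuul, must be in that set or every change is flagged), and constructed sample data in place of a live query against review.opendev.org.

```python
import json

# Hypothetical core-reviewer account ids (assumption: replace with the
# project's real Gerrit account ids, including the CI/Zuul account that
# actually submits changes, before using this against a live server).
TRUSTED_ACCOUNT_IDS = {1001, 1002, 1003}


def strip_xssi_prefix(body: str) -> str:
    """Gerrit prefixes every JSON response with )]}' to defeat XSSI; drop it."""
    prefix = ")]}'"
    if body.startswith(prefix):
        body = body[len(prefix):]
    return body.lstrip()


def load_changes(body: str) -> list:
    """Parse the JSON array of ChangeInfo objects from a Gerrit /changes/ response."""
    return json.loads(strip_xssi_prefix(body))


def voters(change: dict, label: str, min_value: int) -> set:
    """Account ids that voted >= min_value on the label (needs o=DETAILED_LABELS).
    Gerrit lists reviewers with no vote as value 0, so they are filtered out."""
    votes = change.get("labels", {}).get(label, {}).get("all", [])
    return {v["_account_id"] for v in votes if v.get("value", 0) >= min_value}


def audit_change(change: dict, trusted: set = TRUSTED_ACCOUNT_IDS) -> list:
    """Return findings for one merged change; an empty list means it looks legitimate."""
    findings = []
    plus2 = voters(change, "Code-Review", 2)
    workflow = voters(change, "Workflow", 1)   # +A in OpenStack's Gerrit is Workflow +1
    submitter = change.get("submitter", {}).get("_account_id")

    if not plus2:
        findings.append("merged without any Code-Review +2")
    elif not plus2 & trusted:
        findings.append(f"Code-Review +2 only from untrusted accounts {sorted(plus2 - trusted)}")

    if not workflow:
        findings.append("merged without Workflow +1")
    elif not workflow & trusted:
        findings.append(f"Workflow +1 only from untrusted accounts {sorted(workflow - trusted)}")

    if submitter is None:
        findings.append("no submitter recorded")
    elif submitter not in trusted:
        findings.append(f"submitted by untrusted account {submitter}")
    return findings


def audit(body: str, trusted: set = TRUSTED_ACCOUNT_IDS) -> dict:
    """Map change number -> findings for every change in the response."""
    return {c["_number"]: audit_change(c, trusted) for c in load_changes(body)}


def compare_with_git(body: str, git_hashes) -> dict:
    """Cross-check Gerrit's merged revisions (needs o=CURRENT_REVISION) against
    `git log --format=%H` output for the same window: a commit in git with no
    Gerrit change behind it would be a push that bypassed review entirely."""
    gerrit = {c["current_revision"] for c in load_changes(body)}
    git = set(git_hashes)
    return {"in_git_not_gerrit": sorted(git - gerrit),
            "in_gerrit_not_git": sorted(gerrit - git)}


# Constructed sample (not real opendev data), in the shape of
# GET /changes/?q=status:merged+project:openstack/tripleo-common+after:2020-10-01
#               &o=DETAILED_LABELS&o=CURRENT_REVISION
SAMPLE_RESPONSE = """)]}'
[
  {"_number": 7001, "project": "openstack/tripleo-common", "status": "MERGED",
   "current_revision": "aaaa0001",
   "submitter": {"_account_id": 1002},
   "labels": {"Code-Review": {"all": [{"_account_id": 1001, "value": 2},
                                      {"_account_id": 1003, "value": 2}]},
              "Workflow": {"all": [{"_account_id": 1002, "value": 1}]}}},
  {"_number": 7002, "project": "openstack/tripleo-common", "status": "MERGED",
   "current_revision": "aaaa0002",
   "submitter": {"_account_id": 9999},
   "labels": {"Code-Review": {"all": [{"_account_id": 1001, "value": 2}]},
              "Workflow": {"all": [{"_account_id": 9999, "value": 1}]}}},
  {"_number": 7003, "project": "openstack/tripleo-common", "status": "MERGED",
   "current_revision": "aaaa0003",
   "submitter": {"_account_id": 9999},
   "labels": {"Code-Review": {"all": []}, "Workflow": {"all": []}}}
]
"""

# Constructed stand-in for `git log --format=%H` over the audited window.
SAMPLE_GIT_LOG = ["aaaa0001", "aaaa0002", "aaaa0003", "ffff0009"]

if __name__ == "__main__":
    for number, findings in sorted(audit(SAMPLE_RESPONSE).items()):
        print(number, "CHECKED" if not findings else "; ".join(findings))
    print(compare_with_git(SAMPLE_RESPONSE, SAMPLE_GIT_LOG))
```

In the sample, 7001 passes, 7002 is flagged because the Workflow +1 and the submit came from an account outside the trusted set, 7003 is flagged because it was merged with no votes at all (what a compromised admin with Submit permission could do), and the git cross-check surfaces one commit that no Gerrit change accounts for. Anything flagged still needs a human to look at the review itself; a clean result only says the recorded approvals came from expected accounts, not that those accounts were not themselves compromised.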