On Wednesday, October 21, 2020, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2020-10-21 15:02:54 +0300 (+0300), Marios Andreou wrote:
[...]
> I don't think we need to worry that it was 'one of our accounts'
> that was compromised, at least I expect we would have known by now
> if there was any indication that this is the case.
>
> The main concern is if the compromised admin account made any
> commits at all. So the immediate check is to make sure that all
> those commits were in fact merged by 'one of us' and not by any
> unknown account.
[...]

Not quite. The main concern is that the attacker had access (via an
account in Gerrit's Administrators group) to add their own SSH key
or view/add/change the REST API key for any user of the service, so
could in theory have proposed a change masquerading as a regular
member of your team, +2'd it as another member of your team, and
approved it as yet a third member of your team, without necessarily
raising suspicion. While we consider this unlikely, it was entirely
possible for the first few weeks of this month.

Per my other reply on this thread, we already checked that every
commit corresponds to a change in Gerrit, so it should be sufficient
to just skim the last few weeks' changes and make sure you remember
reviewing/approving them.

I see... hm, potentially much more malicious than I thought then. Thanks for the clarification - I've mainly been checking that the merges were from known tripleo cores.

Rather, it should be that each core checks the reviews merged by their account ID and makes sure each corresponds to a valid +A that they (possibly) recall doing.

I think we should be mostly done for tripleo... my original list at https://gist.github.com/marios/d1b774c827769373b67d3988105140dd contains duplicates, as I found so far, and I know a number of folks have jumped in and started checking today. Thanks to everyone for doing that.

Thanks again, Jeremy, for clarifying what we should focus on.


--
Jeremy Stanley


--
_sent from my mobile - sorry for spacing spelling etc_
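The two checks discussed in this thread (Jeremy's "every commit corresponds to a Gerrit change" and Marios's "each core reviews the +A votes under their own account ID") can be scripted against Gerrit's REST output. The script below is an added example, not something from this thread or from the OpenDev/tripleo tooling. It runs over a constructed sample shaped like a Gerrit `GET /changes/?q=...&o=DETAILED_LABELS&o=CURRENT_REVISION` response; the account IDs, names, change numbers, subjects and SHAs are invented, the `review.opendev.org` URL and the branch SHA list are assumed inputs, and the use of `Workflow +1` as the approval vote is the OpenDev label convention, not a Gerrit default.

```python
"""Build a per-core audit list and reconcile branch commits with Gerrit changes.

Input is a CONSTRUCTED sample of Gerrit REST JSON (not real tripleo data). A real
run would fetch something like
  GET https://review.opendev.org/changes/?q=<query>&o=DETAILED_LABELS&o=CURRENT_REVISION
and take branch SHAs from `git rev-list --no-merges <since>..HEAD`; both assumed.
"""
import json
from collections import defaultdict

# Gerrit prepends this to every REST JSON body as an anti-JSON-hijacking guard;
# json.loads() fails unless it is removed first.
GERRIT_MAGIC_PREFIX = ")]}'"

# OpenDev convention (assumption about this deployment): Workflow +1 is the +A,
# Code-Review +2 is a core review. Other Gerrit sites use other label names.
APPROVAL = ("Workflow", 1)
CORE_REVIEW = ("Code-Review", 2)

# Constructed SHAs; the fourth one is deliberately absent from any change record.
SHA_101 = "3f1a2b4c5d6e7f8091a2b3c4d5e6f708192a3b4c"
SHA_102 = "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d"
SHA_103 = "5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d7c6b"
SHA_UNREVIEWED = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

# Constructed change records with invented accounts (1001 alice, 1002 bob, ...).
SAMPLE_RESPONSE = GERRIT_MAGIC_PREFIX + "\n" + json.dumps([
    {"_number": 101, "subject": "Fix typo in README", "status": "MERGED",
     "owner": {"_account_id": 1001, "name": "alice"}, "current_revision": SHA_101,
     "labels": {"Code-Review": {"all": [{"_account_id": 1002, "value": 2},
                                        {"_account_id": 1003, "value": 2}]},
                "Workflow": {"all": [{"_account_id": 1002, "value": 1}]}}},
    {"_number": 102, "subject": "Bump requirements", "status": "MERGED",
     "owner": {"_account_id": 1002, "name": "bob"}, "current_revision": SHA_102,
     "labels": {"Code-Review": {"all": [{"_account_id": 1002, "value": 2}]},
                "Workflow": {"all": [{"_account_id": 1002, "value": 1}]}}},
    {"_number": 103, "subject": "Add unit test", "status": "MERGED",
     "owner": {"_account_id": 1004, "name": "dave"}, "current_revision": SHA_103,
     "labels": {"Code-Review": {"all": [{"_account_id": 1003, "value": 2},
                                        {"_account_id": 1001, "value": 2}]},
                "Workflow": {"all": [{"_account_id": 1003, "value": 1}]}}},
])
# Constructed stand-in for `git rev-list --no-merges` output on the branch.
SAMPLE_BRANCH_SHAS = [SHA_101, SHA_UNREVIEWED, SHA_102, SHA_103]


def parse_gerrit_json(body):
    """Strip the )]}' prefix (if present) and decode the JSON payload."""
    if body.startswith(GERRIT_MAGIC_PREFIX):
        body = body[len(GERRIT_MAGIC_PREFIX):]
    return json.loads(body)


def voters(change, label, value):
    """Account IDs whose recorded vote on `label` equals `value`."""
    entries = change.get("labels", {}).get(label, {}).get("all", [])
    return {v["_account_id"] for v in entries if v.get("value") == value}


def worklist_by_approver(changes):
    """Map approver account ID -> [(change number, subject), ...] over merged changes.

    Keyed by the numeric ID rather than the display name: an account in the
    Administrators group can rename users, the ID is what stays stable."""
    work = defaultdict(list)
    for ch in changes:
        if ch.get("status") != "MERGED":
            continue
        for acct in sorted(voters(ch, *APPROVAL)):
            work[acct].append((ch["_number"], ch["subject"]))
    return dict(work)


def unmatched_commits(changes, branch_shas):
    """Branch commits that no merged change's current revision accounts for.

    Anything listed here reached the branch without a corresponding review."""
    known = {ch["current_revision"] for ch in changes if ch.get("status") == "MERGED"}
    return sorted(set(branch_shas) - known)


def flag_thin_trail(changes):
    """Merged changes with a thin review trail: owner gave the +A, or fewer than two
    distinct +2s. A fully forged trail using three hijacked accounts passes this
    filter, which is why each core's own recall is the real check."""
    flagged = []
    for ch in changes:
        if ch.get("status") != "MERGED":
            continue
        reasons = []
        if ch["owner"]["_account_id"] in voters(ch, *APPROVAL):
            reasons.append("owner approved own change")
        if len(voters(ch, *CORE_REVIEW)) < 2:
            reasons.append("fewer than two +2 votes")
        if reasons:
            flagged.append((ch["_number"], reasons))
    return flagged


def audit(response_body=SAMPLE_RESPONSE, branch_shas=SAMPLE_BRANCH_SHAS):
    """Run all three checks and return their results keyed by name."""
    changes = parse_gerrit_json(response_body)
    return {"worklist": worklist_by_approver(changes),
            "unmatched": unmatched_commits(changes, branch_shas),
            "flagged": flag_thin_trail(changes)}


if __name__ == "__main__":
    result = audit()
    for acct, items in result["worklist"].items():
        print(f"account {acct}: confirm you remember approving {items}")
    print("commits with no Gerrit change:", result["unmatched"])
    print("thin review trails:", result["flagged"])
```

The worklist is the part each core actually has to read: it cannot be automated away, because a forged trail built from three hijacked accounts looks exactly like a normal review in the data. The unmatched-commit list is the mechanical half of the check and should come back empty; the thin-trail list only narrows where to look first.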