Hi folks,

as you are undoubtedly aware, gerrit was down yesterday. There was this email to service-announce [1] with more information about what happened (kudos Julia Kreger who sent [2] where I saw that). There is a list of changes [3] since October 1st that we should audit out of precaution and to be responsible and accountable to our community and users.

As you can expect there are a great number of changes. I put a full commit list at [5]. I mined those from [3] - see [4] for info about the 'mining' and even better if someone has time to verify that I didn't miss any repos or commits.

Please I need help from all core reviewers. We need to check that the commits in [5] appear valid and correct - remember the concern is for any changes that may have been merged by a compromised account. I propose that we do this via Gerrit and that we leave a comment - 'CHECKED' - on each review that we check? Hopefully we can cover all of these before the end of the week by distributing our efforts. I am open to other suggestions though if folks feel this is better done via some document/spreadsheet etc.

Of course as stated in [1] it is a good idea for everyone to double check their account activity and make sure nothing is off,

Thank you in advance for your help,

marios

[1] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
[2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
[3] https://static.opendev.org/project/opendev.org/gerrit-diffs/
[4] https://gist.github.com/marios/a44a55998531354dc3d634dddeadf1c0
[5] https://gist.github.com/marios/d1b774c827769373b67d3988105140dd