Hi folks,
as you are undoubtedly aware, gerrit was down yesterday. There was this email to service-announce [1] with more information about what happened (kudos Julia Kreger who sent [2] where I saw that). There is a list of changes [3] since October 1st that we should audit out of precaution and to be responsible and accountable to our community and users.
As you can expect there are a great number of changes. I put a full commit list at [5]. I mined those from [3] - see [4] for info about the 'mining' and even better if someone has time to verify that I didn't miss any repos or commits.
Please I need help from all core reviewers. We need to check that the commits in [5] appear valid and correct - remember the concern is for any changes that may have been merged by a compromised account. I propose that we do this via Gerrit and that we leave a comment - 'CHECKED' - on each review that we check? Hopefully we can cover all of these before the end of the week by distributing our efforts. I am open to other suggestions though if folks feel this is better done via some document/spreadsheet etc.
Of course as stated in [1] it is a good idea for everyone to double check their account activity and make sure nothing is off,