To summarize the result of our audit, ALL the changes merged during this period (code, doc, everything...) on ALL the repos that we own have been checked and everything seems OK.

Thanks everybody for joining this audit!

On Thu, Oct 22, 2020 at 08:44, Sebastien Boyron <sboyron@redhat.com> wrote:
Hi, 

I've done a pass on the remaining diff, nothing suspicious. 

I think we can go ahead with the next step.

SEBASTIEN BOYRON
TECHNICAL ACCOUNT MANAGER

On Thu, Oct 22, 2020 at 8:20 AM Herve Beraud <hberaud@redhat.com> wrote:
Thanks everybody for your help :)

On Wed, Oct 21, 2020 at 19:22, Michael Johnson <johnsomor@gmail.com> wrote:
I looked at a few starting at the bottom and repos I am familiar
with. Everything looked fine in those.

Michael

On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec <openstack@nemebean.com> wrote:
>
>
>
> On 10/21/20 10:47 AM, Herve Beraud wrote:
> > Here is an etherpad to coordinate us and to help us to track our audit.
> >
> > This etherpad identifies all gerrit-diff owned by oslo.
> >
> > Please put your name on the line that you decide to assign to you and
> > strike it when the corresponding project is audited.
> >
> > https://etherpad.opendev.org/p/oslo-gerrit-breach-audit
>
> Thanks for doing that! I took a look at a few projects and they all
> looked good. It shouldn't take too long to knock this out if everyone
> checks a handful of projects.
>
> >
> > It can help to measure our advancement.
> >
> > Thank you in advance for your help,
> >
> > On Wed, Oct 21, 2020 at 12:00, Herve Beraud <hberaud@redhat.com
> > <mailto:hberaud@redhat.com>> wrote:
> >
> >     Hello,
> >
> >     As every team we are also concerned by the gerrit breach and we must
> >     take a look at our changes during this time frame on all our
> >     deliverables [1].
> >
> >     The list of deliverables owned by Oslo is very huge, we need a
> >     methodical approach and also external help to check all these
> >     repositories.
> >
> >     Fortunately oslo was in feature freeze during the majority of this
> >     period so I think it will reduce the scope of our investigation to
> >     our master branches.
> >
> >     Due to the criticality of the problem I propose the following action
> >     plan:
> >     - first, split our deliverables into groups and assign volunteers to them;
> >     - second, focus on changes against our scripts, executable files
> >     and CI config;
> >     - third, inspect documentation;
> >     - fourth, inspect other kinds of changes that I missed in previous
> >     points.
> >
> >     I wrote a script [2][3] to help the release team to extract relevant
> >     changes (*.py, *.sh), all the rest (*.yaml, *.rst) have been ignored
> >     for now, we could adapt this script to lead our investigation.
> >
> >     Example of script usage against our openstack/oslo.messaging repos:
> >     ```
> >     $ cd oslo.messaging
> >     $ curl https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh | sh
> >     ```
> >
> >     Are you interested to follow this action plan?
> >
> >     Ben as you are the security liaison are you interested in
> >     coordinating these groups/actions?
> >
> >     Else any volunteer?
> >
> >     Feel free to propose another approach or to propose changes on this one.
> >
> >     Please ensure to double check your account activity [4] and make
> >     sure nothing is off.
> >
> >     Special congrats to Julia Kreger and for her excellent job [5].
> >
> >     Thank you in advance for your help,
> >
> >     [1]
> >     https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables
> >     <https://governance.openstack.org/tc/reference/projects/release-management.html>
> >     [2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
> >     [3]
> >     https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
> >     [4]
> >     http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
> >     [5]
> >     http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
> >
> >     --
> >     Hervé Beraud
> >     Senior Software Engineer
> >     Red Hat - Openstack Oslo
> >     irc: hberaud
> >
> >
> >
> > --
> > Hervé Beraud
> > Senior Software Engineer
> > Red Hat - Openstack Oslo
> > irc: hberaud
> >
>



--
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud



--
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
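
Added example, not part of the original thread and not the check.sh gist it links: one way to sort the changes in an audit window into the order of the action plan quoted above (scripts, executable files and CI config first, then documentation, then the rest). It goes beyond the *.py/*.sh filter by also reading file modes from `git log --raw`, so a file that became executable is reviewed first; the CI file names, the sample log and the function names are assumptions made for this example.

```python
import re

# One `git log --raw` entry:
# ":<old mode> <new mode> <old sha> <new sha> <status>[score]\t<path>[\t<new path>]"
RAW = re.compile(r"^:(\d{6}) (\d{6}) \S+ \S+ ([A-Z])\d*\t(.+)$")
SCRIPT_SUFFIXES = (".py", ".sh")        # the extensions named in the thread
CI_FILES = {".zuul.yaml", "tox.ini"}    # assumption: typical CI entry points

# Constructed sample, shaped like the output of
#   git log --raw --format='commit %h' --since=<window start> --until=<window end>
SAMPLE_LOG = "\n".join([
    "commit aaa1111",
    ":100644 100644 1a1a1a1 2b2b2b2 M\toslo_example/driver.py",
    ":100644 100755 3c3c3c3 3c3c3c3 M\ttools/helper",
    "commit bbb2222",
    ":000000 100644 0000000 4d4d4d4 A\tdoc/source/conf.py",
    ":100644 100644 5e5e5e5 5e5e5e5 R100\tREADME.txt\tREADME.rst",
    "commit ccc3333",
    ":100644 100644 6f6f6f6 7a7a7a7 M\t.zuul.yaml",
    ":100644 100644 8b8b8b8 9c9c9c9 M\trequirements.txt",
])

def classify(path, new_mode):
    """Map a changed file to the action-plan step (2, 3 or 4) that reviews it."""
    if path.endswith(SCRIPT_SUFFIXES) or new_mode == "100755":
        return 2                        # scripts and executable files
    if path in CI_FILES or path.startswith("zuul.d/"):
        return 2                        # CI config (assumed names)
    if path.endswith(".rst") or path.startswith("doc/"):
        return 3                        # documentation
    return 4                            # everything else

def triage(log_text):
    """Return {step: [(commit, path, note), ...]} for every changed file."""
    steps = {2: [], 3: [], 4: []}
    commit = None
    for line in log_text.splitlines():
        m = RAW.match(line)
        if line.startswith("commit "):
            commit = line.split()[1]
        elif m:
            old_mode, new_mode, status, paths = m.groups()
            path = paths.split("\t")[-1]    # renames list the old path, then the new
            gained_x = new_mode == "100755" and old_mode != "100755"
            note = status + (" +x" if gained_x else "")
            steps[classify(path, new_mode)].append((commit, path, note))
    return steps
```

Note that `doc/source/conf.py` lands in step 2 rather than with the documentation: it is Python that runs at doc build time.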