On 10/21/20 10:47 AM, Herve Beraud wrote:

Here is an etherpad to coordinate us and to help us to track our audit.

This etherpad identifies all gerrit-diff owned by oslo.

Please put your name on the line that you decide to assign to you and strike her when the corresponding project is audited.

https://etherpad.opendev.org/p/oslo-gerrit-breach-audit

Thanks for doing that! I took a look at a few projects and they all looked good. It shouldn't take too long to knock this out if everyone checks a handful of projects.

It can help to measure our advancement.

Thank you in advance for your help,

Le mer. 21 oct. 2020 à 12:00, Herve Beraud <hberaud@redhat.com mailto:hberaud@redhat.com> a écrit :

Hello,

As every team we are also concerned by the gerrit breach and we must
take a look at our changes during this time frame on all our
deliverables [1].

The list of deliverables owned by Oslo is very huge, we need a
methodical approach and also external help to check all these
repositories.

Fortunately oslo was in feature freeze during the majority of this
period so I think it will reduce the scope of our investigation to
our master branches.

Due to the criticality of the problem I propose the following action
plan:
- first, split our deliverables in group and assign volunteer on them
- second, focus us on changes against our scripts, executable files
and CI config;
- third, inspect documentation;
- fourth, inspect other kinds of changes that I missed in previous
points.

I wrote a script [2][3] to help the release team to extract relevant
changes (*.py, *.sh), all the rest (*.yaml, *.rst) have been ignored
for now, we could adapt this script to lead our investigation.

Example of script usage against our openstack/oslo.messaging repos:
```
$ cd oslo.messaging
$ curl
https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
| sh
```

Are you interested to follow this action plan?

Ben as you are the security liaison are you interested in
coordinating these groups/actions?

Else any volunteer?

Feel free to propose another approach or to propose changes on this one.

Please ensure to double check your account activity [4] and make
sure nothing is off.

Special congrats to Julia Kreger and for her excellent job [5].

Thank you in advance for your help,

[1]
https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables
<https://governance.openstack.org/tc/reference/projects/release-management.html>
[2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
[3]
https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
[4]
http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
[5]
http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html

-- 
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
-----BEGIN PGP SIGNATURE-----

wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+
Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+
RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP
F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G
5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g
glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw
m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ
hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0
qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y
F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3
B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O
v6rDpkeNksZ9fFSyoY2o
=ECSj
-----END PGP SIGNATURE-----

-- Hervé Beraud Senior Software Engineer Red Hat - Openstack Oslo irc: hberaud -----BEGIN PGP SIGNATURE-----

wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+ Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+ RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G 5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0 qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3 B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O v6rDpkeNksZ9fFSyoY2o =ECSj -----END PGP SIGNATURE-----

Thanks everybody for your help :)

Le mer. 21 oct. 2020 à 19:22, Michael Johnson johnsomor@gmail.com a écrit :

I looked at a few starting and the bottom and repos I am familiar with. Everything looked fine in those.

Michael

On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec openstack@nemebean.com wrote:

...

On 10/21/20 10:47 AM, Herve Beraud wrote:

...

Here is an etherpad to coordinate us and to help us to track our audit.

This etherpad identifies all gerrit-diff owned by oslo.

Please put your name on the line that you decide to assign to you and strike her when the corresponding project is audited.

https://etherpad.opendev.org/p/oslo-gerrit-breach-audit

Thanks for doing that! I took a look at a few projects and they all looked good. It shouldn't take too long to knock this out if everyone checks a handful of projects.

...

It can help to measure our advancement.

Thank you in advance for your help,

Le mer. 21 oct. 2020 à 12:00, Herve Beraud <hberaud@redhat.com mailto:hberaud@redhat.com> a écrit :

Hello,

As every team we are also concerned by the gerrit breach and we

must

...

...

take a look at our changes during this time frame on all our
deliverables [1].

The list of deliverables owned by Oslo is very huge, we need a
methodical approach and also external help to check all these
repositories.

Fortunately oslo was in feature freeze during the majority of this
period so I think it will reduce the scope of our investigation to
our master branches.

Due to the criticality of the problem I propose the following

action

...

...

plan:
- first, split our deliverables in group and assign volunteer on

them

...

...

- second, focus us on changes against our scripts, executable files
and CI config;
- third, inspect documentation;
- fourth, inspect other kinds of changes that I missed in previous
points.

I wrote a script [2][3] to help the release team to extract

relevant

...

...

changes (*.py, *.sh), all the rest (*.yaml, *.rst) have been

ignored

...

...

for now, we could adapt this script to lead our investigation.

Example of script usage against our openstack/oslo.messaging repos:
```
$ cd oslo.messaging
$ curl

https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw...

...

...

| sh
```

Are you interested to follow this action plan?

Ben as you are the security liaison are you interested in
coordinating these groups/actions?

Else any volunteer?

Feel free to propose another approach or to propose changes on

this one.

...

...

Please ensure to double check your account activity [4] and make
sure nothing is off.

Special congrats to Julia Kreger and for her excellent job [5].

Thank you in advance for your help,

[1]

https://governance.openstack.org/tc/reference/projects/oslo.html#deliverable...

...

...

<

https://governance.openstack.org/tc/reference/projects/release-management.ht...

...

...

[2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
[3]

https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw...

...

...

[4]

http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html

...

...

[5]

http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.h...

...

...

--
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
-----BEGIN PGP SIGNATURE-----

wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+
Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+
RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP
F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G
5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g
glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw
m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ
hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0
qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y
F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3
B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O
v6rDpkeNksZ9fFSyoY2o
=ECSj
-----END PGP SIGNATURE-----

-- Hervé Beraud Senior Software Engineer Red Hat - Openstack Oslo irc: hberaud -----BEGIN PGP SIGNATURE-----

wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+ Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+ RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G 5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0 qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3 B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O v6rDpkeNksZ9fFSyoY2o =ECSj -----END PGP SIGNATURE-----

To summarize the result of our audit, ALL the changes merged during this period (code, doc, everything...) on ALL the repos that we own have been checked and everything seems OK.

Thanks everybody for joining this audit!

Le jeu. 22 oct. 2020 à 08:44, Sebastien Boyron sboyron@redhat.com a écrit :

Hi,

I've done a pass on the remaining diff, nothing suspicious.

I think we can go ahead with the next step.

*SEBASTIEN BOYRON* TECHNICAL ACCOUNT MANAGER Partnering with you to help achieve your business goals. Red Hat Global Customer Success

+33645408878 sboyron@redhat.com

On Thu, Oct 22, 2020 at 8:20 AM Herve Beraud hberaud@redhat.com wrote:

...

Thanks everybody for your help :)

Le mer. 21 oct. 2020 à 19:22, Michael Johnson johnsomor@gmail.com a écrit :

...

I looked at a few starting and the bottom and repos I am familiar with. Everything looked fine in those.

Michael

On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec openstack@nemebean.com wrote:

...

On 10/21/20 10:47 AM, Herve Beraud wrote:

...

Here is an etherpad to coordinate us and to help us to track our

audit.

...

...

This etherpad identifies all gerrit-diff owned by oslo.

Please put your name on the line that you decide to assign to you and strike her when the corresponding project is audited.

https://etherpad.opendev.org/p/oslo-gerrit-breach-audit

Thanks for doing that! I took a look at a few projects and they all looked good. It shouldn't take too long to knock this out if everyone checks a handful of projects.

...

It can help to measure our advancement.

Thank you in advance for your help,

Le mer. 21 oct. 2020 à 12:00, Herve Beraud <hberaud@redhat.com mailto:hberaud@redhat.com> a écrit :

Hello,

As every team we are also concerned by the gerrit breach and we

must

...

...

take a look at our changes during this time frame on all our
deliverables [1].

The list of deliverables owned by Oslo is very huge, we need a
methodical approach and also external help to check all these
repositories.

Fortunately oslo was in feature freeze during the majority of

this

...

...

period so I think it will reduce the scope of our investigation

to

...

...

our master branches.

Due to the criticality of the problem I propose the following

action

...

...

plan:
- first, split our deliverables in group and assign volunteer on

them

...

...

- second, focus us on changes against our scripts, executable

files

...

...

and CI config;
- third, inspect documentation;
- fourth, inspect other kinds of changes that I missed in

previous

...

...

points.

I wrote a script [2][3] to help the release team to extract

relevant

...

...

changes (*.py, *.sh), all the rest (*.yaml, *.rst) have been

ignored

...

...

for now, we could adapt this script to lead our investigation.

Example of script usage against our openstack/oslo.messaging

repos:

...

...

```
$ cd oslo.messaging
$ curl

https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw...

...

...

| sh
```

Are you interested to follow this action plan?

Ben as you are the security liaison are you interested in
coordinating these groups/actions?

Else any volunteer?

Feel free to propose another approach or to propose changes on

this one.

...

...

Please ensure to double check your account activity [4] and make
sure nothing is off.

Special congrats to Julia Kreger and for her excellent job [5].

Thank you in advance for your help,

[1]

https://governance.openstack.org/tc/reference/projects/oslo.html#deliverable...

...

...

<

https://governance.openstack.org/tc/reference/projects/release-management.ht...

...

...

[2]

https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033

...

...

[3]

https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw...

...

...

[4]

http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html

...

...

[5]

http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.h...

...

...

--
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
-----BEGIN PGP SIGNATURE-----

wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+
Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+
RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP
F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G
5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g
glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw
m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ
hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0
qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y
F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3
B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O
v6rDpkeNksZ9fFSyoY2o
=ECSj
-----END PGP SIGNATURE-----

-- Hervé Beraud Senior Software Engineer Red Hat - Openstack Oslo irc: hberaud -----BEGIN PGP SIGNATURE-----

wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+ Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+ RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G 5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0 qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3 B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O v6rDpkeNksZ9fFSyoY2o =ECSj -----END PGP SIGNATURE-----

-- Hervé Beraud Senior Software Engineer Red Hat - Openstack Oslo irc: hberaud -----BEGIN PGP SIGNATURE-----

wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+ Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+ RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G 5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0 qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3 B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O v6rDpkeNksZ9fFSyoY2o =ECSj -----END PGP SIGNATURE-----