[oslo][core] gerrit breach and auditing all oslo deliverables [1] since Oct 01
Hello,
Like every team, we are also concerned by the gerrit breach and must take a look at our changes during this time frame on all our deliverables [1].
The list of deliverables owned by Oslo is very large; we need a methodical approach and also external help to check all these repositories.
Fortunately Oslo was in feature freeze during most of this period, so I think it will reduce the scope of our investigation to our master branches.
Due to the criticality of the problem I propose the following action plan:
- first, split our deliverables into groups and assign volunteers to them;
- second, focus on changes against our scripts, executable files and CI config;
- third, inspect documentation;
- fourth, inspect other kinds of changes that I missed in the previous points.
I wrote a script [2][3] to help the release team extract relevant changes (*.py, *.sh); everything else (*.yaml, *.rst) has been ignored for now. We could adapt this script to lead our investigation.
Example of script usage against our openstack/oslo.messaging repos:
```
$ cd oslo.messaging
$ curl https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh | sh
```
Are you interested in following this action plan?
Ben, as you are the security liaison, are you interested in coordinating these groups/actions?
Otherwise, any volunteers?
Feel free to propose another approach or to propose changes to this one.
Please double-check your account activity [4] and make sure nothing is off.
Special congrats to Julia Kreger for her excellent job [5].
Thank you in advance for your help,
[1] https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables and https://governance.openstack.org/tc/reference/projects/release-management.html
[2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
[3] https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
[4] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
[5] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
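The gist script itself is not reproduced in the thread. What follows is an added example, not Hervé's check.sh and not Oslo project code, of the first-pass filter the plan describes: list every non-merge commit on the branch since the breach window opened, keep only the files a reviewer should read first (Python, shell, packaging and CI config), and flag any file that gained the executable bit. The path patterns, the SINCE and BRANCH defaults, and the throwaway repository build_sample_repo() creates for the offline demo are assumptions. Save it to a file and read it before running it, rather than piping it from curl into sh as in the usage line above: a checkout-integrity audit is the wrong moment to execute unreviewed remote code.

```shell
#!/bin/sh
# Added example (not the gist script from the thread): first-pass filter for
# a post-breach audit of a git checkout. Defaults and path patterns are
# assumptions; build_sample_repo() creates a constructed history for the demo.
set -eu

SINCE="${SINCE:-2020-10-01}"   # start of the window to audit (assumed)
BRANCH="${BRANCH:-master}"     # branch to audit (Oslo was in feature freeze)

# File classes to read first: code, scripts, packaging and CI/tooling config.
# Docs and release notes are the later pass of the plan.
is_priority_path() {
  case "$1" in
    releasenotes/*) return 1 ;;
    *.py|*.sh|tox.ini|setup.cfg|setup.py|bindep.txt|*requirements*.txt) return 0 ;;
    .zuul.yaml|zuul.d/*|.pre-commit-config.yaml) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "<sha> <status> <path>[ MODE+x]" for every priority file touched by a
# non-merge commit on BRANCH since SINCE. Gerrit lands each change as its own
# non-merge commit, so --no-merges loses nothing and keeps diff-tree output
# single-parent. MODE+x marks a file that is executable now but was not
# before (new executables included), a cheap tell for a planted script.
audit_repo() {
  repo="$1"
  git -C "$repo" log --no-merges --since="$SINCE" --format='%H' "$BRANCH" |
  while read -r sha; do
    # raw diff-tree line: ":<old mode> <new mode> <old blob> <new blob> <status>\t<path>"
    git -C "$repo" diff-tree --root --no-commit-id -r --no-renames "$sha" |
    while read -r old_mode new_mode old_blob new_blob status path; do
      old_mode="${old_mode#:}"
      is_priority_path "$path" || continue
      flag=""
      if [ "$new_mode" = 100755 ] && [ "$old_mode" != 100755 ]; then
        flag=" MODE+x"
      fi
      printf '%s %s %s%s\n' "$sha" "$status" "$path" "$flag"
    done
  done
}

# Helper for the demo: commit the index of $1 with a fixed date $2 and message $3.
sample_commit() {
  GIT_AUTHOR_DATE="$2" GIT_COMMITTER_DATE="$2" \
    git -C "$1" -c commit.gpgsign=false commit -q -m "$3"
}

# Constructed sample history (not a real Oslo repository): one commit before
# the window, then a code change, a commit adding an executable script plus CI
# config, and a docs-only commit inside it. Prints the repository path.
build_sample_repo() {
  repo="$(mktemp -d)"
  export GIT_AUTHOR_NAME=audit GIT_AUTHOR_EMAIL=audit@example.invalid
  export GIT_COMMITTER_NAME=audit GIT_COMMITTER_EMAIL=audit@example.invalid
  git -c init.defaultBranch=master init -q "$repo"
  mkdir -p "$repo/oslo_messaging" "$repo/tools" "$repo/doc/source"
  echo 'VERSION = "1"' > "$repo/oslo_messaging/__init__.py"
  git -C "$repo" add -A && sample_commit "$repo" 2020-09-15T10:00:00 "before window"
  echo 'VERSION = "2"' > "$repo/oslo_messaging/__init__.py"
  git -C "$repo" add -A && sample_commit "$repo" 2020-10-05T10:00:00 "code change"
  printf '#!/bin/sh\necho build\n' > "$repo/tools/build.sh"
  chmod +x "$repo/tools/build.sh"
  echo '- job: {name: sample}' > "$repo/.zuul.yaml"
  git -C "$repo" add -A && sample_commit "$repo" 2020-10-10T10:00:00 "executable and CI config"
  echo 'Docs' > "$repo/doc/source/index.rst"
  git -C "$repo" add -A && sample_commit "$repo" 2020-10-12T10:00:00 "docs only"
  echo "$repo"
}

# Usage: sh audit.sh /path/to/checkout   (no argument runs the offline demo)
if [ $# -gt 0 ]; then
  audit_repo "$1"
else
  demo="$(build_sample_repo)"
  audit_repo "$demo"
  rm -rf "$demo"
fi
```

Point it at a real checkout with `sh audit.sh /path/to/oslo.messaging` (override SINCE and BRANCH as needed) and read each listed commit with `git show <sha> -- <path>`. A MODE+x marker or a hit under zuul.d/, .zuul.yaml or tox.ini deserves the closest look, since that content runs in CI with no human in the loop.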
Here is an etherpad to coordinate us and help us track our audit.
This etherpad identifies all the gerrit diffs owned by Oslo.
Please put your name on the line of the project you decide to take, and strike it through when that project is audited.
https://etherpad.opendev.org/p/oslo-gerrit-breach-audit
It will help us measure our progress.
Thank you in advance for your help,
-- Hervé Beraud, Senior Software Engineer, Red Hat - Openstack Oslo, irc: hberaud
On 10/21/20 10:47 AM, Herve Beraud wrote:
Here is an etherpad to coordinate us and to help us to track our audit.
This etherpad identifies all gerrit-diff owned by oslo.
Please put your name on the line of the project you decide to take, and strike it through when that project is audited.
Thanks for doing that! I took a look at a few projects and they all looked good. It shouldn't take too long to knock this out if everyone checks a handful of projects.
I looked at a few, starting at the bottom, and at repos I am familiar with. Everything looked fine in those.
Michael
Thanks everybody for your help :)
Hi,
I've done a pass on the remaining diffs; nothing suspicious.
I think we can go ahead with the next step.
*SEBASTIEN BOYRON* TECHNICAL ACCOUNT MANAGER Partnering with you to help achieve your business goals. Red Hat Global Customer Success
+33645408878 sboyron@redhat.com
To summarize the result of our audit, ALL the changes merged during this period (code, doc, everything...) on ALL the repos that we own have been checked and everything seems OK.
Thanks everybody for joining this audit!
participants (4): Ben Nemec, Herve Beraud, Michael Johnson, Sebastien Boyron