[tripleo][core] gerrit breach and auditing all tripleo commits since Oct 01

Marios Andreou marios at redhat.com
Wed Oct 21 12:02:54 UTC 2020


On Wed, Oct 21, 2020 at 2:42 PM Giulio Fidente <gfidente at redhat.com> wrote:

> On 10/21/20 9:15 AM, Marios Andreou wrote:
> > Hi folks,
> >
> > as you are undoubtedly aware, gerrit was down yesterday. There was this
> > email to service-announce [1] with more information about what happened
> > (kudos Julia Kreger who sent [2] where I saw that). There is a list of
> > changes [3] since October 1st that we should audit as a precaution and
> > to be responsible and accountable to our community and users.
> >
> > As you can expect there are a great number of changes. I put a full
> > commit list at [5]. I mined those from [3] - see [4] for info about the
> > 'mining' and even better if someone has time to verify that I didn't
> > miss any repos or commits.
> >
> > Please I need help from all core reviewers. We need to check that the
> > commits in [5] appear valid and correct - remember the concern is for
> > any changes that may have been merged by a compromised account. I
> > propose that we do this via Gerrit and that we leave a comment -
> > 'CHECKED' - on each review that we check? Hopefully we can cover all of
> > these before the end of the week by distributing our efforts. I am open
> > to other suggestions though if folks feel this is better done via some
> > document/spreadsheet etc.
> >
> > Of course, as stated in [1], it is a good idea for everyone to double
> > check their account activity and make sure nothing is off.
> >
> > Thank you in advance for your help,
> >
> > marios
> >
> > [1] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
> > [2] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
> > [3] https://static.opendev.org/project/opendev.org/gerrit-diffs/
> > [4] https://gist.github.com/marios/a44a55998531354dc3d634dddeadf1c0
> > [5] https://gist.github.com/marios/d1b774c827769373b67d3988105140dd
>
> thanks a lot Marios for looking into this and organizing activities
>
> do I understand correctly that our most immediate responsibility is to
> go through the list of commits in [5] and compare what is actually in
> the git repos with what was proposed in gerrit?
>

I don't think we need to worry that it was 'one of our accounts' that was
compromised; at least, I expect we would have known by now if there were any
indication that this is the case.

The main concern is whether the compromised admin account made any commits at
all. So the immediate check is to make sure that all those commits were in
fact merged by 'one of us' and not by any unknown account. For example, with
the compromised account they may have updated a review and merged it
without us noticing. Unlikely, I know, especially since we are quite an
active project, but I think it is better we make sure.

Of course I may be wrong in my assessment here, in which case I fully expect
that you will let me know! I mean, there is nothing wrong with doing what
you suggested, but I don't know if there is a need to go that far in this
case. Verifying the person(s) that +2 and +A the review should be enough
for now, making sure we don't have any rogue merges.

thanks ;)

marios



> --
> Giulio Fidente
> GPG KEY: 08D733BA
>
>
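As an added illustration of the check described in this message (example code, not from the thread or from TripleO itself), the script below audits Gerrit change records for +2/+A votes or merges by accounts outside a known core-reviewer allowlist. It assumes OpenStack's Gerrit label names, Code-Review +2 and Workflow +1 (the "+A"), and the ChangeInfo shape a query with o=DETAILED_LABELS returns; the usernames, projects and allowlist are constructed.

```python
import json

# Constructed allowlist of known core reviewer usernames (hypothetical).
KNOWN_CORES = {"alice", "bob", "carol"}

# Constructed sample mimicking Gerrit REST ChangeInfo records returned with
# o=DETAILED_LABELS: each label vote carries the voter's username and value,
# and "submitter" is the account that merged the change. Names are made up.
SAMPLE_CHANGES = json.loads("""[
 {"_number": 101, "project": "openstack/tripleo-heat-templates",
  "submitter": {"username": "alice"},
  "labels": {"Code-Review": {"all": [{"username": "alice", "value": 2},
                                     {"username": "bob", "value": 2}]},
             "Workflow": {"all": [{"username": "bob", "value": 1}]}}},
 {"_number": 102, "project": "openstack/tripleo-common",
  "submitter": {"username": "mallory"},
  "labels": {"Code-Review": {"all": [{"username": "mallory", "value": 2}]},
             "Workflow": {"all": [{"username": "mallory", "value": 1}]}}}
]""")


def approvers(change, label, minimum):
    """Usernames that voted at least `minimum` on `label`."""
    votes = change.get("labels", {}).get(label, {}).get("all", [])
    return {v["username"] for v in votes if v.get("value", 0) >= minimum}


def audit_change(change, known_cores=KNOWN_CORES):
    """Findings for one merged change (an empty list means it looks clean):
    a +2 or +A (Workflow +1) from outside the allowlist, a submitter from
    outside the allowlist, or a merge that carries no +A at all."""
    findings = []
    plus_two = approvers(change, "Code-Review", 2)
    plus_a = approvers(change, "Workflow", 1)
    submitter = change.get("submitter", {}).get("username")
    for who in sorted((plus_two | plus_a) - known_cores):
        findings.append(f"vote from unknown account {who!r}")
    if submitter not in known_cores:
        findings.append(f"submitted by unknown account {submitter!r}")
    if not plus_a:
        findings.append("merged without any Workflow +1")
    return findings


def audit(changes, known_cores=KNOWN_CORES):
    """Map change number -> findings, for every change that is not clean."""
    report = {}
    for change in changes:
        findings = audit_change(change, known_cores)
        if findings:
            report[change["_number"]] = findings
    return report
```

Running `audit(SAMPLE_CHANGES)` reports only change 102, whose +2, +A and merge all came from the unknown account.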