[cinder] Gerrit breach and commit audit
Brian Rosmaita
rosmaita.fossdev at gmail.com
Wed Oct 21 14:34:50 UTC 2020
tl;dr The cinder deliverables repos look OK. Thanks to jungleboyj and
smcginnis for help in looking them over.
As you may have heard, there was a Gerrit breach in the 1 October to
yesterday time frame. Here's a link to the analysis of the breach:
http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
The infra team has cleared all Gerrit HTTP passwords and removed any ssh
keys that were added after the breach.
If you are super-paranoid, feel free to look over the commits to any of
the cinder deliverables during the time frame of the breach. You can
find them here:
https://static.opendev.org/project/opendev.org/gerrit-diffs/
Like I said, some of us have looked them over and not noticed anything
suspect. What you'd be looking for is that an approval you've made or
your +2 vote on an approved patch may have been put there by someone
other than you. So if you see your +2 or +W on a patch that you have no
memory of actually looking at, that would be considered suspicious
activity. (On many levels.) If you notice such a situation, please
notify us immediately.
cheers,
brian
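An added example (not part of the original mail, and not a tool from the OpenDev infra or cinder teams) of the check the mail describes: list every Code-Review +2 and Workflow +1 that a given account appears to have cast during the breach window, so the reviewer can confirm each one against their own memory. It assumes review data in the shape Gerrit's REST API returns with `o=DETAILED_LABELS` (each label's `all` list holds ApprovalInfo entries with `email`, `value` and `date`); the window end date and the sample changes below are constructed for illustration and are not real cinder reviews.

```python
"""Flag Gerrit approvals cast by a given account inside a suspect window.

Added example, not from the original mail or the OpenDev infra team.
Assumes change data shaped like Gerrit's REST output with DETAILED_LABELS:
ChangeInfo.labels.<label>.all -> [{"email", "value", "date", ...}].
"""
from datetime import datetime, timezone

# Breach window: 1 October 2020 up to the day the mail was written.
# The exact end bound is an assumption for this example.
WINDOW_START = datetime(2020, 10, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 10, 21, tzinfo=timezone.utc)

# What counts as an approval in OpenStack's Gerrit: Code-Review +2 and
# Workflow +1 (the "+W" the mail refers to).
APPROVAL_VALUES = {"Code-Review": 2, "Workflow": 1}


def parse_gerrit_date(raw: str) -> datetime:
    """Gerrit timestamps look like '2020-10-05 09:12:00.000000000' (UTC)."""
    date_part = raw.split(".")[0]
    parsed = datetime.strptime(date_part, "%Y-%m-%d %H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def suspect_approvals(changes, reviewer_email, start=WINDOW_START, end=WINDOW_END):
    """Return (change_id, label, value, date) for every approval-level vote
    attributed to reviewer_email that was cast within [start, end).
    Every hit is a vote the reviewer should confirm they actually made."""
    hits = []
    for change in changes:
        for label, info in change.get("labels", {}).items():
            threshold = APPROVAL_VALUES.get(label)
            if threshold is None:
                continue  # Verified, etc. are not human approvals
            for vote in info.get("all", []):
                if vote.get("email") != reviewer_email:
                    continue
                if vote.get("value", 0) < threshold:
                    continue  # +1 / 0 / negative votes are not approvals
                when = parse_gerrit_date(vote["date"])
                if start <= when < end:
                    hits.append((change["change_id"], label, vote["value"], when))
    return hits


# Constructed sample data (hypothetical accounts and change IDs).
SAMPLE_CHANGES = [
    {
        "change_id": "I0000000000000000000000000000000000000001",
        "subject": "Fix hypothetical backend bug",
        "labels": {
            "Code-Review": {"all": [
                {"email": "core1@example.org", "value": 2,
                 "date": "2020-10-05 09:12:00.000000000"},
                {"email": "core2@example.org", "value": 1,
                 "date": "2020-10-05 10:00:00.000000000"},
            ]},
            "Workflow": {"all": [
                {"email": "core1@example.org", "value": 1,
                 "date": "2020-10-05 09:13:00.000000000"},
            ]},
        },
    },
    {
        # Approved before the window: should not be flagged.
        "change_id": "I0000000000000000000000000000000000000002",
        "subject": "Older hypothetical change",
        "labels": {
            "Code-Review": {"all": [
                {"email": "core1@example.org", "value": 2,
                 "date": "2020-09-20 15:30:00.000000000"},
            ]},
        },
    },
    {
        "change_id": "I0000000000000000000000000000000000000003",
        "subject": "Another hypothetical change",
        "labels": {
            "Code-Review": {"all": [
                {"email": "core2@example.org", "value": 2,
                 "date": "2020-10-15 11:45:00.000000000"},
            ]},
        },
    },
]

if __name__ == "__main__":
    for change_id, label, value, when in suspect_approvals(SAMPLE_CHANGES, "core1@example.org"):
        print(f"{when:%Y-%m-%d} {label}+{value} on {change_id}: did you really cast this?")
```

In practice the input would come from a query such as `changes/?q=project:openstack/cinder+after:2020-10-01&o=DETAILED_LABELS` against review.opendev.org (query syntax as documented for Gerrit; not verified against the infra team's exports), and each printed line is a vote to compare against your own recollection, exactly the "no memory of looking at it" test the mail asks for.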