[cinder] Gerrit breach and commit audit

Brian Rosmaita rosmaita.fossdev at gmail.com
Wed Oct 21 14:34:50 UTC 2020


tl;dr The cinder deliverables repos look OK.  Thanks to jungleboyj and 
smcginnis for help in looking them over.

As you may have heard, there was a Gerrit breach in the 1 October to 
yesterday time frame.  Here's a link to the analysis of the breach:

http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html

The infra team has cleared all Gerrit HTTP passwords and removed any ssh 
keys that were added after the breach.

If you are super-paranoid, feel free to look over the commits to any of 
the cinder deliverables during the time frame of the breach.  You can 
find them here:

https://static.opendev.org/project/opendev.org/gerrit-diffs/

Like I said, some of us have looked them over and not noticed anything 
suspect.  What you'd be looking for is that an approval you've made or 
your +2 vote on an approved patch may have been put there by someone 
other than you.  So if you see your +2 or +W on a patch that you have no 
memory of actually looking at, that would be considered suspicious 
activity.  (On many levels.)  If you notice such a situation, please 
notify us immediately.


cheers,
brian
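
One way to run the check described above, as an added example that is not part of the original mail or of cinder's own tooling: a short Python script that lists every Code-Review +2 and Workflow +1 (the "+W" in the mail) vote a given account cast during the breach window, then narrows that to changes the reviewer does not remember looking at. It assumes change records in the JSON shape Gerrit's REST API returns for `GET /changes/?q=...&o=DETAILED_LABELS` (votes under `labels.<name>.all` with `_account_id`, `value` and `date`); the static gerrit-diffs dump linked above may use a different layout. The sample changes, account ids and the window end (20 October 2020, the "yesterday" of the mail) are constructed for illustration.

```python
"""Audit Gerrit approval votes for one account inside a time window.

Added example, not code from the original mail or from the cinder project.
Assumes Gerrit REST ChangeInfo records with DETAILED_LABELS; sample data is
constructed and does not describe real cinder changes.
"""
import json
from datetime import datetime, timezone

# Breach window stated in the mail: 1 October up to "yesterday" (20 Oct 2020).
WINDOW_START = datetime(2020, 10, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 10, 21, tzinfo=timezone.utc)  # exclusive

# Label/value pairs that grant approval in OpenStack's Gerrit:
# Code-Review +2 and Workflow +1 ("+W").
APPROVAL_VOTES = {"Code-Review": 2, "Workflow": 1}

# Constructed sample in Gerrit ChangeInfo shape (account ids are made up).
SAMPLE_CHANGES_JSON = r'''
[
  {"_number": 100001, "project": "openstack/cinder",
   "subject": "Fix volume retype race", "status": "MERGED",
   "labels": {
     "Code-Review": {"all": [
        {"_account_id": 1001, "value": 2, "date": "2020-10-05 14:02:11.000000000"},
        {"_account_id": 1002, "value": 2, "date": "2020-10-06 09:15:40.000000000"}]},
     "Workflow": {"all": [
        {"_account_id": 1002, "value": 1, "date": "2020-10-06 09:16:02.000000000"}]}}},
  {"_number": 100002, "project": "openstack/os-brick",
   "subject": "Add connector logging", "status": "MERGED",
   "labels": {
     "Code-Review": {"all": [
        {"_account_id": 1001, "value": 2, "date": "2020-10-12 21:44:09.000000000"},
        {"_account_id": 1003, "value": 1, "date": "2020-10-12 10:01:00.000000000"},
        {"_account_id": 1004, "value": 0}]},
     "Workflow": {"all": [
        {"_account_id": 1001, "value": 1, "date": "2020-10-12 21:44:30.000000000"}]}}},
  {"_number": 100003, "project": "openstack/cinder",
   "subject": "Docs: update backup driver table", "status": "MERGED",
   "labels": {
     "Code-Review": {"all": [
        {"_account_id": 1001, "value": 2, "date": "2020-09-28 08:00:00.000000000"}]},
     "Workflow": {"all": [
        {"_account_id": 1002, "value": 1, "date": "2020-09-29 08:00:00.000000000"}]}}}
]
'''


def load_sample():
    """Parse the constructed sample into the list-of-dicts Gerrit would return."""
    return json.loads(SAMPLE_CHANGES_JSON)


def parse_gerrit_date(text):
    """Gerrit timestamps look like '2020-10-05 14:02:11.000000000' and are UTC."""
    return datetime.strptime(text[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_approvals(changes, account_id, start=WINDOW_START, end=WINDOW_END):
    """Return every approving vote cast by account_id inside [start, end).

    Each hit is something the reviewer compares against memory: a +2 or +W
    on a change you never looked at is the suspicious case from the mail.
    """
    hits = []
    for change in changes:
        for label, needed in APPROVAL_VOTES.items():
            for vote in change.get("labels", {}).get(label, {}).get("all", []):
                if vote.get("_account_id") != account_id:
                    continue
                # Zero or negative votes grant nothing; Gerrit omits "date" on them.
                if vote.get("value", 0) < needed or "date" not in vote:
                    continue
                when = parse_gerrit_date(vote["date"])
                if start <= when < end:
                    hits.append({"change": change["_number"], "project": change["project"],
                                 "subject": change["subject"], "label": label,
                                 "value": vote["value"], "date": when.isoformat()})
    hits.sort(key=lambda h: (h["date"], h["change"]))
    return hits


def unrecognized(hits, remembered_changes):
    """Keep only votes on changes the reviewer does not remember reviewing."""
    return [h for h in hits if h["change"] not in remembered_changes]


if __name__ == "__main__":
    hits = find_approvals(load_sample(), account_id=1001)
    for h in hits:
        print(f"{h['date']}  {h['project']} #{h['change']}  "
              f"{h['label']}+{h['value']}  {h['subject']}")
    # Suppose account 1001 remembers reviewing only change 100001:
    for h in unrecognized(hits, {100001}):
        print("CHECK:", h["project"], h["change"], h["label"])
```

Against the real data you would replace `load_sample()` with the changes for each cinder deliverable, pass your own Gerrit account id, and treat every line printed under `CHECK:` as something to report to the infra team rather than explain away.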