[oslo][core] gerrit breach and auditing all oslo deliverables [1] since Oct 01

Michael Johnson johnsomor at gmail.com
Wed Oct 21 17:22:03 UTC 2020 

I looked at a few starting and the bottom and repos I am familiar
with. Everything looked fine in those.

Michael

On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec <openstack at nemebean.com> wrote:
>
>
>
> On 10/21/20 10:47 AM, Herve Beraud wrote:
> > Here is an etherpad to coordinate us and to help us to track our audit.
> >
> > This etherpad identifies all gerrit-diff owned by oslo.
> >
> > Please put your name on the line that you decide to assign to you and
> > strike her when the corresponding project is audited.
> >
> > https://etherpad.opendev.org/p/oslo-gerrit-breach-audit
>
> Thanks for doing that! I took a look at a few projects and they all
> looked good. It shouldn't take too long to knock this out if everyone
> checks a handful of projects.
>
> >
> > It can help to measure our advancement.
> >
> > Thank you in advance for your help,
> >
> > Le mer. 21 oct. 2020 à 12:00, Herve Beraud <hberaud at redhat.com
> > <mailto:hberaud at redhat.com>> a écrit :
> >
> >     Hello,
> >
> >     As every team we are also concerned by the gerrit breach and we must
> >     take a look at our changes during this time frame on all our
> >     deliverables [1].
> >
> >     The list of deliverables owned by Oslo is very huge, we need a
> >     methodical approach and also external help to check all these
> >     repositories.
> >
> >     Fortunately oslo was in feature freeze during the majority of this
> >     period so I think it will reduce the scope of our investigation to
> >     our master branches.
> >
> >     Due to the criticality of the problem I propose the following action
> >     plan:
> >     - first, split our deliverables in group and assign volunteer on them
> >     - second, focus us on changes against our scripts, executable files
> >     and CI config;
> >     - third, inspect documentation;
> >     - fourth, inspect other kinds of changes that I missed in previous
> >     points.
> >
> >     I wrote a script [2][3] to help the release team to extract relevant
> >     changes (*.py, *.sh), all the rest (*.yaml, *.rst) have been ignored
> >     for now, we could adapt this script to lead our investigation.
> >
> >     Example of script usage against our openstack/oslo.messaging repos:
> >     ```
> >     $ cd oslo.messaging
> >     $ curl
> >     https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
> >     | sh
> >     ```
> >
> >     Are you interested to follow this action plan?
> >
> >     Ben as you are the security liaison are you interested in
> >     coordinating these groups/actions?
> >
> >     Else any volunteer?
> >
> >     Feel free to propose another approach or to propose changes on this one.
> >
> >     Please ensure to double check your account activity [4] and make
> >     sure nothing is off.
> >
> >     Special congrats to Julia Kreger and for her excellent job [5].
> >
> >     Thank you in advance for your help,
> >
> >     [1]
> >     https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables
> >     <https://governance.openstack.org/tc/reference/projects/release-management.html>
> >     [2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
> >     [3]
> >     https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
> >     [4]
> >     http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
> >     [5]
> >     http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
> >
> >     --
> >     Hervé Beraud
> >     Senior Software Engineer
> >     Red Hat - Openstack Oslo
> >     irc: hberaud
> >     -----BEGIN PGP SIGNATURE-----
> >
> >     wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+
> >     Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+
> >     RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP
> >     F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G
> >     5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g
> >     glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw
> >     m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ
> >     hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0
> >     qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y
> >     F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3
> >     B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O
> >     v6rDpkeNksZ9fFSyoY2o
> >     =ECSj
> >     -----END PGP SIGNATURE-----
> >
> >
> >
> > --
> > Hervé Beraud
> > Senior Software Engineer
> > Red Hat - Openstack Oslo
> > irc: hberaud
> > -----BEGIN PGP SIGNATURE-----
> >
> > wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+
> > Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+
> > RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP
> > F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G
> > 5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g
> > glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw
> > m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ
> > hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0
> > qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y
> > F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3
> > B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O
> > v6rDpkeNksZ9fFSyoY2o
> > =ECSj
> > -----END PGP SIGNATURE-----
> >
>

More information about the openstack-discuss mailing list