[oslo][core] gerrit breach and auditing all oslo deliverables [1] since Oct 01
Herve Beraud
hberaud at redhat.com
Thu Oct 22 06:12:30 UTC 2020
Thanks everybody for your help :)
On Wed, Oct 21, 2020 at 19:22, Michael Johnson <johnsomor at gmail.com>
wrote:
> I looked at a few starting at the bottom and repos I am familiar
> with. Everything looked fine in those.
>
> Michael
>
> On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec <openstack at nemebean.com> wrote:
> >
> >
> >
> > On 10/21/20 10:47 AM, Herve Beraud wrote:
> > > Here is an etherpad to coordinate us and to help us to track our audit.
> > >
> > > This etherpad identifies all gerrit-diff owned by oslo.
> > >
> > > Please put your name on the line that you decide to assign to yourself and
> > > strike it out when the corresponding project is audited.
> > >
> > > https://etherpad.opendev.org/p/oslo-gerrit-breach-audit
> >
> > Thanks for doing that! I took a look at a few projects and they all
> > looked good. It shouldn't take too long to knock this out if everyone
> > checks a handful of projects.
> >
> > >
> > > It can help to measure our advancement.
> > >
> > > Thank you in advance for your help,
> > >
> > > On Wed, Oct 21, 2020 at 12:00, Herve Beraud <hberaud at redhat.com>
> > > wrote:
> > >
> > > Hello,
> > >
> > > As every team we are also concerned by the gerrit breach and we must
> > > take a look at our changes during this time frame on all our
> > > deliverables [1].
> > >
> > > The list of deliverables owned by Oslo is very huge, we need a
> > > methodical approach and also external help to check all these
> > > repositories.
> > >
> > > Fortunately oslo was in feature freeze during the majority of this
> > > period so I think it will reduce the scope of our investigation to
> > > our master branches.
> > >
> > > Due to the criticality of the problem I propose the following action
> > > plan:
> > > - first, split our deliverables into groups and assign volunteers to
> > > them;
> > > - second, focus on changes against our scripts, executable files
> > > and CI config;
> > > - third, inspect documentation;
> > > - fourth, inspect other kinds of changes that I missed in the previous
> > > points.
> > >
> > > I wrote a script [2][3] to help the release team to extract relevant
> > > changes (*.py, *.sh); all the rest (*.yaml, *.rst) has been ignored
> > > for now. We could adapt this script to lead our investigation.
> > >
> > > Example of script usage against our openstack/oslo.messaging repos:
> > > ```
> > > $ cd oslo.messaging
> > > $ curl https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh | sh
> > > ```
> > >
> > > Are you interested in following this action plan?
> > >
> > > Ben as you are the security liaison are you interested in
> > > coordinating these groups/actions?
> > >
> > > Else any volunteer?
> > >
> > > Feel free to propose another approach or to propose changes on
> > > this one.
> > >
> > > Please ensure to double check your account activity [4] and make
> > > sure nothing is off.
> > >
> > > Special congrats to Julia Kreger for her excellent job [5].
> > >
> > > Thank you in advance for your help,
> > >
> > > [1] https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables
> > > <https://governance.openstack.org/tc/reference/projects/release-management.html>
> > > [2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
> > > [3] https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
> > > [4] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
> > > [5] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
> > >
> > > --
> > > Hervé Beraud
> > > Senior Software Engineer
> > > Red Hat - Openstack Oslo
> > > irc: hberaud
--
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
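The triage step of Hervé's action plan above (scripts, executables and CI config first, documentation second, everything else last), as an added example that is not the gist script from the thread: it consumes `git log --since=2020-10-01 --name-status` output and buckets every touched path by tier so auditors start with the riskiest changes. The tier patterns, the sample log and the author addresses are assumptions constructed for this illustration.

```python
"""Triage post-breach git history for an Oslo-style repository audit."""
import re
from collections import defaultdict

# Assumed tiers mirroring the action plan: code/scripts/CI config outrank docs.
TIERS = {
    "code-and-ci": (
        r"\.(py|sh)$",
        r"(^|/)(\.zuul\.yaml|zuul\.yaml|tox\.ini|setup\.cfg|bindep\.txt)$",
        r"^\.zuul\.d/",
    ),
    "docs": (r"\.rst$", r"(^|/)doc/", r"(^|/)releasenotes/"),
}

def classify_path(path):
    """Return the audit tier of a repository path ('other' if no pattern matches)."""
    for tier, patterns in TIERS.items():
        if any(re.search(p, path) for p in patterns):
            return tier
    return "other"

def parse_log(text):
    """Parse `git log --since=<date> --name-status --pretty=format:'commit %H%nauthor %ae'`
    into [{'sha', 'author', 'files': [(status, path), ...]}, ...]."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit "):
            commits.append({"sha": line.split()[1], "author": None, "files": []})
        elif line.startswith("author ") and commits:
            commits[-1]["author"] = line.split(maxsplit=1)[1]
        elif "\t" in line and commits:
            status, path = line.split("\t", 1)
            # renames appear as R<score>\told\tnew; audit the destination path
            commits[-1]["files"].append((status[0], path.split("\t")[-1]))
    return commits

def triage(text):
    """Return {tier: [(short_sha, author, status, path), ...]} for reviewers."""
    out = defaultdict(list)
    for c in parse_log(text):
        for status, path in c["files"]:
            out[classify_path(path)].append((c["sha"][:10], c["author"], status, path))
    return dict(out)

# Constructed sample log (not real oslo.messaging history).
SAMPLE_LOG = """commit 1111111111111111111111111111111111111111
author dev@example.org

M\toslo_messaging/transport.py
M\tdoc/source/index.rst
commit 2222222222222222222222222222222222222222
author ci@example.org

A\t.zuul.yaml
M\treleasenotes/notes/foo.yaml
"""

if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage(sys.stdin.read() or SAMPLE_LOG), indent=2))
```

Run it as `git log --since=2020-10-01 --name-status --pretty=format:'commit %H%nauthor %ae' | python3 triage.py` inside a checkout; paths in the "code-and-ci" bucket are the ones to diff by hand first.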