[oslo][core] gerrit breach and auditing all oslo deliverables [1] since Oct 01

Sebastien Boyron sboyron at redhat.com
Thu Oct 22 06:44:20 UTC 2020


Hi,

I've done a pass on the remaining diff, nothing suspicious.

I think we can go ahead with the next step.

*SEBASTIEN BOYRON*
TECHNICAL ACCOUNT MANAGER
Partnering with you to help achieve your business goals.
Red Hat
Global Customer Success

+33645408878
sboyron at redhat.com




On Thu, Oct 22, 2020 at 8:20 AM Herve Beraud <hberaud at redhat.com> wrote:

> Thanks everybody for your help :)
>
> On Wed, Oct 21, 2020 at 7:22 PM, Michael Johnson <johnsomor at gmail.com>
> wrote:
>
>> I looked at a few, starting at the bottom, and repos I am familiar
>> with. Everything looked fine in those.
>>
>> Michael
>>
>> On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec <openstack at nemebean.com> wrote:
>> >
>> >
>> >
>> > On 10/21/20 10:47 AM, Herve Beraud wrote:
>> > > Here is an etherpad to coordinate us and to help us to track our
>> audit.
>> > >
>> > > This etherpad identifies all gerrit-diff owned by oslo.
>> > >
>> > > Please put your name on the line that you decide to assign to yourself and
>> > > strike it out when the corresponding project is audited.
>> > >
>> > > https://etherpad.opendev.org/p/oslo-gerrit-breach-audit
>> >
>> > Thanks for doing that! I took a look at a few projects and they all
>> > looked good. It shouldn't take too long to knock this out if everyone
>> > checks a handful of projects.
>> >
>> > >
>> > > It can help to measure our advancement.
>> > >
>> > > Thank you in advance for your help,
>> > >
>> > > On Wed, Oct 21, 2020 at 12:00 PM, Herve Beraud <hberaud at redhat.com
>> > > <mailto:hberaud at redhat.com>> wrote:
>> > >
>> > >     Hello,
>> > >
>> > >     Like every team, we are also concerned by the gerrit breach and we
>> > >     must take a look at our changes during this time frame on all our
>> > >     deliverables [1].
>> > >
>> > >     The list of deliverables owned by Oslo is very large; we need a
>> > >     methodical approach and also external help to check all these
>> > >     repositories.
>> > >
>> > >     Fortunately oslo was in feature freeze during the majority of this
>> > >     period so I think it will reduce the scope of our investigation to
>> > >     our master branches.
>> > >
>> > >     Due to the criticality of the problem I propose the following action
>> > >     plan:
>> > >     - first, split our deliverables into groups and assign volunteers to
>> > >     them;
>> > >     - second, focus on changes against our scripts, executable files
>> > >     and CI config;
>> > >     - third, inspect documentation;
>> > >     - fourth, inspect other kinds of changes that I missed in the previous
>> > >     points.
>> > >
>> > >     I wrote a script [2][3] to help the release team extract relevant
>> > >     changes (*.py, *.sh); all the rest (*.yaml, *.rst) has been ignored
>> > >     for now. We could adapt this script to lead our investigation.
>> > >
>> > >     Example of script usage against our openstack/oslo.messaging
>> > >     repos:
>> > >     ```
>> > >     $ cd oslo.messaging
>> > >     $ curl https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh | sh
>> > >     ```
>> > >
>> > >     Are you interested in following this action plan?
>> > >
>> > >     Ben as you are the security liaison are you interested in
>> > >     coordinating these groups/actions?
>> > >
>> > >     Else any volunteer?
>> > >
>> > >     Feel free to propose another approach or to propose changes on
>> this one.
>> > >
>> > >     Please make sure to double-check your account activity [4] and make
>> > >     sure nothing is off.
>> > >
>> > >     Special congrats to Julia Kreger for her excellent job [5].
>> > >
>> > >     Thank you in advance for your help,
>> > >
>> > >     [1]
>> > >
>> https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables
>> > >     <
>> https://governance.openstack.org/tc/reference/projects/release-management.html
>> >
>> > >     [2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
>> > >     [3]
>> > >
>> https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
>> > >     [4]
>> > >
>> http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
>> > >     [5]
>> > >
>> http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
>> > >
>> > >     --
>> > >     Hervé Beraud
>> > >     Senior Software Engineer
>> > >     Red Hat - Openstack Oslo
>> > >     irc: hberaud
>> > >
>> > >
>> > >
>> > > --
>> > > Hervé Beraud
>> > > Senior Software Engineer
>> > > Red Hat - Openstack Oslo
>> > > irc: hberaud
>> > >
>> >
>>
>>
>
> --
> Hervé Beraud
> Senior Software Engineer
> Red Hat - Openstack Oslo
> irc: hberaud
>
>
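Added example, not Hervé's check.sh from [2][3]: a small triage of `git log --since=2020-10-01 --name-status` output that sorts touched paths by the action plan's order (scripts, executables and CI config first, documentation second, everything else last). The tier patterns and the sample log are assumptions constructed for this example.

```python
import fnmatch

# Assumed audit tiers, mirroring the action plan's order: scripts, executables
# and CI config first, documentation second, everything else last. The
# patterns are my assumption, not those of the check.sh gist.
TIERS = [
    ("code-ci", ["*.py", "*.sh", "tox.ini", "setup.cfg", "setup.py",
                 ".zuul.yaml", "zuul.d/*", "requirements*.txt"]),
    ("docs", ["*.rst", "doc/*", "releasenotes/*"]),
]

# Constructed sample of `git log --since=2020-10-01 --name-status --format='commit %H %ae'`
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111 alice@example.org
M\toslo_messaging/transport.py
M\tdoc/source/index.rst

commit 2222222222222222222222222222222222222222 bob@example.org
M\t.zuul.yaml
A\ttools/run.sh
R100\treleasenotes/notes/old.yaml\treleasenotes/notes/fix-1234.yaml
"""

def classify(path):
    """Return the audit tier of a changed path (fnmatch treats '/' like any char)."""
    for tier, patterns in TIERS:
        if any(fnmatch.fnmatch(path, p) for p in patterns):
            return tier
    return "other"

def parse_log(text):
    """Parse --name-status output into (sha, author, [(status, path), ...])."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit "):
            _, sha, author = line.split(maxsplit=2)
            commits.append((sha, author, []))
        elif line and commits:
            status, _, path = line.partition("\t")
            if status[0] in "RC":  # rename/copy lines carry old<TAB>new
                path = path.split("\t")[-1]
            commits[-1][2].append((status[0], path))
    return commits

def triage(commits):
    """Group every touched path by tier, keeping who touched it in which commit."""
    out = {"code-ci": [], "docs": [], "other": []}
    for sha, author, files in commits:
        for status, path in files:
            out[classify(path)].append((sha[:10], author, status, path))
    return out
```

Run it on real output by piping `git log --since=2020-10-01 --name-status --format='commit %H %ae'` into `parse_log`; the "code-ci" bucket is the one to read first.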