[oslo][core] gerrit breach and auditing all oslo deliverables [1] since Oct 01

Herve Beraud hberaud at redhat.com
Thu Oct 22 10:01:21 UTC 2020


To summarize the result of our audit: ALL the changes merged during this
period (code, doc, everything...) on ALL the repos that we own have been
checked, and everything seems OK.

Thanks everybody for joining this audit!

On Thu, Oct 22, 2020 at 08:44, Sebastien Boyron <sboyron at redhat.com>
wrote:

> Hi,
>
> I've done a pass on the remaining diff, nothing suspicious.
>
> I think we can go ahead with the next step.
>
> *SEBASTIEN BOYRON*
> TECHNICAL ACCOUNT MANAGER
> Partnering with you to help achieve your business goals.
> Red Hat
> Global Customer Success
>
> +33645408878
> sboyron at redhat.com
>
>
>
>
> On Thu, Oct 22, 2020 at 8:20 AM Herve Beraud <hberaud at redhat.com> wrote:
>
>> Thanks everybody for your help :)
>>
>> On Wed, Oct 21, 2020 at 19:22, Michael Johnson <johnsomor at gmail.com>
>> wrote:
>>
>>> I looked at a few, starting at the bottom, and at the repos I am familiar
>>> with. Everything looked fine in those.
>>>
>>> Michael
>>>
>>> On Wed, Oct 21, 2020 at 9:40 AM Ben Nemec <openstack at nemebean.com>
>>> wrote:
>>> >
>>> >
>>> >
>>> > On 10/21/20 10:47 AM, Herve Beraud wrote:
>>> > > Here is an etherpad to coordinate us and help us track our audit.
>>> > >
>>> > > This etherpad identifies all the gerrit diffs owned by oslo.
>>> > >
>>> > > Please put your name on the line of the project you decide to take,
>>> > > and strike it through when the corresponding project is audited.
>>> > >
>>> > > https://etherpad.opendev.org/p/oslo-gerrit-breach-audit
>>> >
>>> > Thanks for doing that! I took a look at a few projects and they all
>>> > looked good. It shouldn't take too long to knock this out if everyone
>>> > checks a handful of projects.
>>> >
>>> > >
>>> > > It can help us measure our progress.
>>> > >
>>> > > Thank you in advance for your help,
>>> > >
>>> > > On Wed, Oct 21, 2020 at 12:00, Herve Beraud <hberaud at redhat.com>
>>> > > wrote:
>>> > >
>>> > >     Hello,
>>> > >
>>> > >     Like every team, we are also concerned by the gerrit breach, and
>>> > >     we must take a look at our changes during this time frame on all
>>> > >     our deliverables [1].
>>> > >
>>> > >     The list of deliverables owned by Oslo is very large, so we need
>>> > >     a methodical approach and also external help to check all these
>>> > >     repositories.
>>> > >
>>> > >     Fortunately, oslo was in feature freeze during most of this
>>> > >     period, so I think that will reduce the scope of our
>>> > >     investigation to our master branches.
>>> > >
>>> > >     Due to the criticality of the problem, I propose the following
>>> > >     action plan:
>>> > >     - first, split our deliverables into groups and assign volunteers
>>> > >       to them;
>>> > >     - second, focus on changes to our scripts, executable files and
>>> > >       CI config;
>>> > >     - third, inspect documentation;
>>> > >     - fourth, inspect other kinds of changes that I missed in the
>>> > >       previous points.
>>> > >
>>> > >     I wrote a script [2][3] to help the release team extract the
>>> > >     relevant changes (*.py, *.sh); all the rest (*.yaml, *.rst) has
>>> > >     been ignored for now. We could adapt this script to lead our
>>> > >     investigation.
>>> > >
>>> > >     Example of script usage against our openstack/oslo.messaging
>>> > >     repo:
>>> > >     ```
>>> > >     $ cd oslo.messaging
>>> > >     $ curl https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh | sh
>>> > >     ```
>>> > >
>>> > >     Are you interested in following this action plan?
>>> > >
>>> > >     Ben, as you are the security liaison, are you interested in
>>> > >     coordinating these groups/actions?
>>> > >
>>> > >     Otherwise, any volunteers?
>>> > >
>>> > >     Feel free to propose another approach or to propose changes to
>>> > >     this one.
>>> > >
>>> > >     Please double-check your account activity [4] and make sure
>>> > >     nothing is off.
>>> > >
>>> > >     Special congrats to Julia Kreger for her excellent job [5].
>>> > >
>>> > >     Thank you in advance for your help,
>>> > >
>>> > >     [1] https://governance.openstack.org/tc/reference/projects/oslo.html#deliverables
>>> > >         <https://governance.openstack.org/tc/reference/projects/release-management.html>
>>> > >     [2] https://gist.github.com/4383/511359cc2080e06295944c5f40bd1033
>>> > >     [3] https://gist.githubusercontent.com/4383/511359cc2080e06295944c5f40bd1033/raw/c0e21b41570abed076c72d11dcc102dd9d43a067/check.sh
>>> > >     [4] http://lists.opendev.org/pipermail/service-announce/2020-October/000011.html
>>> > >     [5] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018148.html
>>> > >
>>> > >     --
>>> > >     Hervé Beraud
>>> > >     Senior Software Engineer
>>> > >     Red Hat - Openstack Oslo
>>> > >     irc: hberaud
>>> > >     -----BEGIN PGP SIGNATURE-----
>>> > >
>>> > >     wsFcBAABCAAQBQJb4AwCCRAHwXRBNkGNegAALSkQAHrotwCiL3VMwDR0vcja10Q+
>>> > >     Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+
>>> > >     RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP
>>> > >     F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G
>>> > >     5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g
>>> > >     glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw
>>> > >     m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ
>>> > >     hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0
>>> > >     qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y
>>> > >     F1ON0ONekDZkGJsDoS6QdiUSn8RZ2mHArGEWMV00EV5DCIbCXRvywXV43ckx8Z+3
>>> > >     B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O
>>> > >     v6rDpkeNksZ9fFSyoY2o
>>> > >     =ECSj
>>> > >     -----END PGP SIGNATURE-----
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > Hervé Beraud
>>> > > Senior Software Engineer
>>> > > Red Hat - Openstack Oslo
>>> > > irc: hberaud
>>> > >
>>> >
>>>
>>>
>>
>> --
>> Hervé Beraud
>> Senior Software Engineer
>> Red Hat - Openstack Oslo
>> irc: hberaud
>>
>>

-- 
Hervé Beraud
Senior Software Engineer
Red Hat - Openstack Oslo
irc: hberaud
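The action plan in the thread (scripts, executable files and CI config first, then documentation, then everything else) and the `check.sh` usage can be turned into a self-contained triage that does not pipe a remote script into `sh`. The block below is an added example written for this page; it is not the gist linked in the thread and not an Oslo tool. It runs `git log --raw` over a local clone for the audit window (the Oct 01 start date is taken from the subject line; the end date is whatever the service announcement [4] gives and is passed on the command line) and lists every commit riskiest-first, flagging new files, files that gained the executable bit, symlinks and deletions. The tier names, the file patterns, the `@@` header prefix and the sample log are my own assumptions, and the sample is constructed rather than real Oslo history.

```python
import re
import subprocess
import sys
from typing import Dict, List

HEADER = "@@"  # prefix of the per-commit line we ask git to print (assumed)

# Risk tiers from the action plan, highest first. First match wins, so CI and
# packaging config is classified before the generic *.py / *.sh rule, while
# doc/source/conf.py still lands in the code tier (Sphinx executes it).
CI_CONFIG = re.compile(
    r"^(\.zuul\.yaml|\.zuul\.d/.*|zuul\.d/.*|tox\.ini|setup\.py|setup\.cfg"
    r"|bindep\.txt|\.pre-commit-config\.yaml|[a-z/-]*requirements\.txt"
    r"|lower-constraints\.txt)$")
CODE = re.compile(r"\.(py|sh)$|^(bin|tools)/")
DOCS = re.compile(r"\.(rst|md)$|^(doc|releasenotes)/")
TIER_RANK = {"ci_config": 0, "code_or_script": 1, "docs": 2, "other": 3}

# One `git log --raw` entry: ":<old mode> <new mode> <old sha> <new sha> <status>\t<path>"
RAW_LINE = re.compile(
    r"^:(?P<old>\d{6}) (?P<new>\d{6}) \S+ \S+ (?P<status>[A-Z])\d*\t(?P<path>.+)$")


def git_log_raw(repo: str, since: str, until: str) -> str:
    """Return `git log --raw` for the audit window, one HEADER line per commit."""
    fmt = HEADER + "%H%x09%an <%ae>%x09%cn <%ce>%x09%s"
    return subprocess.run(
        ["git", "-C", repo, "log", "--raw", "--no-renames",
         f"--since={since}", f"--until={until}", f"--format={fmt}"],
        check=True, capture_output=True, text=True).stdout


def classify(path: str, old_mode: str, new_mode: str, status: str) -> Dict:
    """Assign a risk tier to one touched path and flag suspicious metadata."""
    tier = ("ci_config" if CI_CONFIG.search(path) else
            "code_or_script" if CODE.search(path) else
            "docs" if DOCS.search(path) else "other")
    flags = []
    if status == "A":
        flags.append("new_file")
    if status == "D":
        flags.append("deleted")
    if new_mode == "100755" and old_mode != "100755":
        flags.append("became_executable")  # new or newly chmod +x'd file
    if new_mode == "120000":
        flags.append("symlink")  # may point outside the tree
    return {"path": path, "status": status, "tier": tier, "flags": flags}


def parse(raw: str) -> List[Dict]:
    """Turn git's raw output into commits with classified files."""
    commits: List[Dict] = []
    for line in raw.splitlines():
        if line.startswith(HEADER):
            sha, author, committer, subject = line[len(HEADER):].split("\t", 3)
            commits.append({"sha": sha, "author": author, "committer": committer,
                            "subject": subject, "files": []})
        elif line.startswith(":") and commits:
            m = RAW_LINE.match(line)
            if m:
                commits[-1]["files"].append(
                    classify(m["path"], m["old"], m["new"], m["status"]))
    return commits


def commit_tier(commit: Dict) -> str:
    """Riskiest tier among a commit's files; "other" for empty diffs (merges)."""
    return min([f["tier"] for f in commit["files"]] or ["other"],
               key=TIER_RANK.__getitem__)


def prioritize(commits: List[Dict]) -> List[Dict]:
    """Riskiest first: lowest tier rank, then most flags; stable for ties."""
    return sorted(commits, key=lambda c: (
        TIER_RANK[commit_tier(c)], -sum(len(f["flags"]) for f in c["files"])))


# Constructed sample (not real Oslo history), in the shape git emits.
SAMPLE_LOG = "\n".join([
    HEADER + "1111111\tAlice <alice@example.org>\tZuul <zuul@example.org>\tAdd release note",
    "",
    ":000000 100644 0000000 9f3c1a2 A\treleasenotes/notes/victoria-abc123.yaml",
    HEADER + "2222222\tBob <bob@example.org>\tZuul <zuul@example.org>\tBump py38 env",
    "",
    ":100644 100644 1a2b3c4 5d6e7f8 M\ttox.ini",
    ":100644 100644 0a0b0c0 1d1e1f1 M\toslo_messaging/transport.py",
    HEADER + "3333333\tMallory <m@example.org>\tZuul <zuul@example.org>\tAdd helper script",
    "",
    ":000000 100755 0000000 deadbee A\ttools/fetch-deps.sh",
    HEADER + "4444444\tAlice <alice@example.org>\tZuul <zuul@example.org>\tFix README typo",
    "",
    ":100644 100644 aaaaaaa bbbbbbb M\tREADME.rst",
])

if __name__ == "__main__":
    # python triage.py <clone> 2020-10-01 <end-of-window>; no args: the sample
    raw = git_log_raw(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_LOG
    for c in prioritize(parse(raw)):
        files = ", ".join(f["path"] + (f"[{','.join(f['flags'])}]" if f["flags"] else "")
                          for f in c["files"])
        print(f"{commit_tier(c):14} {c['sha'][:7]} {c['subject']!r} -> {files}")
```

Run it as `python triage.py /path/to/oslo.messaging 2020-10-01 <end-of-window>`; with no arguments it triages the embedded sample, where the `tox.ini` change sorts ahead of the new executable `tools/fetch-deps.sh`, which sorts ahead of the two documentation commits. A merge commit prints no files under `git log --raw`, so it lands in the `other` tier, while the content commits it brings in are listed on their own. The tiers only decide reading order; every commit in the window still has to be read, which is what the etherpad in the thread tracks.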
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201022/27a5447b/attachment-0001.html>

