[service-announce] October 20 Gerrit Outage Update

Jeremy Stanley fungi at yuggoth.org
Wed Oct 21 15:20:04 UTC 2020


On 2020-10-21 10:06:07 -0500 (-0500), Ghanshyam Mann wrote:
[...]
> Enabling the email notification to all the existing members of any
> core groups if there is any change in that group can help this.
[...]

Yes, like I said, that doesn't seem to be a feature of Gerrit 2.13.
It may have been added in a later version, but someone will need to
check. We could also add our own auditing tools which anyone can
run, for example group membership information can be queried from
the REST API even by non-administrators. Something like this:

<URL: https://opendev.org/opendev/system-config/src/commit/b5ee5e6eb8c30ff6e8a9ef931bdfb00710a519c1/tools/who-approves.py >

I wrote that some years back as an example for the folks who were
regularly organizing "core reviewer parties" at summits, but it
could be turned to more useful endeavors. Note that it probably
needs some updating, I haven't tried running it in ages. Let's call
that an exercise for the reader. ;)

Just remember, as I've said already, while notification of
suspicious group membership changes would be handy, this particular
incident started with a compromised admin identity and the group
escalation was really an unnecessary/secondary event weeks later.
While it might help us catch future breaches, it wouldn't on its own
have caught the initial intrusion for this one.
-- 
Jeremy Stanley
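The kind of membership audit sketched above, written here as an added example rather than the who-approves.py script linked in the post. It assumes Gerrit's real `GET /groups/{group-id}/members/` endpoint and its `)]}'` anti-XSSI prefix; the sample response and baseline are constructed so the check runs offline.

```python
"""Audit a Gerrit core group for unexpected membership changes.

Added example, not the who-approves.py script from the post.
Gerrit REST endpoint used (real): GET /groups/{group-id}/members/
Responses begin with the ")]}'" XSSI-protection prefix before the JSON.
"""
import json
import urllib.parse
import urllib.request

XSSI_PREFIX = ")]}'"


def parse_gerrit_json(body: str):
    """Strip Gerrit's anti-XSSI prefix and decode the JSON payload."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return json.loads(body)


def member_usernames(members) -> set:
    """Reduce a /groups/{id}/members/ listing to a set of usernames."""
    return {m.get("username") or str(m["_account_id"]) for m in members}


def diff_membership(baseline: set, current: set) -> dict:
    """Report who was added to or removed from the group since baseline."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}


def fetch_members(base_url: str, group: str):
    """Anonymous GET against a live server (works for groups visible to all)."""
    url = f"{base_url}/groups/{urllib.parse.quote(group, safe='')}/members/"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return parse_gerrit_json(resp.read().decode("utf-8"))


# Constructed sample response, shaped like Gerrit's real member listing.
SAMPLE_RESPONSE = """)]}'
[{"_account_id": 1000001, "name": "Alice Example", "username": "alice"},
 {"_account_id": 1000002, "name": "Bob Example", "username": "bob"},
 {"_account_id": 1000099, "name": "New Account", "username": "newcomer"}]
"""
BASELINE = {"alice", "bob", "carol"}  # constructed: last known-good membership


def audit_sample() -> dict:
    """Run the check against the embedded sample instead of the network."""
    current = member_usernames(parse_gerrit_json(SAMPLE_RESPONSE))
    return diff_membership(BASELINE, current)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Run it periodically against the live listing via `fetch_members()` and alert on any non-empty `added` or `removed`; as the post notes, this catches group escalation, not the compromised admin identity that preceded it.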