diff options
| author |   Alec Warner <antarus@gentoo.org> | 2018-07-03 12:32:00 -0400 |
|---|---|---|
| committer | Alec Warner <antarus@gentoo.org> | 2018-07-03 12:32:00 -0400 |
| commit | 222425b0573e36dc58fbbb0bf51dbb124d7f9d0e (patch) | |
| tree | 6425f24cfcf2f8c01190f280afbe3c1f284f5fd5 /20180629-github.txt | |
| parent | 20180629-github: improve formatting since we point here from the main www pag... (diff) | |
| download | notices-222425b0573e36dc58fbbb0bf51dbb124d7f9d0e.tar.gz notices-222425b0573e36dc58fbbb0bf51dbb124d7f9d0e.tar.bz2 notices-222425b0573e36dc58fbbb0bf51dbb124d7f9d0e.zip | |
Update notice.
Diffstat (limited to '20180629-github.txt')
| -rw-r--r-- | 20180629-github.txt | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/20180629-github.txt b/20180629-github.txt index 83e6249..99b5855 100644 --- a/20180629-github.txt +++ b/20180629-github.txt @@ -12,7 +12,7 @@ affects: [github] - Non-GitHub services remain unaffected. - The GitHub `gentoo` organization repositories have been restored to known good states. - The GitHub `gentoo-mirror` organization is unaffected. -- The GitHub `gentoo` organization remains offline for cleanup of malicious PR changes. +- The GitHub `gentoo` organization is now online; but repairs to PRs are ongoing. For ongoing status, please see the [Gentoo infra-status incident page](https://infra-status.gentoo.org/notice/20180629-github). @@ -22,11 +22,10 @@ post-mortem will follow on the wiki. # Detailed Status ## Pending actions -1. Gentoo is waiting for GitHub to: - 1. Complete audit log aggregate on their systems. - 2. Provide detailed audit logs for manually resetting PR state. - 3. Unlock the organization after PRs are reset. -2. Gentoo Infrastructure team will re-add members to the GitHub organization at this point. +1. Gentoo Infrastructure team will re-add members to the GitHub organization at this point. +2. Re-enable CI services. +3. Complete postmortem document and publish it with action items. +4. Decide what to do with PRs that no longer apply due to the incident (and the forced git pushes required to repair it.) ## Completed actions - Malicious content was replaced by 2018/06/29 06:59 UTC. @@ -34,6 +33,10 @@ post-mortem will follow on the wiki. - Trace & lock-out compromised account. - Reviewed all public & private commits for the compromised account for the last 90+ days. +- Github produced the requested audit logs related to the incident. +- Github unlocked the `gentoo` organization at our request. +- Gentoo re-enabled mirroring from master repositories to Github. +- Gentoo enabled 2 factor authentication as a requirement on the `gentoo` github organization. ## Further mitigating factors 1. No ebuilds are known to have used the systemd repo fork. @@ -41,6 +44,13 @@ post-mortem will follow on the wiki. 3. The malicious content has been force-pushed over the original commits, which should have resulted in `git pull` refusing to merge unrelated histories. # Updates +## 2018-07-02 16:00 UTC + +The `gentoo` GitHub organization is now public again and mirroring of content from +the main (self-hosted) repositories has resumed. Developers have not been re-added to the `gentoo` +github organization at this time (pending a final audit of processes.) We expect this to happen +soon. + ## 2018-06-29 23:06 UTC GitHub says detailed audit logs of PR actions will take 3-4 days to prepare, and that a direct rewind of PR state will NOT be possible. Manual restoration @@ -53,6 +63,7 @@ GitHub says they are still working on it. ## 2018-06-29 14:10 UTC No further information from GitHub since the last update. +>>>>>>> 434336645195bdc1193cc3f416a60b6bf01b3f4b ## 2018-06-29 06:45 UTC |