Re: Secrets committed as part of Ozone Commits

2021-03-25 Thread anu engineer
Completely agree with Marton's proposal, force pushing really does not work with Git. Invalidation of the secrets is the best defence and it would be nice to get back to a consistent tree.
Thanks
Anu
On Thu, Mar 25, 2021 at 1:47 AM Attila Doroszlai wrote:
> On Thu, Mar 25, 2021 at 7:32 AM El

Re: Secrets committed as part of Ozone Commits

2021-03-25 Thread Mukul Kumar Singh
Thanks for the replies everyone.
Sorry that I force-pushed in haste. I did not see all the problems with the force-push earlier, I have now pushed the original master before this force push was done. Sorry for all the confusion because of this.
Thanks,
Mukul
On 25/03/21 2:16 pm, Attila D

Re: Secrets committed as part of Ozone Commits

2021-03-25 Thread Attila Doroszlai
On Thu, Mar 25, 2021 at 7:32 AM Elek, Marton wrote:
> My proposal is:
>
> 1. Restore the master to the previous state.
> 2. Invalidate/revoke the leaked secret ASAP
> 3. Revert the problematic commit and recommit it without the problems
> 4. (In the future) do discussions which include al

Re: Secrets committed as part of Ozone Commits

2021-03-25 Thread Stephen O'Donnell
I agree with Marton. Force pushing to a public git repo is likely to be very disruptive going forward, and the only safe approach to deal with the committed secret is to revoke it and add a new commit to remove it. If it's revoked, having it in the git history will do no harm.
+1 to what Marton sug

Re: Secrets committed as part of Ozone Commits

2021-03-25 Thread Elek, Marton
4. Force-pushing invalidates all of our commit ids which are part of our development history: the pull requests. All the merge links on the reworked PRs now point to invalid commits which are not part of the master. As far as I see all of our open PRs are also broken and/or conflicted:

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Vivek Ratnavel
I agree with Marton. +1 for Marton's proposal.
- Vivek Subramanian
On Wed, Mar 24, 2021 at 11:32 PM Elek, Marton wrote:
> -1
>
> 1. If you are interested in the opinion of all the other
> contributors, please start a discussion which is inclusive for all the
> timezones and wait at

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Elek, Marton
-1
1. If you are interested in the opinion of all the other contributors, please start a discussion which is inclusive for all the timezones and wait at least one day.
2. Force push is a very intrusive way, it causes new problems and it doesn't solve the original problem itself. If

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Bharat Viswanadham
+1
Thanks for raising this issue and taking care of this.
Thanks,
Bharat
On Thu, Mar 25, 2021 at 8:03 AM Mukul Kumar Singh wrote:
> Hi,
>
> Recently, through one of the jiras (HDDS-4864), aws_secret_access_key was
> committed into Ozone's source code. Secrets, gpg passphrases, passwords,
> s

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Siyao Meng
Thanks Mukul.
Note that all open PRs based on master branch after Tue Mar 2 11:11:58 2021 PST (commit time of HDDS-4864) may need to be rebased due to the divergence.
-Siyao
On Mar 24, 2021 at 10:27:24 PM, Mukul Kumar Singh wrote:
> Thanks everyone.
>
> I have pushed the changes to the master

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Mukul Kumar Singh
Thanks everyone.
I have pushed the changes to the master branch. Please resume any merges to Apache master.
Thanks,
Mukul
On 25/03/21 10:30 am, Mukul Kumar Singh wrote:
Thanks Arpit and Sammi for the responses.
Note: Please block any merges to Apache master while this commit is being remov

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Lokesh Jain
Hey Mukul
Thanks for reporting the issue! I also see the commit in 1.1.0-RC0 branch.
Regards
Lokesh
> On 25-Mar-2021, at 10:30 AM, Mukul Kumar Singh wrote:
>
> Thanks Arpit and Sammi for the responses.
>
> Note: Please block any merges to Apache master while this commit is being
> removed

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Mukul Kumar Singh
Thanks Arpit and Sammi for the responses.
Note: Please block any merges to Apache master while this commit is being removed. I will send out another email once the process is done.
Thanks,
Mukul
On 25/03/21 9:19 am, Sammi Chen wrote:
+1
Thanks Mukul for raising the issue.
On Thu, Mar 25,

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Sammi Chen
+1
Thanks Mukul for raising the issue.
On Thu, Mar 25, 2021 at 10:33 AM Mukul Kumar Singh wrote:
> Hi,
>
> Recently, through one of the jiras (HDDS-4864), aws_secret_access_key was
> committed into Ozone's source code. Secrets, gpg passphrases, passwords,
> ssh private files should not be comm

Re: Secrets committed as part of Ozone Commits

2021-03-24 Thread Arpit Agarwal
+1
It is surprising this was not caught by GitHub.
https://docs.github.com/en/code-security/secret-security/about-secret-scanning
Thanks for raising this.
> On Mar 24, 2021, at 7:32 PM, Mukul Kumar Singh
> wro

Secrets committed as part of Ozone Commits

2021-03-24 Thread Mukul Kumar Singh
Hi,
Recently, through one of the jiras (HDDS-4864), aws_secret_access_key was committed into Ozone's source code. Secrets, gpg passphrases, passwords, ssh private files should not be committed into Ozone source code as they leak credentials into the source code.
This issue will be solved via