Google Git
Sign in
gerrit / homepage / 1ecf75f3f55554b00148e6dbd2093ccc7e1a718b^! / .
commit1ecf75f3f55554b00148e6dbd2093ccc7e1a718b[log] [tgz]
authorEdwin Kempin <ekempin@google.com>Wed Mar 20 11:34:43 2019 +0100
committerEdwin Kempin <ekempin@google.com>Thu Mar 21 10:24:02 2019 +0000
tree98d1d8aab4b21347fd350eca1c58500f0bf21731
parent8fb99dc4d1d5167bc058ba5e76adaa6375fe697f [diff]
Add kudos for handling security vulnerabilities

Change-Id: I023666cc732aaa79e8785d39c28eee3a98df5749
Signed-off-by: Edwin Kempin <ekempin@google.com>

diff --git a/pages/site/kudos.md b/pages/site/kudos.md
index b8f3db2..3dad23b 100644
--- a/pages/site/kudos.md
+++ b/pages/site/kudos.md

@@ -37,6 +37,50 @@
 
 ---
 
+**[2019-03-20] To: David Pursehouse (CollabNet); David Ostrovsky; Jonathan
+Nieder (Google), Jonathan Tan (Google), Luca Milanesio (GerritForge);
+Masaya Suzuki (Google), Matthias Sohn (SAP)**
+
+```
+  The Gerrit open source project had to deal with 2 severe security
+  vulnerabilities ([issue 10201](https://bugs.chromium.org/p/gerrit/issues/detail?id=10201),
+  [issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262) that
+  required patching 6 JGit releases and 8 Gerrit releases (2.9 to 2.16). David
+  Pursehouse, David Ostrovsky, Jonathan Nieder, Jonathan Tan, Luca Milanesio,
+  Masaya Suzuki and Matthias Sohn were extremely supportive to deal with the
+  situation. In particular they took care of:
+
+  * Reverting the problematic code in Gerrit (David Pursehouse)
+  * Implementing JGit fixes (Masaya Suzuki, Jonathan Nieder)
+  * Reviewing JGit fixes (Masaya Suzuki, Jonathan Nieder, Jonathan Tan, Matthias
+    Sohn)
+  * Preparing fixed JGit versions (Matthias Sohn)
+  * Making the fixed JGit versions available to Gerrit without breaking the
+    embargo (Matthias Sohn)
+  * Upgrading JGit for all affected Gerrit versions (David Ostrovsky)
+  * Fixing the CI build for Gerrit 2.9 (David Ostrovsky, Luca Milanesio)
+  * Writing release notes (David Pursehouse)
+  * Code reviews (David Pursehouse, David Ostrovsky, Luca Milanesio)
+  * Releasing fixed Gerrit 2.16 versions (David Pursehouse, Luca Milanesio)
+  * Releasing fixed Gerrit 2.15 version (David Pursehouse)
+  * Releasing fixed Gerrit 2.9 to 2.14 versions (Luca Milanesio)
+  * Announcing and documenting the vulnerabilities for the community
+    (David Pursehouse, Luca Milanesio)
+  * Collaboration on a post mortem (David Pursehouse, David Ostrovsky, Luca
+    Milanesio, Matthias Sohn)
+
+  This was an extraordinary collaboration across teams, projects, companies and
+  timezones and showed to the Gerrit community that the Gerrit project is taking
+  security seriously.
+
+  This engagement was especially remarkable since a lot of these actions
+  happened during Christmas/New Year.
+```
+
+From: Edwin Kempin (Google)
+
+---
+
 **[2019-03-20] To: Luca Milanesio (GerritForge)**
 
 ```