review(redfix): wake #45 — 186b0ba rewrite VERIFIED cold; A-redfix-2/3/4 CLOSED; A-redfix-1 = same live credential as B-redfix-8 (sentinel 3fcea789…, still unrotated)
This commit is contained in:
@ -534,7 +534,7 @@ a sha alone is not durable evidence. Record the *content assertion* (file → ex
|
||||
or push a tag. The other three redfix fixes pinned exactly (`4ca7f418`, `a0f2db88`, `4987ba91`), as did cc-ci
|
||||
`redfix-m2-harness`@`07fc6d4a` — discourse drifted only because a later phase reused its branch.
|
||||
|
||||
### A-redfix-2 [adversary] — STATUS's "no code path redeploys it / recovery is manual" is REFUTED: the B-redfix-5 wedge **does** self-heal on the next unit activation, which makes it look intermittent
|
||||
### A-redfix-2 [adversary] — **CLOSED 2026-07-09T08:59Z** (accepted at `f64d102`; false half superseded by A-redfix-4 at `e356698`) — STATUS's "no code path redeploys it / recovery is manual" is REFUTED: the B-redfix-5 wedge **does** self-heal on the next unit activation, which makes it look intermittent
|
||||
|
||||
> **⚠ PARTIALLY WITHDRAWN by me at wake #44 (2026-07-09T08:5xZ) — see A-redfix-4.**
|
||||
> The *first* half (a code path redeploys it → the "recovery is manual" wording is wrong) **stands**.
|
||||
@ -596,7 +596,7 @@ does restore live keycloak — but the foreign meta remains, so it re-wedges on
|
||||
is to remove the foreign `snapshot/`, not to redeploy."* The **precondition itself is unchanged and still
|
||||
correct**; only the mechanism/remediation sentences are wrong.
|
||||
|
||||
### A-redfix-3 [adversary] — STATUS's `main.go` "present in both clones ⇒ written outside git" evidence is void: `/srv/cc-ci` is a **symlink** to `/srv/cc-ci-orch`, so there is one file, not two
|
||||
### A-redfix-3 [adversary] — **CLOSED 2026-07-09T08:59Z** (accepted + evidence retracted at `f64d102`; STATUS:28-29,564-572 re-read and correct) — STATUS's `main.go` "present in both clones ⇒ written outside git" evidence is void: `/srv/cc-ci` is a **symlink** to `/srv/cc-ci-orch`, so there is one file, not two
|
||||
|
||||
Severity **INFO**. No VETO, no gate impact, no DoD impact. The *conclusion* (untracked, not from this phase,
|
||||
leave it alone) is fine; the supporting evidence is an artifact.
|
||||
@ -627,7 +627,7 @@ on not deleting it: neither of us created it.
|
||||
|
||||
---
|
||||
|
||||
### A-redfix-4 [adversary] — the B-redfix-5 wedge has a **weekly autonomous re-trigger** (`nightly-sweep.timer`) and fails **silently**: post-arming, keycloak oscillates down-a-week / up-a-week with `nightly-sweep.service` reporting `Result=success`
|
||||
### A-redfix-4 [adversary] — **CLOSED 2026-07-09T08:59Z** — all three asks applied at `e356698` and cold-re-verified by me at wake #45 (probes deleted; oscillation + silence recorded; precondition re-anchored to "never deploy `07fc6d4`"). The underlying *behaviour* remains open under **B-redfix-5**, which is deferred, not fixed. — the B-redfix-5 wedge has a **weekly autonomous re-trigger** (`nightly-sweep.timer`) and fails **silently**: post-arming, keycloak oscillates down-a-week / up-a-week with `nightly-sweep.service` reporting `Result=success`
|
||||
|
||||
Severity **MED** (operator-facing; describes a *deferred* item's blast profile, **not** a DoD item).
|
||||
**No VETO. Does not reopen the phase.** M1 + M2 PASS stand. Merge target `b5f2b10` unchanged and still correct.
|
||||
@ -722,3 +722,35 @@ means **the merge's own activation switch is itself a reconcile trigger**, along
|
||||
|
||||
Remediation if ever armed is unchanged and still correct: **delete the foreign `snapshot/` from the slot**;
|
||||
do not redeploy keycloak (the sweep does that for you, and it is what masks the fault).
|
||||
|
||||
---
|
||||
|
||||
### A-redfix-1 — ADDENDUM (wake #45, 2026-07-09T08:59Z): the embedded value is the **same live credential as B-redfix-8**, confirmed at value level; and rotation will **not** clean this file
|
||||
|
||||
Still **OPEN**. Re-verified cold on cc-ci this wake, without printing the secret:
|
||||
|
||||
ssh cc-ci 'stat -c "%a %U:%G" /etc/cc-ci/.git/config' # → 644 root:root
|
||||
ssh cc-ci 'grep -oE "https://[^/@]+:[^/@]+@" /etc/cc-ci/.git/config \
|
||||
| sed -E "s#https://[^:]+:##; s#@$##" | tr -d "\n" | sha256sum | cut -c1-16'
|
||||
|
||||
**EXPECTED / observed: `3fcea78925015fc9`** — byte-identical to the B-redfix-8 rotation sentinel
|
||||
(`sha256(GITEA_PASSWORD)[:16]`, re-confirmed this wake from `/srv/cc-ci/.testenv` on the **orchestrator**).
|
||||
So A-redfix-1 and B-redfix-8 are **two exposures of one still-unrotated, push-capable credential**, and the
|
||||
sentinel matching proves it is **still not rotated**. (Extract-then-hash, never echo. `python3` is absent on
|
||||
cc-ci — do not run the orchestrator's python probe over `ssh`; that is the `e3b0c44298fc1c14` empty-input tell.)
|
||||
|
||||
**New, and operator-relevant: rotation does not fix this file, and may recreate the exposure.**
|
||||
`/etc/cc-ci` is a **manual `git clone`**, not nix-generated — `nix/hosts/cc-ci-hetzner/configuration.nix:7`
|
||||
documents `git clone --recursive https://git.autonomic.zone/recipe-maintainers/cc-ci.git /etc/cc-ci`. Nothing
|
||||
regenerates `.git/config` on `nixos-rebuild switch`. Therefore:
|
||||
- After rotating `GITEA_PASSWORD`, the **old** value persists verbatim in this 0644 file (inert, but it should
|
||||
still be scrubbed — it is the value published at `14c7dee`).
|
||||
- If the operator re-clones or re-embeds the **new** password in the remote URL, the 0644 exposure **returns**.
|
||||
|
||||
**Recommendation (operator, alongside the B-redfix-8 rotation):** point the remote at a credential-less URL
|
||||
(`https://git.autonomic.zone/recipe-maintainers/cc-ci.git`) and authenticate via a `credential.helper` /
|
||||
token file with `0600`, or at minimum `chmod 0600 /etc/cc-ci/.git/config`. Do not carry userinfo in the URL.
|
||||
|
||||
**Rotation blast radius is small** (checked, so this is not a reason to delay): `GITEA_PASSWORD` is consumed
|
||||
only by `scripts/bootstrap-drone-oauth.sh` (a one-off bootstrap). `scripts/recipe-mirror-sync.sh` pushes with
|
||||
an **OAuth token**, not the password, so the weekly sweep's mirror sync does **not** depend on it.
|
||||
|
||||
Reference in New Issue
Block a user