The Big Picture

This was the feature-freeze aftermath week for the 2025.2 "Flamingo" cycle. The release team marked week R-3 (Thierry Carrez's countdown), the TC's R-4 summary confirmed feature freeze had passed and teams were preparing release candidates, and most of the consequential traffic was about getting deliverables into shape: finalizing cycle highlights, refreshing stale intermediary releases, and a steady drumbeat of eventlet-removal progress. Two structural concerns loomed underneath: a community-wide MariaDB 11.8 compatibility problem that touches nearly every service, and a long-running election that risks a shrunken electorate.

Security

One advisory surfaced via the eventlet-removal update: CVE-2025-58068 (CVSS 6.3), an HTTP request-smuggling flaw in eventlet's WSGI parser that can enable control bypass, cache poisoning, and user targeting. Herve Beraud reported it has been fixed in a recent eventlet release (0.40.x line). Anyone still running services on the eventlet WSGI stack should pick up the patched version.

Releases & Announcements

The eventlet-removal effort posted strong milestone-3 numbers (Herve Beraud). Highlights: Ironic, Barbican, and Heat have fully completed their migrations and are now threading-based; Ironic published a write-up (thanks Julia). Roughly 17% of impacted runtime code (and ~14% across the full code/test/doc footprint) is migrated, 13 projects are fully done, 40%+ of impacted repos have made progress, and 332+ patches have landed. The Ironic team and Dmitry added a DynamicPoolExecutor to Futurist to replace dynamic GreenPools, oslo.service's backend system is now documented, and eventlet 0.40.2 added Python 3.14 support. The governance-level migration timeline was adjusted to match Nova's dual-mode support. Work continues on Neutron, Nova, Manila, Magnum, Mistral, Watcher, Designate, and Trove.

On release hygiene, Elõd Illés reminded PTLs that Flamingo cycle highlights should be finalized this week so they can feed release marketing. Thierry Carrez flagged cycle-with-intermediary deliverables that need a refresh before the final release — specifically horizon (last released 25.4.0 on 2025-05-27), ironic-python-agent-builder, and networking-baremetal — and asked teams to cut new releases soon so the final Flamingo doesn't ship outdated versions.

Development & Technical Decisions

The most far-reaching technical thread was Seunghun Lee's "OpenStack wide MariaDB 11.8 problem." While bumping Kolla/Kolla-Ansible from MariaDB 10.11 to 11.8, he found that MariaDB changed the default collation for utf8mb3 (from utf8mb3_general_ci to utf8mb3_uca1400_ai_ci) starting in 11.5. Because some services specify charset/collation when creating tables (Nova, Keystone, Cinder, Designate) and others don't (Glance, Neutron, Octavia, Placement) — with Magnum doing both inconsistently — fresh deployments end up with collation mismatches across databases, and 10.11→11.8 upgrades carry their own risk. This is a cross-project compatibility issue, not yet a settled fix, and operators planning MariaDB upgrades should follow it closely.

Nathan Harper raised a meaty Nova/Neutron scheduling problem: routed provider networks with per-rack physnets and SR-IOV don't actually work as documented. Placement correctly narrows allocation candidates per segment, but during build the PCI device request always carries the same segment's physnet, tracing to a known TODO(vladikr) in nova/network/neutron.py noting that multiple VLAN segments on different physical networks aren't handled. He's asking whether anyone has ever gotten this configuration working.

Adrian Jarvis (upgrading Keystone from Rocky toward Epoxy) proposed a patch to rehash deprecated password hashes after authentication and gauged interest in upstreaming it — directly relevant to the sha512_crypt removal pain operators have been hitting. Chang Xue reported Nova API call duration increasing after upgrading to Caracal (filed as bug 2121607) and a separate http-vs-https pagination href issue that turned out to be HAProxy config. James Denton continued exploring how to gather per-port statistics in ML2/OVN, with Rodolfo Alonso suggesting an RFE to extend OVN network logging to single ports. Nimesh Desai asked how to reactivate an abandoned-owner WIP Cinder patch in Gerrit when the original author has left.

Community & Events

Election anxiety dominated governance. The TC's R-4 summary reported that four project teams had no PTL nominees — Monasca, OpenStack Charms, Venus, and Vitrage — and that the recent OpenInfra Foundation membership-renewal change (tied to the move under the Linux Foundation) is shrinking the electorate, raising disenfranchisement concerns. Polls close September 17 at 23:45 UTC; ensure your Gerrit preferred email is opted into CIVS or you may not receive a ballot. Doug Goldstein's TC campaign post laid out priorities: lowering the contribution barrier, fixing tooling/docs decay, and growing core-reviewer ranks with better ways to distinguish drive-by +1s from genuine reviewers.

Ghanshyam Maan (gmaan) announced he'll be on PTO through the 2025.2 release and is the only active Tempest core — a QA coverage risk during a critical window — and opened the QA topic etherpad for the 2026.1 vPTG (add topics by Sept 12). Jake Yip seconded Scott Davidson as a magnum-capi-helm core reviewer. Clark Boylan flagged the OpenInfra Summit 2025 Open Source Pavilion, where projects and SIGs can book booth time to showcase work.

Heads Up / Action Needed

• Patch eventlet for CVE-2025-58068 (WSGI request smuggling) if you run eventlet-based services.
• PTLs: finalize Flamingo cycle highlights now for release marketing.
• Release refreshes: horizon, ironic-python-agent-builder, and networking-baremetal need new intermediary releases before final Flamingo.
• MariaDB upgraders: review the 11.8 collation-default change before moving Kolla/Kolla-Ansible or any deployment past 11.5.
• Vote by Sept 17, 23:45 UTC and confirm your CIVS opt-in; four teams (Monasca, Charms, Venus, Vitrage) still lack PTLs.
• QA: Tempest has reduced core coverage through the release; add 2026.1 vPTG QA topics by Sept 12.