November 08, 2025
Stackers Network Digest — November 08, 2025
The Big Picture
This was the first full week after the 2026.1 "Gazpacho" PTG, and the lists reflected it: a flood of team PTG summaries, a fresh Keystone security advisory, and the opening salvo of what may be the cycle's most contentious architectural debate — a Rust-based Keystone v4. Layered on top were two themes that will shape Gazpacho: a steady push to thin out copy-pasted plumbing (a proposed oslo.wsgi), and several deprecation/freeze notices operators need to plan around. The release clock is ticking toward 2026.1 (R-20/R-21 this week).
Security
Keystone EC2/S3 token endpoints can grant unauthorized access (OSSA-2025-002). Jeremy Stanley published the advisory (initially CVE-pending; MITRE later assigned CVE-2025-65073). By sending a valid AWS Signature — for example, from a presigned S3 URL — to /v3/ec2tokens or /v3/s3tokens, an unauthenticated attacker can obtain Keystone authorization for the associated user: ec2tokens can yield a fully scoped token, and s3tokens can reveal accepted scope, enabling privilege escalation. Affected: Keystone <26.0.1, ==27.0.0, ==28.0.0. Patches landed across Caracal through Gazpacho, with companion Swift patches that keep its optional S3-like API working. If either endpoint is reachable by unauthenticated clients on a public API, patch now. This advisory also kicked off Takashi Kajinami's question (continuing into later weeks) about whether anyone still uses the EC2Token/S3Token middlewares in keystonemiddleware, which may be deprecated since the fix now requires authenticated access.
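For operators triaging this advisory across several deployments, the affected-version predicate above (Keystone <26.0.1, ==27.0.0, ==28.0.0) is easy to get wrong by hand, since 26.0.1 is fixed while 27.0.0 and 28.0.0 are not. The following is an added example, not code from the advisory or from the Keystone project: a small standard-library-only checker that applies exactly those ranges to a list of installed versions and flags the ones that still need the patch. The version strings in the sample input are constructed for illustration.

```python
"""Added example: flag Keystone versions affected by OSSA-2025-002.

Affected per the advisory: Keystone <26.0.1, ==27.0.0, ==28.0.0.
The ranges are hard-coded from the advisory text; nothing else is assumed.
"""
import re
from typing import Iterable, List, Tuple

# Versions that are exactly affected (the .0.0 of the two newer series).
EXACT_AFFECTED: Tuple[Tuple[int, ...], ...] = ((27, 0, 0), (28, 0, 0))
# Everything strictly below this version is affected.
FIXED_FLOOR: Tuple[int, ...] = (26, 0, 1)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '26.0.1' (or 'v26.0.1', '27.0.0.dev3') into a padded int tuple.

    Pre-release suffixes are ignored: a 27.0.0.dev build is treated as
    27.0.0, which errs on the side of reporting it as affected.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Keystone version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad to three components so (26,) and (26, 0, 0) compare equal.
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(version: str) -> bool:
    """True if this Keystone version needs the OSSA-2025-002 fix."""
    v = parse_version(version)
    if v < FIXED_FLOOR:
        return True
    return v[:3] in EXACT_AFFECTED


def triage(deployments: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the names of deployments still running an affected version.

    `deployments` is an iterable of (deployment_name, keystone_version).
    """
    return [name for name, ver in deployments if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    inventory = [
        ("region-a", "25.0.0"),   # Caracal-era, affected
        ("region-b", "26.0.1"),   # first fixed 26.x release
        ("region-c", "27.0.0"),   # affected
        ("region-d", "27.0.1"),   # fixed
        ("lab",      "28.0.0"),   # affected
        ("dev",      "29.0.0.dev4"),  # newer than any affected series
    ]
    for name in triage(inventory):
        print(f"{name}: Keystone still affected by OSSA-2025-002, patch required")
```

The check is deliberately conservative about pre-release tags: a `27.0.0.dev` build is reported as affected because it precedes the fixed 27.0.1, and the advisory gives no guarantee about development snapshots.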
Releases & Announcements
A wave of PTG summaries hit the list: Nova, Glance, Ironic, Cinder-adjacent, i18n, the TC, and the Eventlet-removal goal. Eventlet removal crossed a milestone — Hervé Beraud reported 19 deliverables fully migrated and 32 in progress, with Nova's API/metadata/conductor/scheduler now able to run threading-mode and Neutron "one step away." Gazpacho call-to-actions include defaulting oslo.service to the spawn start method (to fix Manila/Cinder fork-lock deadlocks) and merging the opt-in H905 hacking rule. Projects flagged as needing urgent attention: Blazar, Venus, Tacker, Masakari, Zun. Thierry Carrez reminded cycle-trailing Kolla and OpenStack-Ansible teams that final 2025.2 "Flamingo" releases are due, with stable/2025.2 branches cut roughly a month before the December 4 trailing deadline.
Development & Technical Decisions
Keystone's Rust-based v4 is the talk of the cycle. Artem Goncharov's Keystone PTG summary explained that an optional, parallel-deployable extension — written in Rust — is being introduced as a v4 API to deliver features the current v3 architecture can't support cleanly: full self-service federation, passkeys, and hardened security. The Rust choice is justified by memory safety and escaping years of Python ecosystem churn (setuptools, eventlet, passlib). Goncharov was candid that the news has caused "excitement and anxiety," and a long, thoughtful thread followed about maintainer burnout and whether the community's own process walls are driving contributors away. This is a strategic direction worth watching closely; expect continued debate.
Proposing oslo.wsgi. Stephen Finucane proposed a new oslo.wsgi library to consolidate WSGI routing and OpenAPI-validation code that's been copy-pasted across Nova, Manila, Cinder and others — and to provide a clean home for non-eventlet WSGI code currently awkwardly living in oslo.service. Early feedback was positive; Arnaud Morin (as an operator) stressed the value of cross-project consistency.
Ironic restructures its review tiers. Jay Faulkner proposed promoting Afonne-CID and Doug Goldstein (cardoe) from ironic-reviewer to ironic-approver, adding Jakub Jelinek (CERN) as a reviewer, and moving longtime contributor Mark Goddard to emeritus. A companion thread (started the prior week by Sean Mooney and Jay) debated making core teams more "data-driven" and accessible — a recurring community theme. Separately, Thomas Goirand and Iury Gregory revived the idea of folding sushy (the Redfish library) into Ironic to avoid release-cycle friction for fixes.
GPU/PCI scheduling gaps. Pavlo Shchelokovskyy resurfaced a years-old problem: Nova can't schedule NVLink/NVSwitch GPU pairs intelligently. His team is prototyping a placement:same_subtree flavor extra-spec plus predictable PCI resource-group naming and a reshaped provider tree — useful prior art for anyone doing multi-GPU passthrough.
Heads Up / Action Needed
- Tempest gate blocked. Ghanshyam Maan reported the requirements repo dropped Python 3.9 constraints, breaking Tempest's py3.9 unit-test job (and stable-branch plugin jobs). Hold rechecks until the drop-py3.9 and unblock patches merge.
- pip 25.3 breaks legacy editable installs. Stephen Finucane warned that pip 25.3 removed `setup.py develop` support; older stable branches missing the `wsgi_scripts` → `$service.wsgi` migration now fail to deploy (Keystone stable/2024.2 cited). Fixes constrain pip on stable/2025.1 and 2024.2.
- requirements-check no longer normalizes underscores to hyphens — projects must use correct PyPI names (e.g. `microversion-parse`, not `microversion_parse`). Small fix, but it'll fail your gate.
- python-glanceclient freezes in the "I" cycle. Cyril Roelandt announced glanceclient enters maintenance mode; ~20 consuming projects should migrate to the OpenStack SDK/OSC (topic `remove-glanceclient`).
- Contributor/maintainer surveys were open through November 16.
Community & Events
PTG attendance numbers were still being chased by Kendall Nelson. The i18n SIG detailed its Zanata-to-Weblate migration and AI-translation guardrails (human review required before merge). The TC's PTG summary flagged the FIPS goal slipping (no stable FIPS-testable OS in CI) and a need for clearer guidance on AI/LLM-assisted contributions. As usual, several teams (Neutron, Tacker, Horizon, Manila) cancelled post-PTG meetings, and operators kept wrestling with Kolla-Ansible deployment quirks — broken Horizon static files, RabbitMQ queue setup, external-Ceph nova config, and LXB-to-OVN migration planning.