November 22, 2025
Stackers Network Digest — November 22, 2025
The Big Picture
A quieter, more operator-flavored week, bracketed by the re-publication of the Keystone EC2/S3 advisory (now with a MITRE-assigned CVE) and a steady drumbeat of deprecation and cleanup work as teams settle into the Gazpacho cycle. The most interesting development threads were about thinning the codebase: dropping abandoned crypto dependencies as a first step toward post-quantum readiness, removing eventlet from neutron-dynamic-routing, and questioning whether little-used Keystone middlewares should survive. Operators, meanwhile, kept hammering on GPU/PCI passthrough, RabbitMQ packaging changes, and machine-identity gaps. We're at R-18/R-19 toward the 2026.1 "Gazpacho" release.
Security
Keystone EC2/S3 advisory gets its CVE (OSSA-2025-002 / CVE-2025-65073). Jeremy Stanley re-issued the advisory on both openstack-discuss and openstack-announce now that MITRE has assigned CVE-2025-65073 (the original publication went out as CVE-pending). The flaw is unchanged: a valid AWS Signature sent to /v3/ec2tokens or /v3/s3tokens lets an unauthenticated attacker obtain Keystone authorization for the signing user, enabling privilege escalation where those endpoints are publicly reachable. Affected: Keystone <26.0.1, ==27.0.0, ==28.0.0; patches span Caracal through Gazpacho, with companion Swift changes. The errata also add backported fixes for the unmaintained/2024.1 branches. If you haven't patched, do so; the advisory's exposure condition is public reachability of those two endpoints, so check that too. Relatedly, Takashi Kajinami and Arnaud Morin continued sorting out whether the EC2Token/S3Token middlewares in keystonemiddleware are still used anywhere, leaning toward deprecating them since patched Keystone now requires authenticated access to those endpoints, which removes the middlewares' original use case.
Post-quantum prep begins with dependency hygiene. Artem Goncharov took the first concrete steps on the post-quantum-cryptography effort by proposing to drop clearly-unused or abandoned crypto libraries — passlib (abandoned, already removed from Keystone), standalone scrypt, and python-gnupg (no codesearch hits) — from global requirements. He also raised the open question of how to prevent re-introduction of forbidden libraries. Kolla and OpenStack-Ansible still pull in passlib transitively and should drop it.
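One way the "how do we keep forbidden libraries out" question could be answered mechanically, as an added example that is not the requirements team's tooling nor anything proposed in the thread: a small check that parses requirements-style lines (PEP 508 names with extras, version specifiers and environment markers), normalises names per PEP 503 so `PassLib` and `python_gnupg` still match, and flags entries on a denylist. It also scans the installed environment via `importlib.metadata`, which is what catches the transitive pulls the paragraph mentions for Kolla and OpenStack-Ansible. The denylist and the sample requirements file are assumptions constructed for the example.

```python
"""Added example (not the OpenStack requirements team's tooling): flag denylisted
crypto libraries in a requirements-style file and in the installed environment.
The denylist is an assumption built from the thread; the sample file is constructed."""
import re
from importlib import metadata
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed denylist: the three libraries the thread proposed dropping.
FORBIDDEN: Dict[str, str] = {
    "passlib": "abandoned upstream; already removed from Keystone",
    "scrypt": "standalone package; hashlib.scrypt in the stdlib covers the use case",
    "python-gnupg": "no codesearch hits in OpenStack",
}

# Leading distribution name of a PEP 508 requirement line (before extras,
# version specifiers, environment markers or an " @ url" suffix).
_NAME_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name: str) -> str:
    """PEP 503 normalisation so PassLib, passlib and python_gnupg / python-gnupg match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> Optional[str]:
    """Canonical name on a requirements line, or None for blanks, comments,
    pip options (-e, -r, -c, --index-url) and bare URL / VCS references."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    if "://" in line and "@" not in line:
        return None  # e.g. git+https://... with no "name @" prefix
    match = _NAME_RE.match(line)
    return canonical(match.group("name")) if match else None


def find_forbidden(lines: Iterable[str],
                   forbidden: Dict[str, str] = FORBIDDEN) -> List[Tuple[int, str, str]]:
    """Return (lineno, canonical_name, reason) for every denylisted requirement."""
    canon = {canonical(k): v for k, v in forbidden.items()}
    hits = []
    for lineno, line in enumerate(lines, 1):
        name = requirement_name(line)
        if name in canon:
            hits.append((lineno, name, canon[name]))
    return hits


def forbidden_installed(forbidden: Dict[str, str] = FORBIDDEN) -> Dict[str, str]:
    """Catch transitive pulls: denylisted distributions present in the running
    environment, whichever requirements file dragged them in."""
    canon = {canonical(k) for k in forbidden}
    found: Dict[str, str] = {}
    for dist in metadata.distributions():
        meta = dist.metadata
        name = meta["Name"] if meta else None
        if name and canonical(name) in canon:
            found[canonical(name)] = dist.version or "unknown"
    return found


# Constructed sample in global-requirements style; not the real file.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the real global-requirements.txt
pbr!=2.1.0,>=2.0.0  # Apache-2.0
cryptography>=2.7  # BSD/Apache-2.0
PassLib[bcrypt]>=1.7.0 ; python_version>='3.6'  # BSD
scrypt>=0.8.0  # BSD
python_gnupg>=0.4.1  # BSD
-e git+https://opendev.org/openstack/keystone#egg=keystone
bcrypt>=3.1.3  # Apache-2.0
"""


if __name__ == "__main__":
    for lineno, name, reason in find_forbidden(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {lineno}: {name} is forbidden ({reason})")
    for name, version in forbidden_installed().items():
        print(f"installed (directly or transitively): {name} {version}")
```

Run against a real requirements file with `find_forbidden(open(path).read().splitlines())`; the environment scan is the part worth wiring into a deployment project's test job, because a clean requirements file says nothing about what a transitive dependency pulled in.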
Development & Technical Decisions
Eventlet removal hits a stuck spot: neutron-dynamic-routing. Rodolfo Alonso Hernandez explained that Neutron has removed all eventlet dependencies — including helper methods that neutron-dynamic-routing relied on — and the DR agent now fails, possibly due to an os-ken implementation issue. With limited team bandwidth, this is an explicit request for users/developers of that project to step up and finish the migration.
Nova feature appetite. Karol Klimaszewski (CloudFerro) asked about upstreaming two ephemeral-storage features: an SPDK-based ephemeral backend (images_type = spdk_lvol, exposing local NVMe as vhost-blk for much better I/O, with create/delete/cold-migrate/shelve/snapshot working and live migration planned) and multiple ephemeral backend handling via a new supported_image_types option — proposing to upstream them as separate blueprints/specs. Separately, Nathan Harper revived the perennial question of why Nova forbids arbitrary qemu args, asking for at least an unsupported "YMMV" escape hatch instead of carrying a local patch; and the machine-identities thread (Nova/Keystone equivalents to AWS IAM roles or Azure managed identities) continued, with Sean Mooney noting there's no upstream-supported pattern today.
QA core changes. Ghanshyam Mann proposed adding gibi to devstack-core and stephenfin and sean-k-mooney to hacking-core (with himself and frickler made explicit members); feedback was requested by November 21.
Heads Up / Action Needed
- RabbitMQ repo migration is biting people. Rob Jefferson hit "402 Payment Required" pulling RabbitMQ packages for Kolla 2023.1, and George (lmihaiescu) reported the OpenStack-Ansible signed_by override being superseded by role defaults. The fix is the move from ppa1.rabbitmq.com to deb1.rabbitmq.com with updated GPG keys, but as the threads show, the override paths are fiddly. Plan for it before your next build.
- Final 2025.2 trailing releases due. The TC summary reminded packaging/deployment/lifecycle projects that the trailing deadline (Nov 27 cutoff for shipping) was imminent; add any project-specific deadlines to the release calendar, as Nova and Manila have.
- Magnum docs to be rewritten, Heat driver going away. Dale Smith's PTG summary confirmed the Heat-based Magnum driver is deprecated/slated for removal, CAPI is the path forward (rebuild clusters once CAPI is running), and the team will remove and rewrite the outdated docs.
Community & Events
The TC pressed on with bringing SIGs under the governance repo and concluding the Monasca retirement; a "Making updates to SIGs" thread spun off from the weekly summary. Several teams cancelled meetings into the holiday stretch — Neutron drivers (Nov 28), Manila (Nov 27), Kolla (Nov 26), Tacker — and Ironic pre-announced cancelling Dec 22 and 29, making Dec 15 its last 2025 meeting. The Ops Radio Hour recap from Ildikó Vancsa surfaced a recurring operator sentiment: OpenStack may be overextending RabbitMQ, with interest in pluggable oslo.messaging backends, though no clear alternative emerged; live-migration experiences and a survey of oldest running releases (Mitaka, Stein, Train) also came up. The next Ops Radio Hour is December 19 at 1300 UTC. Cinder ran its (now larger-scope) Festival of Reviews, and Barbican newcomer kaoru watanabe made a first-patch review request for a SoftHSMv2 key-rewrap fix.