The Big Picture

This was a pivotal week on the release calendar: Gazpacho reached R-5, and on Thursday the project observed feature freeze across all cycle-with-rc deliverables, putting teams into release-candidate mode. The combined 2026.2 elections also turned a corner — nominations closed, TC election results landed, and PTL voting opened. Threading through both was the now-familiar story of CI fragility: a cascade of dependency conflicts (urllib vs. Selenium, packaging 26.0, tox 4.46.0) kept gates wobbling at exactly the moment teams could least afford it.

Releases & Announcements

2026.2 "Hibiscus" TC election results. Ian Y. Choi announced the five newly elected Technical Committee members: Amy Marrich (spotz), Dan Smith (dansmith), Goutham Pacha Ravi (gouthamr), Michal Nasiadka (mnasiadka), and Dmitriy Rabotyagov (noonedeadpunk). With exactly five candidates for five seats, the TC seats were effectively decided.

PTL voting opened for the contested teams — Barbican and Horizon — running until March 18, 23:45 UTC. Eligible voters (a commit in a team's deliverables over the 2025.2–2026.1 window) must have opted in to CIVS email to receive a ballot. All other PTLs were decided by acclaim or remain in the leadership-reset process.

Release reminders are sharpening. Előd Illés flagged cycle-with-intermediary deliverables that hadn't yet cut any 2026.1 release — horizon, and Ironic's bifrost, ironic-ui, networking-baremetal, and networking-generic-switch — and asked for releases ASAP, in all cases before March 12 so they can be folded into the final Gazpacho release.

Security

OSSA-2026-002 (CVE-2026-24708) — Nova, errata 1 was re-posted to both openstack-discuss and openstack-announce. The substance is unchanged from prior weeks: a malicious QCOW header plus a resize can drive Nova's Flat image backend to call qemu-img without a format restriction, risking host data destruction. Only Flat-backend computes (use_cow_images=False) are affected (Nova <30.2.2, >=31.0.0 <31.2.1, >=32.0.0 <32.1.1). The errata reaffirms CVE-2026-24708 as the correct identifier. Patches cover dalmatian, epoxy, flamingo, and gazpacho.

Development & Technical Decisions

Dependency conflicts vs. a frozen gate. The week's CI pain came in three flavors, all landing during a sensitive pre-RC window. Radomir Dopieralski reported that an urllib upgrade in global requirements broke Selenium, failing all of Horizon's integration tests; the team's stopgap was a local constraints file with urllib downgraded for the Selenium jobs while they hunt a durable fix. Brian Haley chased a No module named 'packaging.pylock' failure in neutron-functional, baffled that packaging 26.0 was being pulled in despite upper-constraints pinning 25.0. And Takashi Kajinami flagged that tox 4.46.0 (requiring virtualenv 20.39.0) conflicts with the 20.38.0 pin in upper-constraints, breaking client functional jobs (cinderclient, heatclient) with 'PythonSpec' object has no attribute 'machine' — advising the list to avoid rechecks while the virtualenv bump is debated.

Neutron debates pinning OVN in the functional gate. Jakub Libosvar reopened a policy question: the functional job tracks a moving OVN LTS branch (currently 24.03, nearly two years old), which both risks breakage from bad backports and blocks features needing newer OVN — his BGP work, for instance, required skipping many tests for lack of OVN BGP support. He proposed pinning a specific OVN hash for the master-branch functional job, updated when a new OVN releases or when bleeding-edge OVN is needed. A request to do this was previously denied to preserve the LTS-based policy; he's making the case to change it. Still an open debate.

Operational and behavioral questions. Thamanna Farhath asked how to stop guest I/O errors when Ceph OSD nodes go down on a 2023.1 + Ceph deployment — VMs keep writing while Ceph is unavailable, risking filesystem corruption. Bence Romsics raised a multicast/allowed-address-pairs inconsistency between ml2/ovs (which passes multicast by default) and the deprecated OpenDaylight backend, proposing Neutron reject allowed address pairs with multicast IPs/MACs to avoid the surprising breakage. Vincent Godin reported a Keystone app-credential reactivation delay after TTL expiry for non-local users. And Mathieu Gagné proposed removing TungstenFabric support from openstack-helm given the upstream project's closure and years-old container images (no objections sought a response).

Heads Up / Action Needed

• Feature freeze (cycle-with-rc) hit Thursday — first release candidates follow in a couple of weeks. Feature-freeze-exception requests began arriving, including Manila's NetApp Aggregate Encryption (NAE) driver feature.
• Release cycle-with-intermediary deliverables (horizon, several Ironic repos) must release before March 12.
• PTL voting (Barbican, Horizon) is open until March 18, 23:45 UTC — confirm your CIVS opt-in.
• PTG team sign-up closes March 1, 7:00 UTC.

Community & Events

The Digital Sovereignty WG posted its Feb 19 recording and next steps: stance text for the landing page (targeted around March 20), case studies, a comparison sheet, and a best-practices doc — all needing volunteers and feedback. The Ops Radio Hour survey results were shared ahead of the Feb 27 session (HA architectures, backups, automation), with strong support for alternating time slots and a bi-weekly/monthly cadence. The Public Cloud SIG met, Cinder ran its Festival of Reviews, and Manila scheduled a Gazpacho bug squash for March 2–5.