March 21, 2026
Stackers Network Digest — March 21, 2026
The Big Picture
Two things define this week: the 2026.2 "Hibiscus" PTL election concluded with a full slate of leaders confirmed, and a new Glance security advisory landed. With the 2026.1 "Gazpacho" release now just over a week out (April 1), the community is simultaneously wrapping the current cycle and staffing up for the next, while the PTG (April 20–24) looms as the venue where several big technical threads — post-quantum cryptography, confidential computing, and project-leadership questions — will be hashed out.
Releases & Announcements
The PTL election for the 2026.2 "Hibiscus" cycle is done, and Ian Y. Choi published the results. The confirmed PTLs span the project landscape, including Mauricio Harley (Barbican, re-elected), Jon Bernard (Cinder), Sean Mooney (Cyborg), Cyril Roelandt (Glance), Tatiana Ovchinnikova (Horizon), Artem Goncharov (Keystone and OpenStackSDK), Michal Nasiadka (Kolla and Magnum), Carlos Silva (Manila), Brian Haley (Neutron), René Ribaud (Nova), Gregory Thiemonge (Octavia), Dmitriy Rabotyagov (OpenStackAnsible), Ghanshyam Maan (QA), Tim Burke (Swift), and Douglas Viroel (Watcher), among many others. The only seats that went to a contested vote were Barbican and Horizon.
The release countdown reached week R-1 (Thierry Carrez), the last development push before Gazpacho ships April 1. The TC's R-2 summary noted the release team is tagging the final cycle-with-rc release candidates with a few stragglers remaining. Ironic also published its PTG schedule: Monday–Friday, April 20–24, 13:00–17:00 UTC in the Mitaka room.
Security
OSSA-2026-004 (Glance), CVE pending. Brian Rosmaita announced multiple Server-Side Request Forgery (SSRF) vulnerabilities in Glance image import, reported by Hyeongeun Ji (Open the Window) and Abhishek Kekane (Red Hat). By using HTTP redirects, an authenticated user can bypass URL validation and reach internal services. The affected paths are the web-download and glance-download import methods, plus the optional (non-default) ovf_process import plugin. Affected versions: Glance <29.1.1, >=30.0.0 <30.1.1, and ==31.0.0. Operators running Glance with image import enabled should plan to patch; the CVE number is still pending assignment.
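The defensive pattern the redirect bypass calls for is to validate every hop, not only the URL the user submitted. The sketch below is an added example, not Glance code and not the fix shipped for the advisory; `check_url`, `follow_validated`, the injected `fetch`/`resolve` callables and all hostnames and addresses are hypothetical, constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

class BlockedURL(Exception):
    """Raised when any hop in a redirect chain fails validation."""

def check_url(url, resolve):
    """Accept only http(s) URLs whose host resolves solely to public IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"bad scheme or host: {url}")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise BlockedURL(f"host does not resolve: {parts.hostname}")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedURL(f"{url} resolves to non-public address {addr}")

def follow_validated(url, fetch, resolve, max_hops=5):
    """Follow redirects by hand, validating each hop before requesting it.

    fetch(url) returns (status, location) and must not follow redirects
    itself. Returns the final, non-redirecting URL.
    """
    for _ in range(max_hops + 1):
        check_url(url, resolve)          # re-check on every hop
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url
        url = urljoin(url, location)     # Location may be relative
    raise BlockedURL("too many redirects")

# Constructed sample data: a fake DNS table and redirect map (no network).
DNS = {
    "images.example.org": ["93.184.216.34"],
    "mirror.example.org": ["93.184.216.35"],
    "internal.example": ["10.0.0.5"],
}
REDIRECTS = {
    "https://images.example.org/a.qcow2": (302, "https://mirror.example.org/a.qcow2"),
    "https://images.example.org/b.qcow2": (302, "http://internal.example/status"),
}

def fake_resolve(host):
    return DNS.get(host, [])

def fake_fetch(url):
    return REDIRECTS.get(url, (200, None))
```

A production client must also connect to the exact address it validated; resolving the hostname a second time at connect time reopens the gap.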
Development & Technical Decisions
Post-quantum cryptography moved from idea to concrete plan. Mauricio Harley — freshly re-elected Barbican PTL — laid out a staged proposal to drive PQC adoption across OpenStack, building on JP Jung's earlier inventory and grounded in NIST FIPS 203/204/205, CNSA 2.0, and IETF hybrid-TLS drafts. The four steps: (1) a structured per-project inventory of in-transit channels, at-rest data, signing/identity, and library dependencies; (2) a governance Pop-up Team modeled on eventlet-removal to coordinate the work; (3) a Barbican reference implementation adding ML-DSA and ML-KEM as key types alongside RSA/ECDSA, conditional on pyca/cryptography exposing them; and (4) a Community Goal once the inventory and proof-of-concept exist, with completion criteria tied to observable code and CI changes rather than docs. This is one to watch heading into the PTG.
Confidential computing is gaining momentum in Nova. René Ribaud (incoming Nova PTL) revived the Intel TDX / AMD SEV-SNP thread, noting strong employer interest and asking the contributors driving each technology about their bandwidth for the Hibiscus cycle. He wants both topics — ideally with draft specs — on the PTG agenda.
Two project-leadership questions are live. Masakari's team (Sei Sano) reported that Masahito — an experienced ex-PTL — has offered to step in as short-term PTL and mentor, and is asking the TC to choose between keeping the PTL model (Option A) or transitioning to a Distributed Project Leadership (DPL) model (Option B). Separately, Skyline's Wu Wenxiang responded to the TC's onboarding push, restating an open invitation for new core maintainers (3 quality patches plus ~0.5 day/week) and asking the TC to help surface candidates. The TC's own weekly summary noted governance patches are up to appoint PTLs for Adjutant, Mistral, Skyline, Requirements, and Oslo once election results land, and that Venus is heading into retirement (volunteer: Dmitriy Rabotyagov).
A few operator-facing technical threads ran through the week: the docs.openstack.org site was reported extremely slow (Eugen Block), a known TACT-SIG/infra concern; releases.openstack.org went down on March 15–16, breaking CI jobs that fetch upper-constraints — Yatin Karel asked people to hold rechecks until infra restored it; and Eugen Block shared a database-level approach for migrating a Cinder volume off a decommissioned controller node (updating the host column for RBD-backed volumes), with the usual caveats about backing up the DB first.
Heads Up / Action Needed
- RPM packaging needs volunteers. Francesco Di Nucci issued a cross-community call: with RDO discontinuing RPM builds, there will be no RPM packages for OpenStack versions after 2025.1/Epoxy unless new maintainers step up. Interested parties can add their names to the etherpad (etherpad.opendev.org/p/rdo-volunteers) and join the RDO devs list; no prior packaging experience required.
- Glance SSRF (OSSA-2026-004) — see Security above; patch image-import deployments.
- Cinder backup regression: Eugen Block flagged a `BackupManager.restore_backup() missing 1 required positional argument: 'volume_is_new'` failure on Epoxy/Ubuntu 24.04 when restoring a Ceph-backed backup, seeking clarity on whether the underlying bug is actually fixed.
- Neutron bug deputy (Bence Romsics, week of March 9) flagged a critical `ovn-db-sync-util` crash (`ValueError: driver cannot be None`, fix merged) plus several FWaaS logging-driver fixes.
Community & Events
The TC elected its leadership for 2026.2: Goutham Pacha Ravi continues as Chair and Michal Nasiadka as Vice-Chair, with refreshed liaisons (Sylvain Bauza and Goutham on VMT, Amy Marrich on elections). Daylight-saving changes are prompting a poll to re-plan TC meeting times around the PTG, with the APAC-friendly slot paused temporarily. The Digital Sovereignty WG shared its March 17 meeting recording and will break into subgroups (case studies, best practices, thought leadership) ahead of a larger PTG-week session. Core/onboarding activity continued: Bertrand Lanson was added to kolla-reviewers, and Ghanshyam Maan's addition to oslo-core advanced. An Outreachy applicant (Kelvin Asante) introduced himself to the Ironic team.