On 30/10/2025 19:43, Goutham Pacha Ravi wrote:
Hello Stackers,
I am writing to seek clarity regarding recent activity on the PyPI project for os-net-config [1]. As you can tell, "OpenStack" is still listed as the author/maintainer of this package. "os-net-config" was retired early last year along with the rest of the TripleO project within OpenStack's governance [2].
It appears that development has continued outside of OpenStack with the project being forked [3]. There have been releases that were uploaded to PyPI since. A human maintainer was added to PyPI this week.
There may be some rationale to continue to maintain this code. Since the project was officially retired from OpenStack, we need to ensure that any renewed activity is properly communicated;
This is concerning to me for a number of reasons. For one, Red Hat's new installer continues to use os-net-config: https://github.com/openstack-k8s-operators/edpm-ansible/tree/main/roles/edpm... https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm... https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm... so if this was taken over by a disconnected party, I think this would qualify as a supply chain attack.
Looking at https://github.com/os-net-config and https://github.com/os-net-config/os-net-config/commits/master/, all the contributions seem to have come from Red Hatters that work on the new oko (openstack-k8s-operators) installer, so it seems like instead of contributing the changes required to the upstream repo, a fork was created, but not in the oko org, which is not following the pattern of the other components that were extracted from TripleO.
I was under the impression, obviously mistakenly, that we didn't fork it to https://github.com/openstack-k8s-operators because it was not intended to be retired from upstream and development would continue in the opendev repo. There were discussions about it moving under the puppet project or neutron at one point, but perhaps that was decided against and it was retired as a result?
I agree with the concern that you raised that if it's not developed on opendev as an official OpenStack deliverable, it should not claim "OpenStack" is the Author/Maintainer of the project.
Again, I was not involved in the TripleO retirement, so maybe there was a discussion about forking vs continuing to maintain in opendev, but it's very strange to me that it was not adopted into the https://github.com/openstack-k8s-operators organization. That is what we did for the other parts of TripleO like tcib that were extracted from the TripleO-maintained repos, in this case from tripleo-common. James, perhaps you recall the discussion and decisions that were made here?
Dan, Karthik (https://github.com/orgs/os-net-config/people), ye are the only members of the new os-net-config <https://github.com/os-net-config> org. Can you shed any light on the retirement and why this was not moved to https://github.com/openstack-k8s-operators if it was going to be externally maintained?
Fixing the authorship should be relatively simple, by updating the author and author_email here https://github.com/os-net-config/os-net-config/blob/master/setup.cfg#L6-L7 then doing a new release, but there probably also needs to be a discussion about what to do with any releases that were made after 2024-01-09.
Deleting releases on PyPI breaks people and generally should be avoided, but I don't know if there is a way to fix the authorship of releases made after the retirement up to now.
From a PyPI perspective (https://pypi.org/project/os-net-config/#history) that is only 18.0.1.dev, which is marked as pre-release, so I think we need to ideally make sure that is not actually released until the author info is updated, along with the other issues that Goutham mentions below regarding the badges/website links etc.
I'm also not sure what to do about https://github.com/os-net-config/os-net-config/releases but that is, I guess, less problematic. It's more clear that that is a fork or resurrection of the project given it's hosted in a different location.
and the author/maintainers are properly attributed. For one, "OpenStack" can't be the Author/Maintainer of a project that's not officially under OpenStack Governance. There are references to the OpenStack Documentation Website, TC Badges and IRC/bug tracker links that may now be obsolete and must be removed. This could be confusing to past, current and future users of the project, not to mention the security implications and responsibility attribution on code that's used in systems worldwide.
Can the current maintainers please engage with us to make the necessary changes? You can do so here, or chat on #openstack-tc on OFTC.
Thanks, Goutham Pacha Ravi
[1] https://pypi.org/project/os-net-config [2] https://review.opendev.org/c/openstack/governance/+/905145 [3] https://github.com/os-net-config/os-net-config