Just a heads up that I approved all of these posts through moderation in the interest of transparency (the authors were not subscribers to the list and so their posts were automatically held).
I personally inspected each every report before approving, and have confirmed that every recorded instance is either of test vectors or examples in code comments, and in the case of the cinder and manila repos some drivers have fallback or placeholder credential values for communicating with certain devices/protocols.
None of these appears to represent any exploitable risk, but if contributors want to take this as an opportunity to add further code comments stating this, I suppose it might help avoid similar confusion in the future.
If this sort of reporting continues, list moderators may begin to reject further posts on the grounds that it's noise and not contributing useful information to our community.