Thanks to those who have already taken action! Fifty extra maintainers have already been removed, with around three hundred to go.

Please reach out to me if you're having trouble finding current email addresses for anyone, or having trouble with the process at all.

Thanks,

Jay Faulkner

TC Vice-Chair

On Thu, Mar 16, 2023 at 3:22 PM Jay Faulkner <jay@gr-oss.io> wrote:

Hi PTLs,

The TC recently voted[1] to require humans be removed from PyPI access for OpenStack-managed projects. This helps ensure all releases are created via releases team tooling and makes it less likely for a user account compromise to impact OpenStack packages.

Many projects have already updated https://etherpad.opendev.org/p/openstack-pypi-maintainers-cleanup#L33 with a list of packages that contain extra maintainers. We'd like to request that PTLs, or their designate, reach out to any extra maintainers listed for projects you are responsible for and request they remove their access in accordance with policy. An example email, and detailed steps to follow have been provided at https://etherpad.opendev.org/p/openstack-pypi-maintainers-cleanup-email-template.

Thank you for your cooperation as we work to improve our security posture and harden against supply chain attacks.

Thank you,
Jay Faulkner
TC Vice-Chair

1: https://opendev.org/openstack/governance/commit/979e339f899ef62d2a6871a99c99537744c5808d