On 2025-11-06 16:26:42 +0100 (+0100), Artem Goncharov wrote:
[...]
> A nice coincidence is a freshly sent announcement from Debian that introduces a strong rust dependency in the packaging tooling, stating something similar to: either you work to comply with this requirement in the next 6 months or sunset the port [5].
[...]
> [5] https://lists.debian.org/debian-devel/2025/10/msg00285.html
[...]
I commend your bravery in linking to a discussion where developers are en masse condemning a unilateral decision by a single unchecked software maintainer to impose a Rust toolchain dependency on the entire community's collective work. I've been following it closely as a member of the Debian community since that thread started, and am not myself sure where it's going to end up.

I'm personally wary of the choice to rewrite a key (no pun intended) component of OpenStack in a different programming language. We saw what happened with Swift Hummingbird in recent years. It's also true that Keystone was already rewritten once: the original implementation was in Java, but it was redone in Python in order to maintain consistency with other OpenStack services. Horizon and Skyline struggle to get contributors, to some extent because the bulk of OpenStack is in Python and to help in those projects you need a deep familiarity with other programming languages. Granted, Keystone is struggling to find maintainers as it is even though it's in the same language as the majority of OpenStack, but I worry this new decision will make the situation worse rather than better.

You mention security as a selling point, but how many of the past vulnerabilities affecting Keystone have been because of the choice to write it in Python? (BTW, Python *is* a memory-safe language; it's not a type-safe language, but that's a different matter altogether.)

Keep in mind that our vulnerability management processes have been built over the past 15 years based on projects that produce source-only deliverables. What is your plan for the keystone-ng deliverables? Will they be pure Rust source, or compiled binary releases? Will you vendor/embed dependencies or incorporate them dynamically? What additional security responsibility is the OpenStack community assuming if it agrees to take on this project?

-- 
Jeremy Stanley