Hey,
I took a stab at the first actions, which I added to the wiki page [1], by dropping the dependencies which are clearly not used or not necessary today. For that I proposed removing passlib [2], scrypt [3], and python-gnupg [4] from requirements completely. I do not know whether we have a proper mechanism for forbidding certain libs from being used, to protect us from somebody accidentally starting to use them again (denylist is in the requirements, but I am not sure it was created for such a purpose).
## Passlib
It is abandoned. It was used in Keystone, but we got rid of it a few releases ago. Now there are few projects that install passlib (Kolla, OpenStack-Ansible, etc.) but do not need it themselves. Those should drop it as well, but maintainers should be aware by now already.
## scrypt
Keystone was the only project using it. In the context of the passlib replacement, the corresponding functionality was used from the cryptography library. Standalone use of scrypt should not be necessary.
## python-gnupg
Codesearch does not show any project using that.
Regards,
Artem
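
On the open question in the message above about keeping removed libraries from coming back: the following is an added example, not part of the original message and not the OpenStack requirements tooling, of a CI-style check that flags the three packages in a requirements file. The function names, the sample file and its version numbers are assumptions constructed for illustration.

```python
import re

# Packages the message above proposes removing from requirements.
FORBIDDEN = {"passlib", "scrypt", "python-gnupg"}


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Leading project name of a requirement line, before extras, specifiers or markers.
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def find_forbidden(requirements_text, forbidden=FORBIDDEN):
    """Return (line_number, normalized_name) for each forbidden requirement."""
    banned = {normalize(n) for n in forbidden}
    hits = []
    for lineno, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line or line.startswith("-"):   # skip blanks and pip options (-r, -c, -e)
            continue
        match = _NAME.match(line)
        if match and normalize(match.group(1)) in banned:
            hits.append((lineno, normalize(match.group(1))))
    return hits


# Constructed sample input, not taken from any real project.
# "scrypt-wrapper" is a hypothetical name used to show that prefixes do not match.
SAMPLE = """\
# constructed requirements file
cryptography>=41.0.0
Passlib[bcrypt]>=1.7.0  # old password hashing
python_gnupg==0.5.0 ; python_version >= "3.8"
scrypt-wrapper>=1.0
oslo.config>=9.0.0
-r other-requirements.txt
"""

if __name__ == "__main__":
    for lineno, name in find_forbidden(SAMPLE):
        print(f"line {lineno}: forbidden dependency {name}")
```

The check only looks at direct entries in one file; a forbidden package pulled in transitively or through an included `-r` file needs the resolved dependency set instead.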