On 16/3/2024 3:52 pm, Ghanshyam Mann wrote:
Hello Everyone,
It has been a long time since I followed up on this. You might remember the effort to clean up the additional external maintainers from OpenStack PyPI packages.
Thanks for doing this work. Oftentimes security is thankless nagging, but it is still important. :)
Below is the latest project list where one or more repos need maintainers' cleanup. I would appreciate it if you could give another try to cleaning these up. <snip> - magnum <snip>
From the etherpad:

https://pypi.org/project/magnum/
State on 2024-03-18: Only openstackci

https://pypi.org/project/magnum-ui/
State on 2024-03-18: bradjones and openstackci -> Please remove bradjones

https://pypi.org/project/python-magnumclient/
State on 2024-03-18: aotto and openstackci -> Please remove aotto

https://pypi.org/project/openstack-magnum/
State on 2024-03-18: aotto and openstackci -> Please remove aotto
We've previously managed to contact aotto who is fine with us removing. bradjones hasn't been active for a while, so they can be removed too. If TC can help to remove them that would be great.
(In addition to that, there's an openstack-magnum PyPI package with openstackci as maintainer, not updated since 2016; maybe we should clean it up?)
Yes, this is an old, unmaintained clone which should be removed too, given the types of attacks via PyPI nowadays.

Once again, thanks!

Regards,
Jake (Magnum PTL)