[ptls] PyPI maintainer cleanup - Action needed: Contact extra maintainers
Hi PTLs,

The TC recently voted[1] to require humans be removed from PyPI access for OpenStack-managed projects. This helps ensure all releases are created via releases team tooling and makes it less likely for a user account compromise to impact OpenStack packages.

Many projects have already updated https://etherpad.opendev.org/p/openstack-pypi-maintainers-cleanup#L33 with a list of packages that contain extra maintainers. We'd like to request that PTLs, or their designate, reach out to any extra maintainers listed for projects you are responsible for and request they remove their access in accordance with policy. An example email, and detailed steps to follow, have been provided at https://etherpad.opendev.org/p/openstack-pypi-maintainers-cleanup-email-temp... .

Thank you for your cooperation as we work to improve our security posture and harden against supply chain attacks.

Thank you,
Jay Faulkner
TC Vice-Chair

1: https://opendev.org/openstack/governance/commit/979e339f899ef62d2a6871a99c99...
Thanks to those who have already taken action! Fifty extra maintainers have already been removed, with around three hundred to go.

Please reach out to me if you're having trouble finding current email addresses for anyone, or having trouble with the process at all.

Thanks,
Jay Faulkner
TC Vice-Chair

On Thu, Mar 16, 2023 at 3:22 PM Jay Faulkner <jay@gr-oss.io> wrote:
Hey all,

Wanted to remind you all: vPTG is a great time to address this issue! Even if the PyPI maintainers you would need to contact are emeritus contributors, you may have someone still on the project team who has contact with them. I strongly recommend you utilize this time to help clean your projects up.

Thanks,
Jay Faulkner
TC Vice-Chair

On Tue, Mar 21, 2023 at 9:03 AM Jay Faulkner <jay@gr-oss.io> wrote:
Hi Jay,

We have some maintainers that have not been active in the Cinder project for quite some time. I'm sure they will agree with the idea we have, but it's not easy to reach them for the changes to be made (tried to reach out but received no response). I wanted to know if this problem is being faced by other projects also, and do we have a solution for such scenarios?

Thanks
Rajat Dhasmana

On Wed, Mar 22, 2023 at 9:55 PM Jay Faulkner <jay@gr-oss.io> wrote:
Hey Rajat,

Thanks for talking to your contributors, and trying to find contacts for older contributors. I do think we'll have a few projects in this state, and the TC will likely take action to advance those. We wanted to clean up as much as possible through cooperative action first.

Thanks,
Jay Faulkner
TC Vice-Chair

On Mon, Apr 3, 2023 at 7:44 AM Rajat Dhasmana <rdhasman@redhat.com> wrote:
Thanks Rajat,

Yes, we have many such cases. Please add those repos/additional maintainers in the etherpad and the TC will take the next action. Also, do not forget to update the status of the already cleaned-up repos.

-gmann

---- On Mon, 03 Apr 2023 08:14:49 -0700 Jay Faulkner wrote ---
Hi,

Thank you for your replies. The status of the Cinder repos is updated on the etherpad at L#71 [1]. Out of 7 repos, 2 have maintainers that have not been very active recently; the other repos either don't require changes or the needed changes are done.

1) os-brick: Mike Perez (thingee)
2) python-brick-cinderclient-ext: Ivan Kolodyazhny (e0ne)

[1] https://etherpad.opendev.org/p/openstack-pypi-maintainers-cleanup#L71

Thanks
Rajat Dhasmana

On Mon, Apr 3, 2023 at 10:44 PM Ghanshyam Mann <gmann@ghanshyammann.com> wrote:
participants (3)
- Ghanshyam Mann
- Jay Faulkner
- Rajat Dhasmana