As it stands now, this report is still scheduled to switch from Private Security to Public Security tomorrow with the expiration of its embargo. Do we have a reason to extend the embargo and keep it private for longer? This seems to be the current status:
1. There is a solution proposed where, once two patches are applied (comment #6 and comment #15), the operator can configure a safe operating mode for use with virtual server instances.
2. There is no identified solution for using this driver with bare metal instances, nor does one seem to be possible due to the design of the storage platform itself, so the guidance to operators is to not combine them (comment #20).
3. Tests of the proposed patch have been performed in a suitable lab environment, but sufficient evidence has not been provided for reviewers to confirm it's working to their satisfaction (comment #21).
4. Backports of the proposed patch to stable branches have not been provided yet, but it's expected to be trivial to cherry-pick and the implementation is presumed to meet OpenStack's stable branch policy (comment #13).
5. There was a suggestion that users of the driver should be provided an advance copy of the patches and configuration guidance so they will have time to secure their environments before the bug becomes public (comment #9).
If we were to extend the embargo on this report by a week, say to June 3, would that be enough time to address these points? Or will switching to public tomorrow (so patches can be pushed to Gerrit for broader review, more readable third-party test results can be generated and linked, et cetera) be preferable?