Okay, so to clarify, the current suggestion is to write a patch which disables the problem API method(s) with backports to all supported stable branches and attach them to this bug, decide on a disclosure date, privately notify downstream stakeholders with a copy of the patches and our timeline, then on the determined day switch this and perhaps related report(s) to public, push the changes to Gerrit and publish an advisory linking to them.
Thereafter, work will happen in public to recreate the intended functionality in a safer way.
Does that sum it up?