While the report from Talos may be missing significant historical context, it does reflect misconceptions users may broadly hold about OpenStack's security model and what degree of privilege separation is actually implemented for the back-end services/control plane. I don't think we can justify keeping a report secret simply because we fear what users might think if they found out that the design is different from what they may have imagined, but also it's our policy to prefer transparency and disclose these reports as quickly as possible in cases where we know they're not going to be resolved with backports to existing releases of the software.