Comment 12 for bug 1372635

Jeremy Stanley (fungi) wrote :

Well, we've already said it, quite some time ago. The options are to stop shipping OpenStack or to convince developers to help fix it. Whether or not we issue security advisories is orthogonal, but it boils down to being a fairly obvious issue which needs addressing in many, many, many places. If we were to decide to issue advisories for all of them, 1. I seriously doubt it would improve the current situation at all, and 2. we'd be up to our eyeballs in repetitive advisories. Declaring this a vulnerability doesn't magically make developers decide to fix it. In fact, keeping it under a secret embargo instead of making it a public bug means there are far fewer opportunities for developers to see and fix this.