Comment 30 for bug 1823200

Jeremy Stanley (fungi) wrote :

Summer: To be handled as an advisory, the patches provided would need to completely fix the flaw, not merely allow an operator to configure the environment so that the flaw was no longer present. Basically we'd need agreement of the driver and Cinder/Brick maintainers as well as the OpenStack stable branch reviewers that such a default behavior change is appropriate to backport to all supported stable branches. In this case, I think it basically means a violation of OpenStack's typical stable branch policies because there would be new configuration settings required for the deployment, effectively breaking the storage backend until they were set. If the vulnerability is so severe that stable deployments are better off taken down until they can be reconfigured, then we should discuss this option further (I just wish people were interested enough in securing this nearly a year ago when the vulnerability was reported rather than waiting until the VMT was ready to make it public so that concerned users could at least stop using this long-vulnerable driver).