Comment 3 for bug 1990432

I took the assumption as a given, that the assumed trust boundary for kolla is, that it is expected to be secure to install untrusted tarballs.

if the security boundary for kolla is: don't trust tarballs, always check them or build them yourself, then this whole patch is moot or at best a simple hardening.

at the very least it would be good to document what the expected trust boundary is for the end user.

if we expect users to check tarballs or only use tarballs from trusted source we need to tell them that.