Comment 3 for bug 1700501

Jeremy Stanley (fungi) wrote :

At a minimum, I think we can continue this in public because it's a known issue. The rootwrap base implementation was an okay idea in theory, but in practice many projects shipped terrible default configurations which bypassed any actual security afforded by the framework. As a result, rootwrap is itself on the path to deprecation with https://docs.openstack.org/developer/oslo.privsep/ as its eventual successor.

I agree this is probably a B2 class report (or maybe B1 if rootwrap replacement with oslo.privsep happens quickly).