On reporting CPU flags that provide mitiation (to CVE flaws) as Nova 'traits'
On May 15, 2019, at 4:50 PM, Eric Fried <openstack at fried.cc> wrote:
>>>> There's no consensus here. Some think that we should _not_ allow those
>>>> CPU flags as traits which can 'allow' you to target vulnerable hosts.
>>> for what its worth im in this camp and have said so in other places
>>> where we have been disucssing it.
>> Yep, noted.
> My position is that it's not harmful to add them to os-traits; it's
> whether/how they're used in nova that needs some thought.
They may not be "harmful", but they set a very bad precedent. I don't want to see os-traits become "Oh, just dump the trait in there, and maybe someday someone will use it".
-- Ed Leafe