I think the problem is broader than this. As self-hosted -ee paid users, we manage the login security separately from what is being designed in the omnibus -ee upgrade packages. So in addition to this issue, we were hit by another one this morning.
Specifically, the latest omnibus update required a confirmation email to be sent. The problem is that the link in the email was not a simple code; it was a URL with a long unique string.
In our situation, our email channel is separate from our GitLab login instance. For example, imagine that email is on VPN A, while GitLab access is on VPN B.
When GitLab pushes out updates to self-hosted Omnibus EE users, we need the ability to preview these types of security features to verify they will not break access in our environment.