Hi Kai,

> Wordpress does publish md5sums:
> http://wordpress.org/download/release-archive/
>
> Btw 2.1.x is an unstable branch. The Wordpress stable branch 2.0.x is
> for etch, hopefully. So I like to think 2.0.x of being on topic, not so
> much 2.1.x.

Thanks for the clarification. I've been doing quite some security updates for packages like wordpress that have many security issues and where upstream was not quite cooperative. I'm therefore interested in getting the right decision made on wordpress support, not per se any particular one, but one based on as many facts as possible. When these facts turn out to have a good explanation, all the better of course.

| This is the unstable branch

You have uploaded 2.1.x to Debian, so you expect this unstable branch to become stable before lenny is released?

| MD5 sums are published

Good. Those weren't referenced though from the security announcement. It would have taken some searching to find them. Also I still can't find an example of the exploit code that was inserted. Apparently more information is available but needs to be researched. I'd advise upstream to just say clearly in their announcement how to diagnose the problem.

I'm not entirely convinced about the handling of this by upstream, but given the combination of a development version and that the information is at least somewhere to be found, I think this is acceptable after some explanation.

I'm not too happy though with your reference to "FUD" which in my view implies malicious intent on my side. I hope that was not intended that way.

thanks,
Thijs