
Re: Bug#672695: wordpress: no sane way for security updates in stable releases



On 14/05/12 12:03, Martin Bagge / brother wrote:
> On 2012-05-13 14:54, Yves-Alexis Perez wrote:
> > Wordpress upstream doesn't seem to be able to support a stable branch
> > long enough for us (and I don't blame them for that, we do know how
> > painful it is).
> This pretty much sounds like the web browser situation where we don't
> support the current version for the entire life cycle of the stable release.
> Document and be done with it.
> http://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#browser-security
IMHO: while it is true that WordPress can't be properly supported during all of a stable release's lifetime as it is (the volatile / squeeze-updates sounds like a very good solution to me), there exist two different scenarios AFAICS:

* Single-user WordPress, a.k.a. "apt-get install lamp-server wordpress" (assuming the lamp-server meta-package were available in Debian stable). IMO, it is much better to just tell the user to COPY the codebase to /{srv,var}/www or the like (or maybe even do it from postinst after asking) and let WordPress update itself --- no burden for the security team this way :)

- or -

* Multi-user WordPress, where the admin uses a single codebase from the package for all the different installs (by telling Apache to use /usr/share/wordpress as its docroot + the wonderful /etc/wordpress/config-<siteurl>.php magic -- this is what we do here). This requires some competence on the part of the admin anyway, so *at worst* updating via wget wordpress-latest.tar.gz + tar xvfz + rsync is a possibility.

For this case, a wordpress package from "updates" would be best. Since upstream does not support a version long enough anyway, this would provide all the benefits from a packaged WP, plus timely enough updates.


I don't know whether there is any other option which complies with Debian's current security policies (that is, backport security fixes to the stable branch/no version upgrades) and which allows us to keep the install reasonably secure. The second one looks feasible to me.

My .02€

Giuseppe and Raphaël (WP maintainers): my most sincere appreciation for your work. The wp-config.php patches are truly a godsend for multi-instance installs.


Regards,

    J.L.
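As an added example (not part of this thread, the Debian wordpress package or WordPress upstream), the "wget + tar + rsync" refresh for the shared-codebase case, written so that nothing touches the docroot until the downloaded tarball has been checked against a recorded digest, and so that the site's own wp-content/ and wp-config.php are never overwritten by what the tarball carries. It assumes the tarball unpacks to a top-level wordpress/ directory, that a sidecar "<tarball>.sha256" in sha256sum format was written when the tarball was fetched, and it uses cp -R instead of rsync so it also runs where rsync is not installed; the fetch step itself (wget) is left to the admin.

```shell
#!/bin/sh
# Added example, not code from the Debian package or from WordPress upstream.
# Assumptions: the tarball extracts to "wordpress/", "<tarball>.sha256" holds
# the expected digest in "sha256sum" format, and the docroot keeps its own
# wp-content/ and wp-config.php which must survive the refresh.
set -eu

# Check the tarball against its recorded digest. Returns non-zero when the
# digest file is missing or the digest does not match.
wp_verify_tarball() {
    tarball=$1
    digest_file="${tarball}.sha256"
    [ -f "$digest_file" ] || { echo "missing digest file: $digest_file" >&2; return 1; }
    # sha256sum -c resolves the file name relative to the current directory
    ( cd "$(dirname "$tarball")" && sha256sum -c "$(basename "$digest_file")" >/dev/null 2>&1 )
}

# Refresh the core files under $docroot from a verified tarball. Core files
# are overwritten; wp-content/ and wp-config.php in the docroot are left alone
# because the copies from the tarball are dropped before anything is copied.
wp_refresh_codebase() {
    tarball=$1
    docroot=$2
    wp_verify_tarball "$tarball" || { echo "digest mismatch for $tarball, aborting" >&2; return 1; }
    scratch=$(mktemp -d)
    tar xzf "$tarball" -C "$scratch"
    if [ ! -d "$scratch/wordpress" ]; then
        echo "unexpected tarball layout (no wordpress/ directory)" >&2
        rm -rf "$scratch"
        return 1
    fi
    # site-owned paths never come from upstream in the shared-codebase setup
    rm -rf "$scratch/wordpress/wp-content" "$scratch/wordpress/wp-config.php"
    cp -R "$scratch/wordpress/." "$docroot/"
    rm -rf "$scratch"
}

# usage: wp_refresh_codebase /tmp/wordpress-latest.tar.gz /usr/share/wordpress
```

The digest file is only as good as where it came from: record it from a source you trust at fetch time (upstream's published checksum, or a hash taken over a copy you verified by other means), since a digest written by sha256sum over an already tampered download proves nothing.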

