Re: [SECURITY] [DSA 2670-1] wordpress security update
On Wed, November 7, 2012 09:33, Raphael Hertzog wrote:
>> Are there any plans to further upgrade squeeze in this manner?
> I leave this to Yves-Alexis... It would be nice to formalize this
> approach with the security team.
I think we should do this only when it has been shown that applying the
fixes to the current version in stable(-security) is infeasible. Suppose
now a simple XSS is discovered, I would be very much in favour of just
applying that fix.

Speaking as users of the wordpress packages, we've had quite some trouble
with migrating our blog platform to 3.3.x after we installed 'just a
security update' on our Squeeze system. In general, it should be expected
that Debian security updates can be installed as quickly and
non-invasively as possible.

In that sense I hope we can formalize it to "we'll upgrade to a new major
upstream branch only when there are no other options" rather than "for
wordpress we'll always track upstream releases".