Re: [SECURITY] [DSA 2670-1] wordpress security update



On Wed, Nov 07, 2012 at 10:39:15AM +0100, Raphael Hertzog wrote:
> On Wed, 07 Nov 2012, Thijs Kinkhorst wrote:
> > I think we should do this only when it has been shown that applying the
> > fixes to the current version in stable(-security) is infeasible. Suppose
> > now a simple XSS is discovered, I would be very much in favour to just
> > apply that fix.
> 
> I would as well. The trouble is that contrary to Django (for example),
> upstream is not pointing out which commits are security relevant and
> which versions are affected or not.
> 
> And there's zero support for older versions. So we're on our own (and I'm
> not going to do all those investigations by myself).

Mmm. I see a similar problem developing with Movable Type (which I
am the sole maintainer for at the moment). I don't know what the answer
is.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

