Re: [SECURITY] [DSA 2670-1] wordpress security update
On Wed, Nov 07, 2012 at 10:39:15AM +0100, Raphael Hertzog wrote:
> On Wed, 07 Nov 2012, Thijs Kinkhorst wrote:
> > I think we should do this only when it has been shown that applying the
> > fixes to the current version in stable(-security) is infeasible. Suppose
> > now a simple XSS is discovered, I would be very much in favour to just
> > apply that fix.
>
> I would as well. The trouble is that contrary to Django (for example),
> upstream is not pointing out which commits are security relevant and
> which versions are affected or not.
>
> And there's zero support for older versions. So we're on our own (and I'm
> not going to do all those investigations by myself).
Mmm. I see a similar problem developing with Movable Type (which I
am the sole maintainer for at the moment). I don't know what the answer
is.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)