Bug#312413: ITP: serendipity -- PHP Weblog/Blog software
-----BEGIN PGP SIGNED MESSAGE-----
on 8/6/05 11:07 PM Moritz Muehlenhoff said the following:
| Plus a disturbing constant flow of security vulnerabilities; eight
| 2005. Do they have a clear policy of documenting issues or do they only
| provide new releases without documenting the vulnerabilities? (This would
| make support for a stable release close to impossible).
Fair question, from a discussion on their dev mailing list [1,2]:
Security issues are documented in both our NEWS file (aka ChangeLog) and
announced publically after the fix has been committed. Any other way
would really be bad for any end-users as we do not want them to be
unaware of outstanding bugs in old releases.
Of course, this is already much, and we"re very sorry about this. But if
you look at the security trackers you will see that many, many
web-applications have had similar bugs in 2005. This seems to be the
year of many people testing XSS.
Look at WordPress, they have had similar problems. But we take our
security problems serious, and for errors that come to our attention we
have provided fixes in less than 12 hours in the past.
They also have a security section on their blog  with an RSS feed I
can subscribe to.
In addition, they maintain a stable branch in their svn tree , which
just gets bug & security fixes. So identifying relevant security
patches should be quite trivial as I can pick them from this branch
rather than trying to find them from within the trunk.
I hope this is somewhat reassuring.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----