WordPress 1.5.2

There has been much talk on the latest version of WordPress, because someone reported that the WP developers modified the package to reflect a last minute fix on a security vulnerability.

The current defense the developers are presenting is that the package was revised before any announcement of its availability was made. That’s a straight lie. I have nothing against WP and I’ve been part of this wonderful community for a long time now, but let’s keep the facts straight. I saw the announcement on the WP dev blog very late at night here in Manila, and I downloaded my copy the following morning, around 10AM. The gzipped file that I have does not contain the current fixes to wp-settings.php, and I compared it with another copy I just downloaded. I patched all my sites with the first, incorrect package.

I appreciate the efforts of the developers to keep WP secure, but we need not hide minor issues like this. Issue — I meant the mistake in the package initially provided, not the severity of the vulnerability. The current release should’ve been 1.5.2.1. I was given a false impression that my weblogs are secure, for a few days until I read about this. Next time, let’s be responsible about package and release management, and versioning. And move on. Now back to blogging. 😉

4 Responses

  1. Seems like Dougal updated his post:

    As pointed out in the comments, I was incorrect about the timeline of events. There was a period of time after the announcement of the new version when the faulty archive was still up. So, if you downloaded before approximately 05:00 UTC (09:00 EDT) on August 15, then you should re-download. Also, though I don’t necessarily like the way that Stefan has handled his end of things, I do appreciate that he provided the appropriate fixes to us.

    Oh well.

  2. I do my upgrade after a day or two. I’d like to see first how people react to the upgrades first.

    I just upgraded my site just now. 😀

  3. Mathias, indeed he updated his entry. I just wish they tried to clarify everything before making claims that no announcement was made before the package was made available to the public. Somehow, issues like this reduces the credibility of the dev team, and we all do not want that. But I’m also sure that Dougal was just misinformed as well, and considering Stefan’s tone in reporting the vulnerabilities, anyone from the dev team would be more enraged rather than apologetic.

    AJ, I used to upgrade after a day, but since the reported vulnerability was quite serious, I took the pill immediately. 😉 Surprise, surprise. Hehehe.

Leave a Reply