Geof's Relentless Kvetching About WordPress

Thoughts and Complaints About WordPress

Archive for the ‘Security’ Category

On WP 2.2.3 and WP 2.3

with 2 comments

Well, my request for an agreeable openness went nowhere. :shrug: We have our WP 2.2.3, and it fixes the issues that Alexander and others raised. That is very good. Thanks, guys. And for the record, it was 16 days between notice and release. Very good.

Also, the news about the betas has been great. Beta 3 of WP 2.3 is the last one that’s going up, and the new version should drop on Mon 24 Sep [presuming it’s ready; if they miss the date, it’s not a big issue, eh?]. These are the questions I have about it, though:

  1. Will 2.2.x get any support if security holes are found? 2.1 didn’t, if you’ll remember from the 2.2 release notes, but the jump from 2.2 to 2.3 is going to cause some breakage, I think, and that always slows adoption. I’d hope that a reasonable amount of security support would be provided. I’m not expecting that it’ll be kept up forever, but for, say, a month?
  2. Are we going to see a roadmap again? That was always fun. 🙂

Written by Geof F. Morris

Tue 11-Sep-2007 at 20:03

Posted in On WordPress, Security

An Agreeable Openness

with one comment

Well, again we’ve got folks claiming to have found a remote SQL injection in WordPress, one that affects all versions. At least the discoverer, Alexander Concha, did the right thing: notifying the WP folks. He’s chosen not to disclose information about the hole, which means one of two things:

  1. It’s bogus.
  2. It’s heinous.

Because I’m weird and like to know about these things, maybe I should just ask Mark Jaquith about it, considering that he was great in discussing the WordPress “worm”. Matt’s probably still busy defending himself against straw men, anyway.

So, how about it, boys? Can you address the question? Or will it just be four weeks between notice and release without much comment otherwise? Yes, yes, yes, I imagine that I could look this up in Trac, but I’m an aerospace engineer, not a computer one; your PHP is as fuzzy to me as my Navier-Stokes equations likely are to you.

Lest you think that I am anti-Matt here, I’m not, because I think Duncan Riley was being an ass. Implicit in that comment is agreement with Mark Jaquith’s comments on the saga, especially:

Matt made a huge mistake by allowing [all the SEO-optimized crap on]. I was disappointed in him at the time, both personally and professionally. But he’s learned from that mistake. More than that, he’s led efforts to warn others about that kind of behavior. That’s what the whole “sponsored themes” thing was about. That’s what the Vanilla comment was about.

See, exactly. While I have butted heads with Matt, I always find him willing to listen. That’s why I’d buy him several, several beers if we ever ended up in Houston at the same time. [Note to self: next time you’re headed to JSC for work, ring Matt up.]

Written by Geof F. Morris

Fri 24-Aug-2007 at 20:20

Posted in Security