Narrowly Escaping WordPress 3.0.6

WordPress 3.0.5 was released the other day to address a couple of issues dealing with security and untrusted user accounts. While those issues were addressed, it was soon discovered that one of the security fixes in 3.0.5 introduced another problem: HTML was stripped on display even for users with the unfiltered_html capability. Instead of fixing that minor problem and releasing 3.0.6, which would have been embarrassing to say the least, a hot fix was applied to the latest version of Akismet, which was also due for an upgrade. This solved the problem for at least a few users, but not for everyone.

Mark Jaquith then created a plugin that contains the hot fix, but also mentioned that the plugin could be used in the future to ship fixes for selected bugs as well. If a large number of WordPress-powered sites had this plugin installed, it would be a handy way of pushing out fixes.

I’m not quite sure I understand the reasoning behind this. 3.1 is right around the corner, that branch already has the fix applied, and those who know how can simply update their sites via SVN through the nightly builds. In the comments, Ozh also raises a good point: how do you explain to users the difference between a hot fix and a WordPress update? It’s an unnecessary process that I don’t want to go through. There was also the suggestion of bundling the Hotfix plugin with WordPress, like Hello Dolly or Akismet, which is a bad idea. There is a strong contingent of people (I’m one of them) working hard to de-couple Hello Dolly and Akismet from the core WordPress package, and the last thing we need is yet another plugin bundled with core.

The best recommendation came from Andrew Nacin in the comments: strengthen the update procedures of WordPress itself. By the way, one tidbit to keep in mind throughout all of this is that somewhere around WordPress 3.2 the goal is to stop updating over the wp-content directory, which I know will make some people happy.

