More on Security Announcements

Some people seem to misunderstand what I said about the latest WordPress update.

I, myself, am perfectly able to figure out what was broken and how it was fixed. That’s not the point. I was commenting on the handling of security announcements by the WordPress developers.

I expect to get information about security issues from a central, easily findable place for any project or product that has public exposure and more than a handful of users. (Yes, I expect that from open source projects too. Look around the net to see how well others handle it.)
Expecting your users to gather information about a problem from forums, blogs, foreign sites, or the source code is simply unprofessional.

The often-used argument that more specific information only helps hackers is just plain naïve: WordPress is open source, and its code and even nicely formatted svn changesets are freely available on the web. Hackers are not stupid; they’ll find the issues.

Note, I’m not saying you should post sample exploits publicly. Just give enough information that administrators can determine whether their systems are vulnerable and how severe the problem is. Again, look around the net to see how other projects handle security announcements.

This article by Jürgen Kreileder is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

2 Comments

Agreed, utterly. A good start would be to use the announce list, so you didn’t have to rely on randomly stumbling across the page to learn you’re vulnerable to tens of security holes.

But once that hurdle is passed, I hope that one day we’ll get point releases with *just* the security problem solved. That’d make distributing WP with things like Debian GNU/Linux feasible.
