[wp-hackers] [wp-testers] WordPress 3.0.2

Andrew Nacin wp at andrewnacin.com
Thu Dec 2 23:12:26 UTC 2010 

On Thu, Dec 2, 2010 at 3:23 PM, Trent Martin <trentmar at gmail.com> wrote:

> I totally agree on the urgency of a security update, except for this:
>
> 1. It isn't just a security update, it contains a number of other bug
> fixes;
> 11 core files were modified.
>

Of those 11 changes, 9 of them were merged to the branch previously and were
in trunk for some time.

While only one was enough to trigger 3.0.3, seven changes were security
fixes or enhancements in some way.

It fixed four other really annoying and moderately severe bugs that were
already backported to the branch.

It was a security update. But since we maintain the 3.0 branch for
regressions, major bugs, and security enhancements (which we will until 3.2
beta), then a few other things got shipped with it. We were very pleased
with the quality of every change in the release, which were all thoroughly
re-inspected and re-tested. We carefully evaluated every other ticket under
3.0.x consideration for potential inclusion as well.

List of changes:
http://core.trac.wordpress.org/changeset?old_path=/tags/3.0.1&new_path=/tags/3.0.2

2. They thanked the guy who reported it for responsible disclosure which
> usually means he would give them time to fix it before making it public,
> which he did.
>

Correct. We decided to release.

3. It certainly must have taken at least a day or two to fix, test, prepare,
> and package an official release so there certainly was enough time to at
> least give us a courtesy heads up that an update was imminent.
>

As Pete Mall said, it took four hours from the initial report to final
release. Mark, Ryan and I worked nonstop over that time. We do good work :-)

4. This isn't the first time they have done a surprise release.
>

Indeed, even some members of the core team were busy all day and didn't hear
about it either. :-)

 I realize this update probably won't break anything, but we still have to
> go
> through a full test run anyway. I certainly do appreciate the work the
> WordPress team is doing but I wanted to express my voice as plugin
> developer.
>

I believe your opinion as a plugin developer should be weighed against tens
of millions of WordPress blogs and users.

So what I would like to know is what I should monitor to get the earliest
> and most consistent notification of updates?
>

I should have sent this email to wp-hackers the day of launch, but I forgot.
But by no means count on that. Follow the WordPress Blog, Trac, your
dashboard, etc.

Regards,
Nacin

More information about the wp-hackers mailing list