[wp-testers] Keeping Up-to-date

Roy Schestowitz wp-lowtraffic at schestowitz.com
Sun Jan 22 12:23:35 GMT 2006


__/ On Sun 22 Jan 2006 11:22:06 GMT, [Sean Hayford O'Leary] wrote : \___

> On 1/22/06, Podz <podz at tamba2.org.uk> wrote:
>> Sean Hayford O'Leary wrote:
>> > Could you list the pros and cons?
>> >
>>
>> +
>> One off install.
>> Prominent message
>>
>> -
>> Prominent message if you choose not to upgrade
>> If wherever the information is grabbed from updates before the dev blog
>> post it could lead to confusion (I don't know the who / how)
>> No explanation of the version (which there should be. For instance 1.5.2
>> is still a stable product so upgrading for the new code is advised if
>> you want that, but it's safe to stay where you are.)
>> If they then switch the plugin off, they could miss something important
>> (if the system were a little more flexible).
>>
>> Some sort of messaging would be good, but then that's what the dash was
>> for - and the contents of that have been removed or altered by many.
>>
>> My feelings are that a new release (or update) generates a lot of buzz
>> which most should hear about. Maybe also some people choose not to
>> upgrade and for others with older code, there is no way of telling them
>> automatically.
>
> Choice -- yeah, but I can't imagine it would be so difficult to insert
> an option to turn the function off.
>
> Here's what I picture: a person had a more tech-central friend install
> a copy of WordPress on his hosting. The user continues to use it for a
> while, knowing that as long as he pays the hosting bill, it stays up.
> Then comes a security flaw with the code that he's using. His friend
> isn't keeping track of his blog, and how should he know that it needs
> to be upgraded?
>
> This is a real situation to me. When I design websites for clients, I
> frequently use WordPress as a CMS. In two years, when there's a
> vulnerability with some code used in 1.5 or 2.0, how should that user
> know?

Sean makes a valid point. This has been a serious issue with packages like
phpBB and PHP-Nuke (among other lesser-known software). They have (had) a
chain of critical flaws that could lead to XSS and bring down servers.
Syndicating the front page of the projects was often a good solution, but
there is 'noise' in such pages too (Nuke in particular, a slight bit in
wp.org).

If your clients are not IT-savvy and do not make use of feeds, you could set
up a cron job one-liner. Such a job would send them an E-mail as soon as an
upgrade is made available. Another option is to use a script to patch up
the installation every night. Stability then becomes the issue, not
security.

With kind regards,

Roy
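The nightly cron job Roy describes, written out as an added example (it is not code from the thread, and not WordPress's own code). It compares the version string declared in `wp-includes/version.php` (WordPress does define `$wp_version` there) with a release number fetched from `LATEST_URL`, which is a placeholder for wherever the current release is published as plain text, and mails the site owner only when the installed copy is older. The `mail(1)` command, the `NOTIFY` address and the `--run` flag are assumptions of this example; the sample `version.php` it builds for its self-check is constructed, not a real install.

```shell
#!/bin/sh
# Added example: check an installed WordPress copy against a published
# release number and e-mail the owner when it is out of date.
# Intended for a nightly cron entry such as:
#   0 3 * * * WP_ROOT=/var/www/blog /usr/local/bin/wp-upgrade-check --run
#
# Assumptions (not from the mailing-list thread):
#   WP_ROOT    - the WordPress install; wp-includes/version.php sets $wp_version
#   LATEST_URL - placeholder URL serving the current release number as text
#   NOTIFY     - address that receives the notice via mail(1)
WP_ROOT="${WP_ROOT:-/var/www/wordpress}"
LATEST_URL="${LATEST_URL:-https://example.invalid/latest-wordpress-version.txt}"
NOTIFY="${NOTIFY:-owner@example.invalid}"

# Print the version string from a version.php, e.g. from
#   $wp_version = '1.5.2';
installed_version() {
    sed -n "s/^[[:space:]]*\\\$wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Succeed (return 0) when version $1 is older than version $2.  Components are
# compared numerically so that 1.5.2 < 1.10 and 2.0 equals 2.0.0; a non-numeric
# suffix such as "-rc1" is ignored.
version_older() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        a="${a#*.}";  b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Print the notice text and return 0 when an upgrade is due; return 1 when the
# install is current; return 2 when either version could not be determined.
check_for_upgrade() {
    inst="$(installed_version "$1/wp-includes/version.php")"
    latest="$2"
    if [ -z "$inst" ] || [ -z "$latest" ]; then
        echo "could not determine installed or latest version" >&2
        return 2
    fi
    if version_older "$inst" "$latest"; then
        printf 'WordPress %s is installed at %s; %s is available. Please upgrade.\n' \
            "$inst" "$1" "$latest"
        return 0
    fi
    return 1
}

# Constructed sample install (a fake wp-includes/version.php) for a self-check.
make_sample_install() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-includes"
    printf "<?php\n\$wp_version = '1.5.2';\n" > "$d/wp-includes/version.php"
    printf '%s' "$d"
}

main() {
    latest="$(curl -fsS "$LATEST_URL" 2>/dev/null | head -n 1 | tr -d '[:space:]')"
    if msg="$(check_for_upgrade "$WP_ROOT" "$latest")"; then
        printf '%s\n' "$msg" | mail -s "WordPress upgrade available" "$NOTIFY"
    fi
}

# Only contact the network and send mail when invoked with --run.
[ "${1:-}" = "--run" ] && main
```

Because the notice is sent only when the installed version is strictly older, a site that stays on a still-supported release does not get nagged every night, which addresses Podz's point about a prominent message for those who choose not to upgrade.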