[wp-hackers] Upgrade to 2.1.2

Peter Westwood peter.westwood at ftwr.co.uk
Thu Mar 8 14:32:46 GMT 2007

On Thu, March 8, 2007 12:53 pm, Elias Torres wrote:
> Peter Westwood wrote:
>> On Thu, March 8, 2007 8:24 am, Martin Sturm wrote:
>>> 2007/3/2, Matt Mullenweg <m at mullenweg.com>:
>>>> Joefish wrote:
>>>> Hey the blog post is out:
>>>> http://wordpress.org/development/2007/03/upgrade-212/
>>>> Maybe it'll make a little more sense now.
>>> Why isn't there an md5 sum posted for every build? That way, the
>>> compromising of the download package could have been detected earlier by
>>> simply checking the md5's. Obviously, the md5 sums shouldn't be
>>> located on the download location only, but also on the mailing list.
>> There are md5sums for all downloads here:
>> http://wordpress.org/download/release-archive/
>> To be fair I think we need to go a step further now and have the
>> releases signed by a special pgp key to provide something that a
>> hacker should not be able to modify even with access to the server.
>> After all, if he has enough access to change the files then he can surely
>> change the md5sum too.
>> westi
> But 99.999% of the people downloading won't be verifying either of
> those security options: md5 or pgp, right?


You can lead the horse to water but you can't make it drink.

However, some people do care about this, and it will improve WordPress's
reputation with them - http://bugs.gentoo.org/show_bug.cgi?id=168529#c4

Peter Westwood <peter.westwood at ftwr.co.uk>
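
Added example, not part of the original message or of WordPress's release tooling: a Go sketch of the point made in this thread, that a checksum hosted next to the download can be rewritten along with it, while a detached signature checked against a public key obtained elsewhere cannot. Ed25519 from the Go standard library stands in for the PGP signature discussed; `Mirror`, `Publish`, `Tamper`, `NewReleaseKey` and the sample archive bytes are hypothetical names and constructed data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"fmt"
)

// Mirror models what the download server holds. Anyone with write access
// to the server can change every field.
type Mirror struct {
	Archive   []byte   // release archive
	MD5       [16]byte // checksum published beside the archive
	Signature []byte   // detached signature over Archive
}

// NewReleaseKey creates the signing key pair. The private half stays on the
// release manager's machine; the public half is distributed out of band.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish produces the server contents for a genuine release.
func Publish(archive []byte, priv ed25519.PrivateKey) Mirror {
	return Mirror{archive, md5.Sum(archive), ed25519.Sign(priv, archive)}
}

// Tamper models server-side modification without the private key: archive
// and checksum are both replaced, the old signature is all that is left.
func Tamper(m Mirror, modified []byte) Mirror {
	m.Archive, m.MD5 = modified, md5.Sum(modified)
	return m
}

// ChecksumOK is the check a downloader makes against the server-hosted md5.
func ChecksumOK(m Mirror) bool { return md5.Sum(m.Archive) == m.MD5 }

// SignatureOK verifies the archive against the out-of-band public key.
func SignatureOK(m Mirror, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, m.Archive, m.Signature)
}

func main() {
	pub, priv := NewReleaseKey()
	bad := Tamper(Publish([]byte("constructed release bytes"), priv), []byte("constructed modified bytes"))
	fmt.Println("md5 matches:", ChecksumOK(bad), "signature valid:", SignatureOK(bad, pub))
}
```

The signature only helps downloaders who already hold the genuine public key from a source other than the download server.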
