[wp-hackers] Upgrade to 2.1.2

Marcos Sader | marcosmedia m at marcosmedia.com
Fri Mar 9 02:40:47 GMT 2007


It's just another security measure, it may help those who know how to take
advantage of it, the rest may not be interested in using it but when the
rain comes you can always say... we had a bullet-proof NASA-signed security
framework to avoid that :P

Actually if you care enough, you won't download the file, you would just
update from svn. If svn gets compromised as well, there we have a problem.



that may help you, most of the time this could be used to blame the user
for being hacked cost nothing to implement.

On 3/8/07, Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
>
>
> On Thu, March 8, 2007 12:53 pm, Elias Torres wrote:
> > Peter Westwood wrote:
> >> On Thu, March 8, 2007 8:24 am, Martin Sturm wrote:
> >>> 2007/3/2, Matt Mullenweg <m at mullenweg.com>:
> >>>> Joefish wrote:
> >>>>
> >>>> Hey the blog post is out:
> >>>>
> >>>> http://wordpress.org/development/2007/03/upgrade-212/
> >>>>
> >>>> Maybe it'll make a little more sense now.
> >>> Why isn't there an md5 sum posted for every build? That way, the
> >>> compromising of the download package could have been detected earlier by
> >>> simply checking the md5's. Obviously, the md5 sums shouldn't be
> >>> located on the download location only, but also on the mailing list.
> >>>
> >>
> >> There are md5sums for all downloads here:
> >> http://wordpress.org/download/release-archive/
> >>
> >> To be fair I think we need to go a step further now and have the releases
> >> signed by a special pgp key to provide something that a hacker should not
> >> be able to modify even with access to the server.
> >>
> >> After all, if he has enough access to change the files then he can surely
> >> change the md5sum too.
> >>
> >> westi
> >
> > But 99.999% of the people downloading won't be verifying either of
> > those security options: md5 or pgp, right?
> >
>
> Indeed.
>
> You can lead the horse to water but you can't make it drink.
>
> However, some people do care about this, and it will improve WordPress's
> reputation with them - http://bugs.gentoo.org/show_bug.cgi?id=168529#c4
>
> westi
> --
> Peter Westwood <peter.westwood at ftwr.co.uk>
> http://blog.ftwr.co.uk



-- 
Marcos Sader
m at marcosmedia.com
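
The point made in the thread, that a checksum stored next to the download can be rewritten by whoever can rewrite the download, as an added example that is not part of the original messages or of WordPress's tooling. The file name, archive contents and manifests are constructed, and the "list copy" stands in for sums also posted to the mailing list; it does not cover PGP signature verification.

```python
import hashlib
import re

NAME = "release.tar.gz"  # constructed file name
GENUINE = b"constructed genuine release archive"
TROJANED = b"constructed archive modified on the download server"

def manifest_line(name, data):
    # md5sum output format: "<hex digest>  <file name>"
    return f"{hashlib.md5(data).hexdigest()}  {name}\n"

# Constructed manifests: the list copy was mailed at release time; the server
# copy is shown before and after an attacker with file access rewrote it.
LIST_COPY = manifest_line(NAME, GENUINE)
SERVER_BEFORE = manifest_line(NAME, GENUINE)
SERVER_AFTER = manifest_line(NAME, TROJANED)

def parse_manifest(text):
    """Parse md5sum-style lines into {file name: lowercase digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")  # md5sum prefixes '*' in binary mode
        if not re.fullmatch(r"[0-9a-fA-F]{32}", digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def check(name, data, manifest_text):
    """True/False if the manifest lists the file, None if it does not."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return None
    return hashlib.md5(data).hexdigest() == expected

def assess(name, data, server_manifest, list_manifest):
    """Judge a download against the independently delivered manifest."""
    on_server = parse_manifest(server_manifest).get(name)
    on_list = parse_manifest(list_manifest).get(name)
    if on_list is None:
        return "unverifiable"  # the server's own sum proves nothing here
    if hashlib.md5(data).hexdigest() != on_list:
        return "tampered"
    if on_server != on_list:
        return "ok-but-server-manifest-differs"
    return "ok"
```

Checking only the server-side manifest accepts the modified archive, because the attacker replaced both; the copy delivered through the second channel is what exposes the change.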

