[wp-hackers] fixes for old versions

Steve Taylor steve at sltaylor.co.uk
Thu Jan 7 14:49:45 UTC 2010

> We will not maintain 2.8.x for any reason. If we do, we get back to
> having to slow down development of any future releases.


- Now 2.9 is out, all 2.8.x installations are insecure?
- Once we do upgrade to 2.9, that branch *will* get security patches
even when 3.0 is released?
- Is this an ongoing plan, so that the version previous to the current
one will get security patches? Or is it just for the 3.0 transition?

I have to admit I've never looked into this before, but now I have,
it's a bit confusing and a bit worrying. I've just developed a pretty
complex WP site for a client, and they really want to avoid feature
upgrades as long as possible, as testing is time-consuming. They just
want to stay secure, obviously.

I was ready to just say to them, "Sorry, you just need to bite the
bullet and upgrade to each release to stay secure", but I thought I'd
check. I can see their perspective. They don't expect upgrades to be
mandatory. Obviously the issue with WP is to do with compatibility
with plugins and theme code rather than shelling out for the next
version. But either way, they expect "upgrade" and "security fix" to
be separate things.

It'd be nice to have some leeway, like at least the next-to-current
version being maintained as standard. It seems this is the case (from
2.9 on?), but on such a crucial issue as security, it'd be nice for
this to be detailed clearly, up-front on the download page. It doesn't
seem like an issue you'd need to dig and dig on the hackers list for
clarity on.
