[wp-hackers] Upgrade to 2.1.2

Peter Westwood peter.westwood at ftwr.co.uk
Thu Mar 8 14:32:46 GMT 2007


On Thu, March 8, 2007 12:53 pm, Elias Torres wrote:
> Peter Westwood wrote:
>> On Thu, March 8, 2007 8:24 am, Martin Sturm wrote:
>>> 2007/3/2, Matt Mullenweg <m at mullenweg.com>:
>>>> Joefish wrote:
>>>>
>>>> Hey the blog post is out:
>>>>
>>>> http://wordpress.org/development/2007/03/upgrade-212/
>>>>
>>>> Maybe it'll make a little more sense now.
>>> Why isn't there an md5 sum posted for every build? That way, the
>>> compromising of the download package could have been detected earlier by
>>> simply checking the md5's. Obviously, the md5 sums shouldn't be
>>> located on the download location only, but also on the mailing list.
>>>
>>
>> There are md5sums for all downloads here:
>> http://wordpress.org/download/release-archive/
>>
>> To be fair I think we need to go a step further now and have the releases
>> signed by a special pgp key to provide something that a hacker should not
>> be able to modify even with access to the server.
>>
>> After all, if he has enough access to change the files then he can surely
>> change the md5sum too.
>>
>> westi
>
> But 99.999% of the people downloading won't be verifying either of
> those security options: md5 or pgp, right?
>

Indeed.

You can lead the horse to water but you can't make it drink.

However, some people do care about this, and it will improve WordPress's
reputation with them - http://bugs.gentoo.org/show_bug.cgi?id=168529#c4

westi
-- 
Peter Westwood <peter.westwood at ftwr.co.uk>
http://blog.ftwr.co.uk
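
Added example, not part of the original thread or of WordPress's tooling: a checksum-file verifier run over a constructed scenario in which the archive and the checksum file next to it are both replaced on the server. The co-hosted checksum still verifies, while a copy of the checksum recorded off the server (for instance from a mailing list post) does not. The file name and byte strings are constructed, and SHA-256 is used in place of MD5; the point about where the reference value lives is the same for either.

```python
import hashlib
import hmac

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse md5sum/sha256sum style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexval, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = hexval.lower()
    return sums

def verify(name: str, data: bytes, sums_text: str) -> bool:
    """True only if `name` is listed and its digest matches the listed value."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # an unlisted file is a failure, not a pass
    return hmac.compare_digest(digest(data), expected)

# --- constructed sample data (assumptions, not real release contents) ---
NAME = "release.tar.gz"  # hypothetical file name
GENUINE = b"constructed stand-in for the genuine release archive\n"
TAMPERED = GENUINE + b"constructed stand-in for modified contents\n"

def sums_line(data: bytes) -> str:
    return f"{digest(data)}  {NAME}\n"

# Checksum copied off the server at release time, e.g. from a list post.
OFF_SERVER_SUMS = sums_line(GENUINE)

def scenario() -> dict:
    # Someone with write access to the download host swaps the archive and
    # regenerates the checksum file stored beside it.
    server = {NAME: TAMPERED, "SUMS": sums_line(TAMPERED)}
    download = server[NAME]
    return {
        "co_hosted": verify(NAME, download, server["SUMS"]),
        "off_server": verify(NAME, download, OFF_SERVER_SUMS),
    }

if __name__ == "__main__":
    print(scenario())
```

A detached PGP signature gives the same separation without needing a second publication channel per release, because the reference value is a public key the user already holds rather than a file on the download host.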

