On 14/05/12 12:03, Martin Bagge / brother wrote:
> On 2012-05-13 14:54, Yves-Alexis Perez wrote:
>> Wordpress upstream doesn't seem to be able to support a stable branch
>> long enough for us (and I don't blame them for that, we do know how
>> painful it is).
>
> This pretty much sounds like the web browser situation where we don't
> support the current version for the entire life cycle of the stable release.
> Document and be done with it.
> http://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#browser-security

IMHO: while it is true that WordPress can't be properly supported during
all of a stable release's lifetime as it is (the volatile /
squeeze-updates sounds like a very good solution to me), there exist two
different scenarios AFAICS:
* Single-user WordPress, a.k.a "apt-get install lamp-server wordpress"
(assuming the lamp-server meta-package were available in Debian stable)
IMO, it is much better to just tell the user to COPY the codebase
to /{srv,var}/www or the like (or maybe even do it from postinst after
asking) and let WordPress update itself --- no burden for the security
team this way :)
- or -
* Multi-user WordPress, where the admin uses a single codebase from the
package for all the different installs (by telling Apache to use
/usr/share/wordpress as its docroot + the wonderful
/etc/wordpress/config-<siteurl>.php magic -- this is what we do here)
This requires some competence on the part of the admin anyway, so
*at worst* updating via wget wordpress-latest.tar.gz + tar xvfz + rsync
is a possibility.
For this case, a wordpress package from "updates" would be best.
Since upstream does not support a version long enough anyway, this would
provide all the benefits from a packaged WP, plus timely enough updates.
I don't know whether there is any other option which complies with
Debian's current security policies (that is, backport security fixes to
the stable branch/no version upgrades) and which allows us to keep the
install reasonably secure. The second one looks feasible to me.
My .02€
Giuseppe and Raphaël (WP maintainers): my most sincere appreciation for
your work. The wp-config.php patches are truly a godsend for
multi-instance installs.
Regards,
J.L.