Version Numbers are Cheap

WordPress recently released 1.5.2. The problem is that they modified the release tarballs, after putting the announcement on their site.

Don’t do that. Once you make a version public NEVER change the release tarballs. It doesn’t help that they didn’t sign their releases or even provide basic hashes, but the fact that now some users who installed 1.5 2 are still vulnerable, while some others are not is the problem. This defeats the one major purpose of versioning — to help the users and admins who install your product. So they can know if they are vulnerable to an issue.

I am glad that I don’t use WordPress, this kind of behavior is not excusable for an Open Source Project. Its about providing trust to your users. I can’t trust that a WordPress 1.5.2 install is secure, since this one version has two different contents.