Package: wordpress
Version: 6.8.1+dfsg1-1
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

Dear Debian WordPress Maintainers,

I am reporting a usability and compatibility issue with the Debian-packaged
WordPress (version 6.8.1+dfsg1-1) that makes automatic updates impossible
without manual intervention, due to conflicting permission checks and core
file modifications. This issue persists in testing/unstable (6.8.3+dfsg1-1,
verified at
https://salsa.debian.org/php-packages/team/wordpress/-/blob/debian/6.8.3%2Bdfsg1-1/debian/patches/series),
as the problematic patches remain unchanged.

### Summary
The Debian package modifies core WordPress files (e.g.,
wp-admin/includes/class-wp-site-health-auto-updates.php) with patches that:
- Rename and invert the logic of `test_all_files_writable` to
`test_all_files_unwritable`, using `is_writable()` (without `!`) to flag
writable core files (e.g., wp-cron.php, wp-blog-header.php) as a security
failure in Site Health ("Some files are writable by WordPress").
- Add `test_debian_note` to note "Updates are managed by the Debian package
system".

This creates a contradiction:
- Site Health marks writable core files as a **failure** (security risk).
- But WordPress auto-updates **require** writable core files (e.g.,
wp-admin/includes/update-core.php) and fail with "Permission denied in
class-wp-filesystem-direct.php:309" due to Debian's strict permissions
(644, owner root).

The official WordPress 6.8.3
(https://github.com/WordPress/WordPress/blob/6.8.3/wp-admin/includes/class-wp-site-health-auto-updates.php)
uses `test_all_files_writable` with `! is_writable()` to ensure directories
like wp-content are writable for updates, without flagging core files as
risky.

Debian's approach prioritizes security (non-writable core files = good) but
breaks auto-updates, a core WordPress feature. Users expecting standard
behavior (e.g., WP_AUTO_UPDATE_CORE = true) must:
- Temporarily set `chown www-data:www-data` and `chmod 664` on core files
(contradicting Site Health).
- Or use `apt install --only-upgrade wordpress`, which lags behind official
releases (e.g., Debian 12 Bookworm has 6.8.1 vs official 6.8.3).

These patches disrupt the user experience by altering core WordPress
behavior without clear documentation or an opt-in for auto-updates.

### Steps to Reproduce
1. Install WordPress via `apt install wordpress` on Debian 13.1.
2. Site Health reports "Some files are writable by WordPress" (e.g.,
wp-cron.php) as a failure.
3. Enable auto-updates in wp-config.php: `define('WP_AUTO_UPDATE_CORE',
true); define('FS_METHOD', 'direct');`.
4. Attempt update to 6.8.3 via Dashboard > Updates: Fails with "The update
cannot be installed because we will be unable to copy some files. This is
usually due to inconsistent file permissions.:
wp-admin/includes/update-core.php" and "Permission denied" error.

### Expected Behavior
- Debian package should align with upstream WordPress auto-update
standards: Focus Site Health checks on writable directories (wp-content,
plugins) rather than flagging core files as risky.
- Or, explicitly disable auto-updates in the admin interface with a clear
notice linking to `apt` instructions, and avoid modifying core files to
invert upstream logic.
- Provide documentation in README.Debian on enabling auto-updates safely
(e.g., a script to toggle permissions).

### Workaround (Temporary)
- Temporarily: `sudo chown -R www-data:www-data /usr/share/wordpress &&
sudo chmod -R 664 /usr/share/wordpress/wp-admin
/usr/share/wordpress/wp-includes && sudo chmod 664
/usr/share/wordpress/*.php`.
- Update via admin interface.
- Revert: `sudo find /usr/share/wordpress -type f -exec chmod 644 {} \; &&
sudo find /usr/share/wordpress -type d -exec chmod 755 {} \; && sudo chown
-R root:root /usr/share/wordpress && sudo chmod -R 775
/usr/share/wordpress/wp-content && sudo chown -R www-data:www-data
/usr/share/wordpress/wp-content`.

This workaround is cumbersome and contradicts Site Health recommendations,
making the package frustrating for users.

### Proposed Fix
- Update the package to upstream 6.8.3 and revise patches: Replace
`test_all_files_unwritable` with `test_all_files_writable` (align with
upstream), or make it optional via a config flag.
- Add upstream coordination: Submit patches back to WordPress for better
Debian support (e.g., a "packaged mode" flag).
- Improve documentation: Include a section in README.Debian on enabling
auto-updates safely.

This issue persists in testing/unstable (6.8.3+dfsg1-1) and affects
usability, forcing manual workarounds. Auto-updates worked fine before
Debian's stricter patches. Please prioritize this for the next upload.

References:
- Official WordPress 6.8.3 source:
https://github.com/WordPress/WordPress/blob/6.8.3/wp-admin/includes/class-wp-site-health-auto-updates.php
- Debian patches:
https://salsa.debian.org/php-packages/team/wordpress/-/blob/debian/6.8.3%2Bdfsg1-1/debian/patches/series
- Similar upstream issues:
https://wordpress.stackexchange.com/questions/385330/wordpress-update-this-is-usually-due-to-inconsistent-file-permissions-wp-adm

Thank you for maintaining the package. I appreciate your work on security
but hope for better compatibility with upstream features.

Best regards,
Thomas LLOANCY
[email protected]

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.14.3-x86_64-linode168 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
ii  apache2 [httpd]                         2.4.65-2
ii  ca-certificates                         20250419
ii  default-mysql-client                    1.1.1
ii  libapache2-mod-php                      2:8.4+96
ii  libapache2-mod-php8.4 [libapache2-mod-  8.4.11-1
    php]
ii  libjs-cropper                           1.2.2-2
ii  libjs-lodash                            4.17.21+dfsg+~cs8.31.198.20210220-9
ii  libjs-underscore                        1.13.4~dfsg+~1.11.4-3
ii  mariadb-client [virtual-mysql-client]   1:11.8.3-0+deb13u1
ii  nginx [httpd]                           1.26.3-3+deb13u1
ii  php-gd                                  2:8.4+96
ii  php-getid3                              1.9.23+dfsg-1
ii  php-mysql                               2:8.4+96
ii  php8.4-gd [php-gd]                      8.4.11-1
ii  php8.4-mysql [php-mysqlnd]              8.4.11-1

Versions of packages wordpress recommends:
ii  wordpress-l10n                    6.8.1+dfsg1-1
ii  wordpress-theme-twentytwentyfive  6.8.1+dfsg1-1

Versions of packages wordpress suggests:
ii  mariadb-server [virtual-mysql-server]  1:11.8.3-0+deb13u1
ii  php-curl                               2:8.4+96
ii  php-imagick                            3.8.0-2
ii  php-mbstring                           2:8.4+96
pn  php-ssh2                               <none>
pn  php-xml                                <none>
ii  php-zip                                2:8.4+96
ii  php8.4-curl [php-curl]                 8.4.11-1
ii  php8.4-imagick [php-imagick]           3.8.0-2
ii  php8.4-mbstring [php-mbstring]         8.4.11-1
ii  php8.4-zip [php-zip]                   8.4.11-1

-- Configuration Files:
/etc/wordpress/htaccess changed [not included]

-- no debconf information

-- 
*Determinets.com <http://determinets.com>*
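
Added example, not part of the original report or of the Debian package: a POSIX shell audit for the permission state the report describes. It lists the core files that the web-server account can modify and classifies the tree, which is a useful check after the revert step of the workaround. The function names are hypothetical, the root path is assumed to have no trailing slash, and only owner, group and mode bits are examined.

```shell
#!/bin/sh
# Added example: audit which WordPress core files a given account can modify,
# judged from owner/group/mode bits only (ACLs, immutable flags and read-only
# mounts are not considered). Function names are hypothetical.
# Usage (assumed account names): wp_core_posture /usr/share/wordpress www-data www-data

# List core files (everything outside wp-content) writable by USER or GROUP,
# or writable by everyone.
wp_core_writable() {
    root=$1 user=$2 group=$3
    find "$root" -path "$root/wp-content" -prune -o -type f \( \
        \( -user "$user" -perm -0200 \) -o \
        \( -group "$group" -perm -0020 \) -o \
        -perm -0002 \) -print
}

# Count all core files, for comparison with the writable ones.
wp_core_total() {
    find "$1" -path "$1/wp-content" -prune -o -type f -print | wc -l | tr -d ' '
}

# Classify the tree:
#   locked       no core file is writable (passes the Debian-patched check;
#                updates come from apt)
#   self-update  every core file is writable (what the dashboard updater needs)
#   mixed        only some are writable, e.g. after an incomplete revert;
#                the updater still fails and the Debian check still flags it
wp_core_posture() {
    writable=$(wp_core_writable "$1" "$2" "$3" | wc -l | tr -d ' ')
    total=$(wp_core_total "$1")
    if [ "$writable" -eq 0 ]; then
        echo locked
    elif [ "$writable" -eq "$total" ]; then
        echo self-update
    else
        echo mixed
    fi
}
```
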
