On Mon, Aug 2, 2010 at 4:14 AM, Aryeh Gregor <[email protected]> wrote: > If I'm interpreting this right, you're saying that upgrades can break > stuff, so people should stick to versions with known security flaws. > This is a defensible position in practice, but it doesn't justify > making upgrades unnecessarily hard. It would be a good thing if > typical admins could easily upgrade, without needing FTP access and so > forth. If they choose not to, that's their choice, but if they want > to upgrade, they should be able to do so easily. No I'm saying not to use a automated update version within a extension which for example has been shown to break things in other web based packages (Wordpress has apparently fixed it since the horrible times when i last attempted). What about the maintenance scripts people have to run? such as the updater, alot of people on shared hosting can't do those as it is without re-running the installer since they aren't allowed ssh access and ours aren't designed to be run from within the browser window.
> Any kind of auto-update mechanism should be hardcoded to retrieve only > from a specific Wikimedia URL and only over HTTPS, and the contents of > that URL should only be changeable by sysadmins. Or at least the > checksum should be retrieved that way. So every-time someone that creates/modifies a extension wants to update its version number? which is why it was recommended to go wiki base, but that as well has it flaws. _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
