I haven't read all the documents, but have these
researchers taken
into account backported fixes?
My gut feeling is that the "preference" for 1.12 is simply due to its
inclusion in Debian stable [1]. The maintainer seems to be actively
backporting security fixes [2], so while I agree that these versions
may enjoy less community support, they should not be considered broken
on the basis of the version number alone.
This, of course, unless it is certain that some vulnerabilities are
still present in the Debian version. If you are aware of the existence
of such a problem, I would recommend you contact
<security(a)debian.org>rg>. Otherwise, the situation might not be as
dangerous as it seems.
On the topic of facilitating upgrades: perhaps we should emphasize the
option to install and upgrade using SVN, which is probably very
convenient for users that are comfortable with the command line.
Moodle has this in the official documentation and I find it very
useful [3]. SVN could also be handy as the backend for a user-friendly
upgrade procedure, as it already deals with local modifications and
such.
As someone who has had their code patched by the debian team, I'd like to
take the time to bitch about this.
Firstly, their patches are often incorrect. Secondly, though they've patched
my LDAP extension a number of times, I have *never* received a bug report or
a patch from them for something they've fixed. It is extremely annoying to
see a fix has been around that I could have used months before someone
reports a problem to me. Beyond anything else this bothers me the most. They
really need to be better community members in regards to this. Lastly,
packaging and maintaining such an old version of MediaWiki does a disservice
to us, and their users. We don't support versions of MediaWiki that old. I
understand that Debian backports security fixes for MediaWiki, but they
don't backport new features, and don't backport all bug fixes. Additionally,
Debian doesn't backport security fixes for all extensions. Not all extension
developers bother maintaining backwards compatibility, and the only possible
way to get security fixes is to upgrade MediaWiki and the extension.
Please Debian, keep your version of MediaWiki up to date at least to the
oldest stable release, and please send your fixes upstream when you find
unfixed bugs.
Respectfully,
Ryan Lane