These are my thoughts after reading these two blog posts:

• Dougal Campbell: WordPress 1.5.2 Security FUD
• PHP Security Blog: Irresponsible silent tarball update

Stefan’s language is a bit inflammatory, but I think that he has a valid point. It’s not good development practice to silently rev something that is public without changing the version number. That’s what the version number is for – to communicate changes so that people don’t have to peek inside archives and do MD5’s and such.

In the company where I work, we have tools for uploading packages to a central repository and those tools now disallow uploading a package and overwriting an already-existing version. This is because there were too many complaints from people about the chaos that this practice caused.

Occam’s Razor would suggest to me that this was probably more likely the result of laziness than some kind of marketing conspiracy.

I would humbly suggest that the WordPress developers refrain from this practice for future issues. There is no shortage of version numbers and although it’s a little bit of hassle to bump a version number for a minor change, I think that it’s the necessary thing to do when so many people depend on this software.

By the way, I say this as someone who got his blog hacked because he was slow to apply one of the 1.5 dot release security upgrades.