> are you saying it would have been better to make the hole well known to the general public before the fix was released?
No, of course not!
All I am saying is that a patch fixing only the security defect should be made available to the end users. End users shouldn't be forced to install a full upgrade with 170 fixes, just so they can have the security vulnerability patched. That is not right. 1.5 works for me just as I want it.
I do not need an upgrade which several people are having trouble with. However, I just need a patch to fix a security hole. And I am not alone.
I emailed Matt a couple of days ago, requesting a patch. He hasn't replied yet.
Nobody is asking to reveal the gory details of the vulnerability. However, simple categorizing terms (yet vague enough to deter would-be hackers) like "cross-site scripting vulnerability" would be helpful and appreciated, rather than a cryptic email just stating there was a vulnerability and it has been fixed.