Hotfix
We done goofed. One of the security fixes for WordPress 3.0.5 was overzealous. It fixed the issue, but it also stripped advanced HTML (on display, not save, thankfully) from comments by people with the unfiltered_html capability. It’s sort of a rare bug — doesn’t apply to multisite installs, and not many people know that Editors and Administrators on single WP installs can use images etc. in comments, so we don’t think it warrants another release. People have WordPress 3.0 fatigue already. And 3.1 is so close I can taste it (tastes like pork BBQ, natch). But it is still annoying.
As Nacin mentioned, a hotfix for this issue went into Akismet 2.5.3. Akismet is very popular, and just happened to be planning an update today. We figured that would be an easy way to fix the issue for some WordPress users today. The Akismet team at Automattic was kind enough to oblige.
But this wasn’t the first non-critical-but-sort-of-annoying bug in WordPress, and it won’t be the last. So I created a plugin: Hotfix. It fixes the 3.0.5 bug, but I intend for it to fix selected future bugs as well. If we can get this installed on a bunch of sites, it could be a very handy way to push fixes out to people faster than we can with WordPress core releases.
Alex M. 9:06 pm on February 8, 2011
Bundle it and pre-activate it?
Ozh 10:27 pm on February 8, 2011
I think that would confuse the hell out of average joes. Hotfix vs update?? zomg!!1
Travis 9:09 pm on February 8, 2011
Bundling it seems reasonable, as long as it won’t be continually reinstalled (i.e. follows the behavior that Hello Dolly and Akismet will exhibit in the somewhat near future).
Brian Layman 9:12 pm on February 8, 2011
The Akismet avenue is very practical and is a nifty fix, but also it feels rather inappropriate. I’d rather have just seen the plugin made public for those few who need unfiltered html comments before 3.0.6 is released (if ever).
Well really, me personally, I’d rather see Akismet 3.5.3 bundled with WordPress 3.0.6 because people are still trying to figure out how to update Akismet after these upgrades anyway. But I understand rapid fire updates are unpopular with people.
jb510 12:49 am on February 9, 2011
I’ve got to agree that it feels inappropriate and I just really hope that bundling fixes with Akismet or Hello Dolly or whatever… never becomes normal practice. Don’t get me wrong, I love Akismet but like Hello Dolly, IMHO, it shouldn’t be bundled with core updates.
I am intrigued by Mark’s hotfix plug-in. It would seem, at least at first look, to make a lot of sense to build into core.
Brian Layman 4:49 am on February 9, 2011
And there’s a good tradition of these hot fix plugins even predating the repository.
Edward Caissie 9:13 pm on February 8, 2011
Bundling it may be a solution to getting a “bunch of sites” to make use of the plugin as the average end-user may not be aware of its existence. I would think developers, plugin authors and theme designers may follow the various social media outlets where this is being advertised but the average user tends to be of a “set-it-and-forget-it” mind-set … they are not going to know it’s broke so they are not going to think to fix it.
Matthew McGarity 9:19 pm on February 8, 2011
This is hot stuff for code n00bs like me — as I learn PHP and WordPress, I can now review future hotfixes as isolated in this plugin, rather than having to dig through core code/patch notes to see what was changed. Thanks for publishing!
Andrew Nacin 9:23 pm on February 8, 2011
As cool as the plugin is, I’d rather work to strengthen our own update procedures. That’s going to be a huge focus for 3.2.
Brian, I’m not sure I know what you’re referring to. We decided early this morning that we were not going to go forth with a 3.0.6 release. But Akismet 2.5.3 was being released today anyway, and since it is installed on so many blogs, it is a convenient additional avenue through which a fix can be served. Also, this particular fix isn’t far from the realm of Akismet, seeing it had to do with comments. The Hotfix plugin means we now have a place we can point affected people.
The Akismet update dance is annoying. We get that, but it’s not something we were going to fix for the 3.0 branch. 3.1 will ship with 2.5.3, and we’ll bump to additional 2.5.x releases as appropriate for 3.1.x. Come 3.2, this won’t be an issue, as one 3.2 goal is to stop updating over the wp-content directory.
Brian Layman 5:16 am on February 9, 2011
All’s good Nacin. I was just saying I wouldn’t have minded a 3.0.6 the next day if this was deemed an important issue. This obviously wasn’t. Lots of people get bent out of shape with quick releases. Yeah I don’t like bugs creeping in, but relatively painless upgrades are a better alternative than security holes. And this bug was minor and hard to catch. I’d bet through this bug more people will learn what they can do in comments than previously used the features. But that’s also why I’m not sure it was important enough to fix through Akismet. That’s all I’m saying.
One thing I would love to see is a consistent way to grab the latest release of any plugin via SVN or the repository. Then I could just request any plugin’s latest.zip or /tag/latest and I wouldn’t have to modify version numbers in scripts.
Michael Clark 10:45 pm on February 8, 2011
So now we have the equivalent of several versions of WP 3.0.5 out there: WP 3.0.5; WP 3.0.5 Akismet 2.4.0; WP 3.0.5 Akismet 2.5.3; WP 3.0.5 Akismet 2.4.0 HotFix 0.2; WP 3.0.5 Akismet 2.5.3 HotFix 0.3; and I’m sure a few other combinations. I’m all for a rapid development cycle. But I think the safer (and saner) release strategy would be to push a 3.0.6 out with the new bug fixed. Or can you have Hotfix change the WordPress version number to 3.0.5.1?
Mark Jaquith 8:28 pm on February 9, 2011
We have an infinite number of versions of 3.0.5 out there, when you factor in all the plugins and the unbounded potential for custom functionality.
Michael Clark 3:40 pm on February 10, 2011
Granted. But how many plugins exist only to fix a bug, and then will be obsolete at the next WP revision? I feel that having three different official-ish versions of WP 3.0.5 out there is a problem. Is there a goal of having Hotfix version numbers reflect which version of WP they will work on?
Also, aren’t you WP maintainers going to run into a situation where you have to maintain bugfixes in two places, WP and Hotfix? The Hotfix fix feels klunky.
Peter Westwood 3:42 pm on February 10, 2011
In general they are going to be the same fixes.
This bug isn’t serious enough to demand a release straight away, but for the people that it does affect the easiest solution is the hotfix.
Simple to Install, No worry about it conflicting when they upgrade WordPress next etc.
James Collins 12:35 am on February 9, 2011
Just in case anyone missed it, the fix has also been applied to the 3.0 branch: http://core.trac.wordpress.org/changeset/17421/branches/3.0
So if you’re using SVN to run your 3.0.5 site, svn switching from tags/3.0.5 to branches/3.0 will also fix the problem.
Alex M. 12:40 am on February 9, 2011
+1. Branches totally pwn tags, even for stable installs.
Ryan Hellyer 4:39 am on February 9, 2011
The hotfix plugin is a weird solution. I like it anyway since it could potentially reduce the number of WordPress updates required. I’m not seeing much point in bundling it into core though, as it isn’t any harder to update the whole of WordPress than it is a plugin. It seems to me that the plugin should be used as a way to point those who are having problems to a simple solution. Then WordPress double point updates could be used solely for security stuff.
Mark Jaquith 7:51 pm on February 10, 2011
This changes nothing about WordPress point-point releases. It’s purely a bonus offering.
Jon Brown 7:45 pm on February 10, 2011
The more I think about this the more it bugs me. I get just how minor this bug was but I still think it should have been made 3.0.5.1 or 3.0.6.
#1 Most users probably hadn’t updated to 3.0.5 yet. As easy as upgrades have become, why make them upgrade and install a plugin (Akismet or Hotfix)? Why not let them just upgrade and skip a version?
#2 This in theory is the last release of 3.0.x, and many users won’t be jumping on 3.1 immediately… meaning they’ll be using 3.0.5 for some time, again meaning that the final release of 3.0.x should be as rock solid as possible.
Maybe someone can explain why releasing 3.0.6 the day after 3.0.5 would have been so difficult, but this seems a case of serving the desires of the development community above the broader user community.
Mark Jaquith 7:48 pm on February 10, 2011
The bug is not nearly severe enough or common enough to warrant a separate release. That was decided first. The plugin is just a bonus offering for people who are affected by the bug but aren’t comfortable pulling from SVN.
Matthew McGarity 8:02 pm on February 10, 2011
I suspect that the impact of the issue to the WordPress user base affected going this route — what Hotfix is meant to address are inconveniences to a small pool of users vs. an issue affecting *all* WordPress users (ex: security vulnerability). Based on that, a hotfix feels appropriate, especially considering that performing WordPress upgrades can be a time-consuming effort for end users, especially those with multiple sites to administer.