Dev Chat Summary: February 7th (4.9.5 week 1)

This post summarizes the dev chat meeting from February 7th (agenda, Slack archive).

4.9.3 + 4.9.4 update

  • 4.9.3 went out on Monday, 4.9.4 went out on Tuesday; note technical details behind 4.9.4
  • Note final paragraph from the 4.9.4 technical details post:
    • What we’re doing to prevent this happening again: We’ll be making a follow up post after we’ve been able to determine how to ensure that this never happens again. We don’t like bugs in WordPress any more than you do, and we’ll be taking steps to both increase automated coverage of our updates and improve tools to aid in the detection of similar bugs before they become an issue in the future.
  • If you have ideas, solutions, or are able to support increasing “automated coverage of our updates” and improving “tools to aid in the detection of similar bugs” then please gather those and add them to the pending post on this topic.
  • @jbpaul17 to see if any process-related changes might help
  • @sergey also asked for ideas on how we can improve the quality and consistency of our code reviews
  • @helen spoke with @dd32 and will look into a way to test auto-updates
  • @desrosj noted that automating some parts of the release process might help

Updates from focus leads and component maintainers

General announcements

  • The comment thread on today’s agenda post about security could not be addressed because no one from the Security team was present, but @aaroncampbell provided a response ahead of time:
    • Okay, so this is the DoS issue with load-scripts.php and load-styles.php: Basically, the best mitigation for this is at the network level. Hosts and WAFs can rate limit this in a way that makes a lot more sense than anything WordPress can do. Caching would also be extremely useful in this case. Something that we _could_ do is limit the number of scripts that could be loaded at once with those, but the problem with that is all it does is reduce the load by some relatively marginal amount.
  • @leemon asks for review on #43226; @drewapicture to take a look
  • @binarymoon asks for review on #38545; looking for someone to give feedback and get to an agreement so this ticket can move forward
  • @joyously asked whether New Contributor meeting was still occurring; @desrosj to speak with other facilitators and get the meetings re-started
  • @williampatton shared insights into his experience being a deputy release lead on 4.9.3; encourages others to contribute as leads, noting core commit access is not required, recommends pairing with experienced lead; highlighted permissions issues that should be resolved; thankful for support from others during the release process; will help elaborate on minor release handbook page
  • @chanthaboune highlighted the need to “lessen that cognitive load for new/learning release leads”, need to call out contingencies and what’s time-specific; in general how can we make the contribution process easier

Next meeting

The next meeting will take place on February 14, 2018 at 21:00 UTC in the #core Slack channel. Please feel free to drop in with any updates or questions. If you have items to discuss but cannot make the meeting, please leave a comment on this post so that we can take them into account.


WordPress 4.9.4 Release – The technical details

Today we’ve released WordPress 4.9.4, the day following WordPress 4.9.3.

WordPress 4.9.4 is the first minor release in the more than four years since WordPress 3.7 was released for which not all users will receive an automatic update.

This isn’t by choice – a bug went undetected during the 4.9.3 development cycle, and was only discovered hours after 4.9.3’s release. The bug causes a PHP Fatal error to be triggered when WordPress attempts to update itself.

Unfortunately, this means that WordPress administrators will need to run the update themselves: through the WordPress Administration panel (just hit Update Now under Updates), using WP-CLI, or via FTP. Hosts who apply updates automatically on their customers’ behalf will also be able to continue to update sites as normal.

What Happened?

#43103-core aimed to reduce the number of API calls made when the autoupdate cron task is run. Unfortunately, due to human error, the final commit didn’t have the intended effect, and instead triggers a fatal error because not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error wasn’t discovered before 4.9.3’s release; it was discovered a few hours after release.

Ways to update:

  • Through the WordPress Administration area: Simply visit your WordPress Dashboard → Updates and click “Update Now.”
  • With WP-CLI: If you have command line access to WordPress, and WP-CLI installed, wp core update will update your site just as quickly as before.
  • Manually by FTP: If you prefer, you can update by downloading the latest ZIP and using FTP to upload it to your site. The only changed files expected are wp-includes/update.php & wp-includes/version.php.
  • With PHP: If you have command line access, you can also update WordPress simply by running wp_maybe_auto_update() inside of WordPress, for example: php -r 'include "wp-load.php"; wp_maybe_auto_update();'. This is also how we suggest hosts who don’t have WP-CLI installed proceed with automated updates for their customers.

As noted above, only two files changed in this release – wp-includes/update.php & wp-includes/version.php.
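
For hosts managing many installs, the version check and the PHP update path described above can be scripted. The following is an added example, not part of the original post; the one-install-per-subdirectory layout, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which installs sit on 4.9.3, the release whose
# auto-update cron task fatals, so they can be updated by hand.

# Print the value assigned to $wp_version in a wp-includes/version.php file.
wp_version_of() {
    sed -n "s/^[\$]wp_version[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Per the post, only 4.9.3 carries the broken updater.
update_status() {
    case "$1" in
        4.9.3) echo "manual-update-required" ;;
        "")    echo "unknown" ;;
        *)     echo "not-affected" ;;
    esac
}

# Walk a root directory (assumed: one install per subdirectory) and report each site.
scan_sites() {
    for vf in "$1"/*/wp-includes/version.php; do
        [ -f "$vf" ] || continue
        site=${vf%/wp-includes/version.php}
        ver=$(wp_version_of "$vf")
        printf '%s\t%s\t%s\n' "$site" "${ver:-?}" "$(update_status "$ver")"
    done
}

# Run the PHP one-liner from the post inside one install (not called by default).
update_site() {
    (cd "$1" && php -r 'include "wp-load.php"; wp_maybe_auto_update();')
}

# Constructed sample tree (not real sites) so the script runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    for pair in alpha:4.9.2 beta:4.9.3 gamma:4.9.4; do
        mkdir -p "$root/${pair%%:*}/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "${pair##*:}" \
            > "$root/${pair%%:*}/wp-includes/version.php"
    done
    echo "$root"
}

sample=$(make_sample_tree)
scan_sites "$sample"
rm -rf "$sample"
```

To act on the report, pass each directory flagged manual-update-required to update_site, or run wp core update there if WP-CLI is installed.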

Are there any security implications?

WordPress 4.9.3 and 4.9.4 do not include any security fixes, however, in order for WordPress to receive future security updates automatically sites will first need to be updated to 4.9.4.

What we’re doing to prevent this happening again

We’ll be making a follow up post after we’ve been able to determine how to ensure that this never happens again. We don’t like bugs in WordPress any more than you do, and we’ll be taking steps to both increase automated coverage of our updates and improve tools to aid in the detection of similar bugs before they become an issue in the future.
