wordpress: 5.4.2 -> 5.5.1

[ajs124]

Motivation for this change

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[aanderse]

This package badly needs a maintainer. @basvandijk does not maintain anymore, so it is effectively orphaned.

If someone doesn't step up during the 20.09 release cycle we might be best to remove before 21.09...

Any volunteers? 😆

[ajs124]

@dasJ how about it?

[mohe2015]

@aanderse I started working on Wordpress in #96910 but I'm still pretty new to NixOS. So I would probably be fine to be a maintainer but I can't guarantee that this will improve the current situation. I will probably update my PR tomorrow btw. Also what are your issues with the wordpress package currently?

[aanderse]

@mohe2015 the issue is just having someone stay on top of security updates/releases from upstream, making sure to backport when appropriate. Without an active maintainer it feels irresponsible to ship web based software with known CVEs. It isn't a huge job or anything... we just need one or more people to step up and be willing to create/review/test the PRs. If you're interested that is great.

[aanderse]

Thanks @ajs124 🎉 Does this need a backport to 20.09 and 20.03? Any security vulnerabilities patched here?

[ajs124]

I can add myself as a maintainer, we run probably a dozen or so WordPress instances on NixOS. We don't use the module etc from nixpkgs though, as far as I remember.

[mohe2015]

@ajs124 "The only current officially supported version is WordPress 5.5.1. Previous major releases before this may or may not get security updates as serious exploits are discovered." https://codex.wordpress.org/Supported_Versions
This needs a backport.

[aanderse]

Thanks for mentioning @mohe2015. If someone could open backport PRs it would be much appreciated.

[ajs124]

I opened a backport to 20.09 in #99388, 20.03 is on 5.4.3, which was never on master. We could still backport, but there aren't any CVEs (I think), just a general policy of "we probably closed some security issues".

[mohe2015]

I agree but for safety I would personally prefer a backport also for 20.03. (I can do it if you don't want to @ajs124 )