danielsmink
15 Dec 2016

Steps to reproduce the issue

Try to download:

https://github.com/joomla/joomla-cms/archive/3.6.5.tar.gz

Expected result

Download starts

Actual result

404

System information (as much as possible)

Additional comments

danielsmink - open - 15 Dec 2016
joomla-cms-bot - change - 15 Dec 2016
Labels Added: ?
joomla-cms-bot - labeled - 15 Dec 2016
mahagr - comment - 15 Dec 2016

The Joomla project has a private repository for security fixes and it looks like they've not yet updated the public one with the changes.

I was looking into security fixes to apply them to an older version and ended up diffing the files myself...

Not sure if they delay the GitHub update on purpose, but it doesn't really prevent hackers from attacking the sites as the release is already out there. Maybe nobody has just had the time to commit the changes yet?

danielsmink - comment - 15 Dec 2016

We automate our Joomla builds and rely on the releases on GitHub; this is the first time in 2 years it isn't available there immediately. I guess someone forgot to release it on here as well.

zero-24 - change - 15 Dec 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-12-15 10:44:21
Closed_By: zero-24
zero-24 - close - 15 Dec 2016
mahagr - comment - 15 Dec 2016

@zero-24 thanks!

danielsmink - comment - 15 Dec 2016

Thanks @zero-24

mbabker - comment - 15 Dec 2016

In the future please use the https://downloads.joomla.org site as a means for pulling the packages.

We started using GitHub as the download provider in 2014 when JoomlaCode would no longer hold up to the traffic demands of a release cycle (this was with the later 3.3 releases; if you go back before that the tags didn't include the packages).

Also, it was standing practice before using GitHub to delay publishing the release tag for security releases by a day or two. As pointed out, doing that really doesn't stop anyone looking to do anything with the security patches, but in general there is a reason most projects wait until the absolute last minute to merge and publicize their actual security patches. Since GitHub requires releases to upload packages, the release tags had to actually be published before update notifications started going out, so someone with a wise eye could use that as a possible means to get a head start on devising a way to hack Joomla sites.

danielsmink - comment - 15 Dec 2016

@mbabker is there a way to get a list of releases from https://downloads.joomla.org? Right now we query GitHub for the latest 3.* or 3.6.* release and install it. We could generate a list based on the titles on this page https://downloads.joomla.org/cms/joomla3 but if there is a more elegant way that would be great!

mbabker - comment - 15 Dec 2016

We're working on a basic API to expose some data from the downloads site, right now mostly geared toward exposing data (the latest version numbers per branch and download counts per branch/release). Once we get the initial frameworking complete we can work toward including additional endpoints.

Bakual - comment - 15 Dec 2016

https://downloads.joomla.org/latest will get you the latest release always. Maybe that helps.

mbabker - comment - 15 Dec 2016

It's a good temporary starting point. Luckily enough, the package names and routing aliases are predictable enough that, if you need something other than the full download that page lists, it's easy to do a string replacement.

danielsmink - comment - 15 Dec 2016

Thanks guys. And great to hear an API is coming.
