This is different to: #25820
Instead, I'm referring to the <version> tag in the Joomla package manifest: https://github.com/joomla/joomla-cms/blob/staging/administrator/manifests/files/joomla.xml#L9
Unless the host (or you yourself) blocks direct access to this file, it can be used by 3rd parties to get the Joomla version. If a known security vulnerability with Joomla comes to light, you can simply see what version of Joomla said website is using and exploit it if they haven't updated.
There are of course other easy ways to get the Joomla version externally without the need for this manifest file, but this would be an attacker's first attempt at getting the version externally.
I know this is used for detecting whether or not there's an update for Joomla, but seeing as you have a Version class (https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Version.php), would it not be better to make an exception in the update checker, so that if it's searching for a core CMS update, it gets the user's current version from the class as opposed to the manifest?
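The mitigation the report mentions ("block direct access to this file") as an added example that is not part of the issue or of Joomla itself: an Apache `.htaccess` fragment for the Joomla web root that denies HTTP requests to the manifest directory. It assumes `AllowOverride` permits these directives and that mod_alias is loaded; the updater reads the manifest from disk, so a web-level deny does not affect it.

```apache
# Added example: drop into the Joomla web root .htaccess (assumption: AllowOverride
# allows FileInfo/AuthConfig here). Manifests are only read from disk by the
# installer/updater, so refusing HTTP requests for them costs nothing.

# 1) Path-based deny: any request under administrator/manifests/ (the core
#    joomla.xml, package and library manifests) gets a 403.
<IfModule mod_alias.c>
    RedirectMatch 403 ^/administrator/manifests/
</IfModule>

# 2) Belt-and-braces file-name deny, in case the directory rule is bypassed by
#    an alias or the site lives in a sub-directory where the path anchor differs.
<Files "joomla.xml">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

After deploying, request `/administrator/manifests/files/joomla.xml` from your own site and confirm a 403 rather than the XML body; remember this closes only this one disclosure path, not the others the thread alludes to.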
Labels | Added: J4 Issue |
Status | New | ⇒ | Discussion |
Should've never written the core update process to try and update Joomla as an extension of Joomla in the first place (and that probably has implications that I'll not go into publicly).
The XML manifest for extensions is invalid if it doesn't have a <version> tag, so without making it optional for everything at the XSD level, you can't write a bypass rule for one scenario.
@mbabker Just for my understanding: what do you mean by "core update process to try and update Joomla as an extension of Joomla in the first place"? The method of using the extension installer to update the core CMS like it worked until before 3.5? Or the "Upload & Update" method which was included in the Joomla Update Component with 3.6? I am not sure what you mean, maybe because I am not a native English speaker.
Please keep on topic
I won't derail this but basically Joomla core updates itself in the same way that an extension of Joomla would, and everything that integrates with the Joomla\CMS\Updater and Joomla\CMS\Installer libraries has the same requirements as an extension would (hence the joomla.xml file mentioned here must be a valid extension manifest and can't omit the <version> element).
@brianteeman What the hell is off topic here? Michael explained why the version can't be removed easily from the XML, ok, with a bit of historic background, and I asked him a question about his comment in order to understand it right. Was your tea bad?
Not sure what the opinions are on this but closing for now. Can be reopened if need be.
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-08-27 14:10:19 |
Closed_By | ⇒ | C-Lodder |
That's why it's a pointless change. See https://github.com/blackhatethicalhacking/CMSeeK/blob/master/VersionDetect/joom.py