Do others consider it a security risk to leave CHANGELOG.txt web accessible; i.e., broadcasting what version of Drupal you're running, for those who know to look? -Matt