I’ve posted my MT 2.5 to 2.6 upgrade notes, which are also linked to from my MT 2.5 install notes.
Important Security Note
Make sure you clean up any backup files created by your text editor. I have updated my 2.5 install notes to include appropriate instructions.
With Movable Type, you put your database password into a file called mt-db-pass.cgi. If you edit that file and save it with Emacs, you will get a mt-db-pass.cgi~ file with the original file contents. If a hacker guesses your directory structure, she can just ask the web server for that file. Since a .cgi~ file is nothing special to the web server if it is in an ordinary directory, it will serve it up just like a regular text file. Trust me, I recently discovered and confirmed this on my site.
Even if you changed your password in this file while editing it, a hacker would get the previous password, which might provide a clue to your new password or be a password you are using elsewhere. The worst case would be if you saved the file without changing the password.
Be sure to immediately remove editor-generated backup files if they contain sensitive information. This is obviously not specific to Movable Type files.
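One way to do that cleanup, as an added example that is not part of the original notes: a small POSIX shell script that lists, and optionally deletes, editor backup files under a web-served directory. It goes beyond the Emacs `~` case described above; the pattern list for other editors and the function names are assumptions to adapt.

```shell
#!/bin/sh
# Added example: find editor leftovers under a directory the web server serves.
# Patterns (assumed list, extend for your own editors):
#   *~             Emacs backup, e.g. mt-db-pass.cgi~
#   #*#            Emacs auto-save
#   .*.swp .*.swo  Vim swap files
#   *.bak *.orig   generic backup / patch leftovers

# Internal helper: run find with the pattern list, then any extra actions.
_backup_find() {
    dir=$1
    shift
    find "$dir" -type f \( \
        -name '*~' -o -name '#*#' -o \
        -name '.*.swp' -o -name '.*.swo' -o \
        -name '*.bak' -o -name '*.orig' \) "$@"
}

# List matching files, one path per line. Nothing is modified.
find_editor_backups() {
    _backup_find "$1" -print
}

# Print each matching file, then delete it.
purge_editor_backups() {
    _backup_find "$1" -print -exec rm -f -- '{}' ';'
}

# Command-line use:
#   sh clean-backups.sh /path/to/mt           list only
#   sh clean-backups.sh /path/to/mt --purge   list and delete
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--purge" ]; then
        purge_editor_backups "$1"
    else
        find_editor_backups "$1"
    fi
fi
```

Run it in list mode first and review the output before using `--purge`, since `*.bak` and `*.orig` can match files you created on purpose.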
This re-examination of file security was triggered by my discovery this afternoon that someone appears to have obtained the password I had been using with my blog and used it to post to my blog with my PhoneBlogger tool.