The 1.0 and 1.0a are almost identical, but the latter fixes a security bug which uses the OAuth key to sign the originating domain as well as the request, not just the URL.
One key to understanding is to realize exactly why it is that the kind of bug report non-source-aware users normally turn in tends not to be very useful.