Hello,
Our school currently uses Moodle 1.9.7 and are happy with it. We have heard that it is no longer being supported. Is it still safe to use?
If we upgrade to Moodle 2.4 what are the comparisions? I'd like to hear some first hand reports of Pros and Cons to 2.4 and advice on whether to upgrade or not.
Thank you.
You may find that updating your site to the latest version of Moodle 1.9 will leave you safer than trying to move to Moodle 2.4, in no small part because Moodle 2 introduced lots of security issues. Additionally, Moodle devs have actually reintroduced defects that make upgrading to Moodle 2.x problematic.
Are they later versions of Moodle 1.9 still supported and upgraded with security fixes?
Hello Danielle,
I concur with Marc in that it is highly reccomendable to upgrade to the last version of 1.9 which is 1.9.19+. This version is not developed anymore, but security releases will be made occasionally until December 2013 according to the information on the download page.
Since your installation is from the same 1.9 branch, upgrading should not be troublesome. Upgrading to version 2.4 may be rather more momentous an operation and should not be attempted unless you have a back up plan (literally).
Rgrds,
Paul.
My concern is with what happens after Decemeber 2013 when the security updates aren't supported anymore.
We are happy with our Moodle 1.9.7 and are only looking to upgrade to 2.4 because of the security updates.
Hi Danielle,
If you are concerned about security updates, then surely you would have and will from now update from 1.9.7 to 1.9.19 as others have recommended. You have missed three years of security patches!
What will happen after December 2013? Probably nothing. As you have been running your site without security updates for several years now, you have not had any problems, right? But there will always be a possibility that a malicious hacker with tremendous ability will target your site. That is probably FUD, so I would not worry. Mostly, Moodle HQ is saying that from December, security on 1.9 is now your responsibility not theirs. And since security updates are not high on your priority list, I would say, just leave it and don't worry.
However, I did have an experience of leaving an old php forums script on my server. After 8 years, an automated spamming bot came and messed up the front page of that forum. No one ever looked at it, but my IT staff noticed the intrusion, reported the hack to me, and told me to remove the old script.
I am inclined to agree with Don here, staying current does not seem to have been an issue in the past so why worry about it now. If you do decide to upgrade to v2.4, then I would suggest you download v2.2.x, whatever the latest version is.
Marc may or may not be right about potential security risks, (I have learned to listen to his concerns even if I do not always agree) but I do understand that that the leap from a v1.9.19 to v2.4 is a rather large step, so a brief stopover in something a bit closer to what you have might be a safer route.
Hi Danielle, I have a few coments a little different to the other themes in this thread.
SHIFTING TO 2.X Firstly, there is pain in the upgrade to 2.X. You can end up with a lot of extra stuff in your database if you do the upgrade paths suggested. There are unresolved issues with what happens to legacy files. However you do get users/old data shifted across.
If you go another way, setting up a nice clean shiny new 2.4 server and importing courses one by one you are up for a lot of time. You can't shift users, but this can be managed. You can hit the "big file" limit. https://tracker.moodle.org/browse/MDL-34388 You can have audit/history requirements from your institution that mean this is not possible.
Many places have run two systems at the same time, and had a slow motion change over. This is my favoured route.
With either approach, you have the problem of plugins and customisations. You have user training needed (like the new file handling). And you DO need an upgrades system in terms of power and versions of PHP etc.
SECURITY. I'm not sure of Marc's comment about secturity: I'd need more information and specifics, but sometimes, unpopular as his posts are, he is at least partly right.
Delaying a shift may one day lead you to the place where your servers have moved on, a new version of PHP doesn't support 1.7 etc etc. But this is purely speculation. I remember having to migrate (rewrite) my DOS database programs to WINDOZE.
---
This is where you may not like my comments. You say: "Our school currently uses Moodle 1.9.7 and are happy with it".
This may well be a completely true statement. But trying to find an analogy: "We have an open fire, and we are quite happy with it. We don't need air conditioning".
There are a lot of nice new things in 2.4 core. Drag and drop. Duplicate activities. Section descriptions. Insert pictures in student posts. Assignment improvements. Conditional release. Better editor. New theme engines. Responsive design. Quiz improvements.
Some things are improved, but not fixed fully yet: single section display. (ie the scroll of death is partly solved). Sharing files between courses. (ie the silo of the course it partly solved). Some improvements to core enrolment plugins/functionality (but still no automation of user management and enrolments, so there is a huge overhead in managing accounts unless you have provisioning done another way). Navigation. (We now sometimes have a Navigation SOD)
Some really basic things things remain unresolved in Core Moodle. A small number of things have gone backwards.
---
However, You may not really be using Moodle 1.9.7 core, but have all sorts of addons and hacks, so you really don't NEED to move. I met someone years back who I respected. They said "We use Moodle and it is great" For me at the time there were huge show stoppers in Moodle. Then I found out that this guy did not realise they had a system with Moodle + hacks, + plugins and + customisations to make things easy to work. No scroll of death, no user management overheads, an alternative forum, provisioning courses with activities with less clicks, custom reports etc. So we were not talking about the same entity. This is the problem of maintainability if you stick with a highly patched 1.9.x. A faith statement: I believe that most of these issues (but possiblynot all) can be worked on with careful choice of plugins in a 2.4 install.
In summary:
Personally, I think that if we are on 1.9.x we need to consider how to make the shift from 1.x to 2 and when (using an approach with the least pain), and move beyond the question "if" we make the shift. While I still find some things difficult in 2.4, on balance we have gained far more than we have lost, and for other reasons, there may be problems eventually if we don't make the shift.
Much more than I ment to write.
-Derek
"Moodle 2 introduced lots of security issues"
Do you have any evidence for that statement? I think it is false.
Similarly: "Moodle devs have actually reintroduced defects that make upgrading to Moodle 2.x problematic", sorry, but WTF? Is this anything other than FUD. Again, please cite your evidence.
Sure....
a) Tracking the security fixes that have been published since the release of Moodle 2.x, the prepoderance has been Moodle 2 security issues resulting from new code. If you are doubtful about this, Tim, just go through them, something you arguably should have done before jumping up and complaining, lol.
b) AMong toher things, the tracker item showing that the ability to import 1.9 courses is now, wait for it, broken under Moodle 2.4
And for those who are now wondering about how a Moodle Dev could be unawares of the issues Tim claims are false, well, there you go......
Oh, and as lng as we are on the subject, Tim, please exaplain why one can't restore a Moodle 1.9 course with user data to Moodle 2.4?
Oh, now I see what you mean Marc. This is not a problem for me, in fact it is probably somethjng I regard as part of life. You write new code, you test as well as you can, even with the best of coders, you'll create bugs and security holes. I'm not sure MoodleINC is any different to other OS projects in this respect (and I follow a number including Mahara, WP, Canvas, Audacity, Drupal, Joombla, VLC). And probably better than most. Check out http://www.makeuseof.com/tag/the-10-best-open-source-projects-you-should-be-volunteering-to-help-with/
As to point b) I was a bit remiss in not posting on the tracker item when I was tinkering with this issue a while back: it seems fixed for me with at least two of the installs I work with. It is not clear from the thread what the status of this is - often people get the problem sorted and forget to come back and report in. https://tracker.moodle.org/browse/MDL-37879 There has been very little further chatter, which says nothing, but it could indicate this is not a worry. I guess I should add to my comments earlier about restoring into 2.4: do a test install, and check. Arguably MoodleINC does not do a good job of warning people of known problems with a specific upgrade activity. It is all there in the tracker (generally) but not easy or straighforward to find.
Your final question: you are probably asking the wrong person.
-Derek
With respect to the moodle 2 security issues, Derek, I was not suggesting that this was a problem with Moodle alone - only that at this point Moodle 1.9 was as secure as a Moodle product was likely ever to get, lol, while Moodle 2, generated many new security issues because it was new code, as you mention.
But, as to the ability to upgrade, Moodle has always been a bit of nightmare across major versions, and as someone who had hoped the difficulties would become smaller, not greater, the continuing lack of a smooth upgrade process to the current version is disappointing.
I have continued to recommend the same kind of response that you suggest in your post first post - if you want to do Moodle 2 and you have a Moodle 1.9, create your Moodle 2 instance and have your teachers build new for 2, taking advantages of 2 fgeatures whiole avoiding 1.9 pitfalls, while continuing to run the 1.9 production version, assuming that you need what 2 offers, or are unwilling to fall further behind.
I think for many Moodle 1.9 is all they will ever need, and while I can celebrate the ability to have a full featured editor in 2.5 that will provide the ability to have Math features that finally make Moodle a viable Math instruction platform, there are so many tradeoffs and so much pain that upgrading may not be worth it.
p.s. thanks to you and C for noting that something I might say might have some value
de nada... However, you, as always, raise interesting points, Marc. Unfortunately, the responsibility for the issues arising I would offer is due to a rather ambitious and demanding release cycle. I understand the logic behind the cycle, Martin was very clear about it, but it does not mean it is not ambitious. To sustain that is difficult, as there is not always enough time for repairs to be made, tested and included between minor upgrades to then pass on to major upgrades. Going from v1.9.x to v2.0 was a difficult enough process, but the time from v2.0 to 2.4 is, IMNSHO, a fairly rapid pace. Again, the logic is not necessarily flawed, or even arguable, but has anyone asked if it is really what is needed. At some point, might it not be better to stop and smell the coffee before moving on? Or maybe double the time cycle between minor version releases, which automatically, doubles the time between major upgrades.
I'm just not happy with the idea of Moodle shooting itself in the foot by trying too hard. Or perhaps placing people who work on the product under too much stress to complete things. I have seen both these things bring good works down too often to be comfortable with them while they may be going on.
Of course new code is more bugs than old code that has been in use for a long time and has had all the bugs found and fixed.
And Moodle 1.9 is now all old code that has not had significant new features added to it for years.
There are two types of security issue that you can get in software. There are what you might call tactical things: this specific page in Moodle has this specific security hole. Then there are strategic issues, about the design of Moodle, which affect the security of the whole thing. Moodle 2.x introduced several major strategic security improvements (e.g. switching to placeholders to insert values into DB queries). Strategic improvements like that that massively reduce the chance of certain classes of tactical security problem (in the placeholder case, they massively reduce the chance for SQL injection attacks.)
So, Moodle 2.x is stragegically more secure, but because it contain more new code, it is likely to be tactically less secure in the short term, but those things are likely to be easy to fix when found, and it is the inevitable price you pay for getting new features.
However, in recent years, the processes surrounding Moodle development have got more robust. New code going into Moodle now gets reviewed at least twice by other people, and testsed, before it is released. In the 1.9 days, many developers could add code directly to Moodle without review. So, new features in Moodle 2.x are likely to be far less buggy that new features that were added to Moodle 1.9 were in their day. (I have not done the data analysis to try to test that guess.)
"stragegically more secure, but * * * tactically less secure in the short term"
Maginot line?
Visvanath, yes, you are right, but I am thinking now I need to be a little more circumspect in my wording. What I was thinking was that if the intent is to update, then go to v1.9.19+++++++++ first, then to v2.2.x then to v2.4.x, with an emphasis on the word "if". Make a clear update path. For me, the fundamental issue is not the Moodle version, but that sooner or later, the environment will change and a v1.9.7 is just not going to be comfortable with that change. I know it should be, but eventually, as the hardware is updated, or the environmental software is upgraded, or the shell is updated, or some other factor changes, the old software, applications or tools, will just fall over. If there is at least a modicum of currency in the software being used, then this issue will not be as urgent.
I found, to my surprise, my original MS-Word v2.2 discs a few weeks ago, translated to a CD-ROM, but I doubt it will even work in Windows 7. OK, this is more than just a few years, but the principal is the same. Technologies change at increasingly faster pace than they used to. Currency in versioning is going to become a serious issue, if it hasn't already. Unfortunately, this means that being comfortable with any one version of something is no longer a possibility. Perhaps this is something that we need to make sure the Moodle community is aware of.
Why can't you restore user data form 1.9 to 2.4? Because no-one has developed that functionality.
It is a huge and difficult data transformation project. We are talking person-years of time to do it right. Everyone who controls that much Moodle development resource has done the cost-benefit analysis, and decided it is more productive to do something else instead.
The recommended route to get form 1.9 to 2.x is to upgrade. Moodle HQ have said that they will help fix any bugs that people enounter when trying to do that.
If you really need to get user data from 1.9 to 2.x, and want to start with a clean site, then upgrade a copy of your 1.9 site to 2.2.9, then backup from there, and restore into your 2.4 site.
MDL-37879 seems to be somethings weird to do with files on Windows servers, and there is not enough information there to know what. Without more information, it is not possible to work on a fix.
"...new code is more bugs than old code" and
..no-one has developed that functionality."
Is this not symptomatic of what I was talking about? The ability to make that transformation in v2.2.x does do it, but later versions have lost the functionality. I appreciate that there needs to be an endpoint where there can no longer be support for much earlier versions but this is a little short time, is it not? Should/could something be done?
Is there any reliable data for people who are using v1.9.x+++? I know here is a number of issues around these questions but simply put, there still needs to be a certain level of support for people who will not upgrade, for whatever reason. One day their Moodle won't work and they will get asked why have they not changed up? People will shake their heads and wonder at the obvious lack of interest when that may not be the issue at all. We had this problem some time back when someone was asking about transitioning from v1.4 or v1.5 to v1.9.11. In private conversation I found out the guy who was the Admin left and had not bothered to pass on any information. The newcomer had not even realised that Moodle had moved on nor that there was a Moodle community, she found it by accident. No-one could help her, for obvious reasons and in the end she basically had to rewrite all the courses in a v1.9.11. Isn't this same problem that has generated this conversation? So is it a frequent occurrence?
Obviously, there cannot be endless support, nor can Moodle ever be a "system of perfection". Just as obviously, this issue is going to arise and if it is a problem even now, then it will likely linger for quite a while, I suspect. I would suggest to get over this that a converter could be constructed as a separate downloadable that can be used to ease the transition for those Moodlers who have not updated. If that is available, it would make some things easier. I suggest half of it is probably constructed and is residing in v2.2.x. I know it is not that easy, and, realistically, if something could be done, should it be done? Or is it the dog chasing its own tail in ever diminishing circles? For me though, there is a certain profit in this kind of thing, even if it is only to promote a PR exercise about Moodle's consideration for long term, technically challenged, users.
Sorry, this is getting away from the topic and more than my two cents worth.
Thank you all for your advice and information. You have given us a lot to think about.
If anyone else has any insight into the subject, I'm happy to hear it.
Hi Danielle,
As mentioned on http://download.moodle.org/, 'We highly recommend you upgrade!'
Just making sure that you are aware that to upgrade to Moodle 2.4, you will first need to upgrade to Moodle 2.2. Also, it is recommended that you upgrade to the latest 1.9.x before you upgrade further. Please see the documentation Upgrading to Moodle 2.4 and Upgrading FAQ for more details.
Notice that the upgrading FAQ does not indicate that you have to upgrade to 2.2 to get to 2.4, while the upgrading to 2.4 doc does.... The tradition of making things just about as confusing as possible continues (and note that there is no explanation for this in either doc.)
And this is where people get their shorts in a twist and suggest I am trolling, because it seems to me that if whoever "we" is truly wanted to make this all simple, "we" would have eliminated the gazillion gotchas, lol. For all intents and purposes the OP has hit a wall, and frankly the energy required to make it over that wall makes it advisable for the OP to consider the wall much along the line of their first approach to an LMS system, recongizing that while one of the niceties of Moodle, its extensibility, also makes it virtually impossible to upgrade without surrending those extensions Suffice it to say that if you have a half dozen developers working in-house and Moodle 2.x, on analysis of it and its competitiors, is somewhere you want to go, that is all well and good.
Marc, I'm pleased you like 1.9 and are staying there, but using the evidence of the security fixes that we publish does not only lead to your conclusion. Logically that route could just as easily point to the conclusion that 2.4 has a lot LESS security bugs because they were found and fixed. To distinguish you need to work out what was not found or not reported (good luck).
Either way, 2.x will continue moving forward and we will keep providing the features that people are asking for (the ones we've been adding to Moodle 1.9 for the past 5 years).
Anyone who wants to migrate their data from 1.9 to 2.x just needs to go through the well-established and tested upgrade path.
"well established and tested upgrade path"
ROFL
life in oZ
Unfortunately, MD, you seem to have trouble reading what I wrote. I made no comment about what I am "pleased" with, and was simply responding to the concerns of the OP.... you know, that might be something you try from time to time
What's most interesting to me in this discussion is how the usual FUD can cause organizations, teachers, and students who would otherwise benefit greatly from Moodle to be denied the use of it.
Imagine, if you will, the following conversation:
Idealistic proponent of Moodle: "There's this cool new [old? mature?] open-source LMS/VLE called Moodle."
Dim person in position of authority in organization: "Oh, I've heard it has security problems."
IPOM: "Well, no more than other OS software. And Moodle employs a full-time security person!"
DPIPOAIO: "But people say it has security problems - I even read it in a Moodle forum. Get me the number of [insert name of provider of commercial CMS]."
I have heard that exact conversation! I swear, the FUD of "that software is not secure" is often enough to send many DPIPOAIO's into the arms of any provider who will guarantee some level of security.
The solution, I believe, is to have people within an organization who are smart enough and confident enough to work with OS software and not be scared off by FUD like "It's not very secure." But unfortunately not every organization has people like that. And I'd venture to guess that the organizations that are attracted to Moodle - by its low cost, flat learning curve, and overall cool-ness - are exactly the types of organizations unlikely to have a lot of those folks (small or one-person IT depts, or one-person training organizations).
I'm not sure how comforting my words are for the original poster, who just wanted to know if upgrading is a good idea, but I'd say that where you stand depends a lot on where you sit. I myself still haven't upgraded to Moodle 2.x, but when I do, I basically expect to re-build most of my courses, just as I'd expect a major re-tooling anytime I switch to a new, improved tool. And I'm confident I'll see better functionality and better security (but not perfection, which would just make me nervous).
Peter
I agree Peter, with the idea that far too many dimwits are in charge of multibillion dollar operations. They should go Open Source. However, Open Source is just not for those organisations. They don't care they could save perhaps $100,000 and an annual licensing fee of $20,000, they can afford it. So who cares what some DPIPOAIO thinks. Open Source is for not for profits, educational, start ups and similarly cashed strapped or poorly funded organisations for whom a $100 is still $100.
If any of those clowns ever bothered to do a simple comparison about days down due to security hacking, my guess is they would be unpleasantly surprised. However, having said that, the kinds of organisations that really have to worry about their security, I suspect are on Linux and are building their own applications.
And Visvanath, that is just brilliant.. And yes, we are right off topic, but clearly there is an issue that needs to be discussed.
If you do not think there is anything to discuss, please see this question... Mary's reply is interesting.
Yes you need to get on the latest version, the longer you wait the harder and more work it becomes to ultimately upgrade. The latest version is much cleaner looking. Just have to get used to some of the new features and presentation. All and all it is better.
The process of upgrading can be rather challenging. I recently went through the process and tried to document as much as possible to help others as I found it difficult to find accurate steps. Refer to my post for guidance:
https://moodle.org/mod/forum/discuss.php?d=224561
Good luck.
Oh my, Shawn.... how could you find upgrading challenging or documentation of accurate steps difficult to find when the moodle oracle hath proclaimeth:
Anyone who wants to migrate their data from 1.9 to 2.x just needs to go through the well-established and tested upgrade path.
where must your head have been???
I think the rating system needs a re-think to include a 'flamebait' category.
.....I'll get me coat on the way out....
