28 July 2023, 21:30

Moodle 4.2.1 running PHP 8.0 (as recommended)

Mahara 23.04.2 running PHP 8.1 (as recommended)

Please note Kristina: we are juridically forced to run PHP 8.x in Europe. AS PHP 7.4 is deprecated, we are no longer allowed by GDPR legislation to run PHP 7.4. It will not get any security updates.

I will come back to this, because the path Mahara has chosen (with subscription) I do understand. We are also sponsoring the Moodle Users Association with a higher amount than we pay now for Mahara.

It's just that we didn't have any choice that bothers me. I will send you an Email about this, because I preach 'open source' in our organisation for years, yet Mahara has let me to the worst vendor lockin I have experienced so far.

But that's beside the point right now. What is urgent for us is that we have a working Moodle-Mahara on August 21, when our schools are starting again. And so far... Mahara assignments are not working for us. Which we have used a lot in the past years (with MNET), so we are going backwards in critical functionality right now.

31 July 2023, 6:05

Hi Richard,

Can you please point me to the section in the GDPR legislation that  you mention requires you to go with a supported version of PHP? I fully understand that is always the best, so am not disputing that. I'd just like to know where this is stated as you seem to have it handy.

You can submit Mahara assignments via the External Tool in Moodle. Since I don't know what your grading workflow is and which grading methods you use, I can't tell though if that were a viable short term solution.

Thank you

Kristina

31 July 2023, 20:56

@Kristina, I will send you an Email about the legal stuff. It's just what has been told to me by server admins & security officers. See also my message to Dan Marsden. I'm confronted with this: https://www.php.net/supported-versions.php which tells me no more security updates for PHP 7.4.

As for the Mahara-Moodle problem: 

You can submit Mahara assignments via the External Tool in Moodle.

This will not work for us as assignment grades are being synchronized to an external SIS and external tool grades are not synchronized to the SIS. We need to submit portfolio's in a Moodle assignment, like we did the past 2 years.

Since I don't know what your grading workflow is and which grading methods you use, I can't tell though if that were a viable short term solution.

What do you mean by 'grading workflow'? We just use the assignment in Moodle and installed the plugin supported by Mahara. Last year we used this plugin: https://moodle.org/plugins/assignsubmission_mahara

So students just go to Moodle, submit their portfolio's as an assignment in Moodle. Then teachers grade it. Nothing special I think, but please let me know what information you are missing?

31 July 2023, 21:32

OK, follow up on t he GDPR question (but I will go into more detail in an Email Kristina)

The thing is this: we store personal data on our servers, like most schools. There's an obligation on our part to do this safe. Part of this obligation makes that we do not run outdated end-of-life software with no security support.

This obligation comes from article 5.1.f of the GDPR which says: 'Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).'

Imagine the following: in november 2023 some security flaw in PHP 7.4 is being discovered. We run to the PHP website to make sure we upgrade to a version that fixes that security flaw. PHP website already stated PHP 7.4 is end of life. No security updates available. We are then forced to make the step to PHP 8.x which will have security updates.

Lets be practical about this and look forward and upgrade now, when the schools are closed due to summer holidays, and when the PHP website explicitly tells us to do so.

When a data breach occurs, legal procedures will look at the amount an organisation is to blame. Knowingly running end-of-life software doesn't really help your case in the fine that will be following.

Hence, the legal need for us to upgrade to a supported version of PHP.

Hope this clears things.

BTW, I changed my test server to PHP 7.4 and tested the Mahara assignment submission in Moodle. Still gave me the same errors, so the PHP version doesn't seem to be the cause of this problem.

31 July 2023, 10:32

Hi Richard!

Just to clarify a misconception there - PHP 7.4 is definitely still supported for security updates by the operating system vendors.

Here at Catalyst we recommend the use of Ubuntu LTS releases for your web-servers, and Ubuntu 20.04 comes with a fully supported PHP 7.4, including security issues "for free" until April 2025 - many other operating system vendors do the same thing. We also on occasion rely on Ubuntu's "ESM" service, which provides even longer security support for both the operating system and PHP version on the release.

This does require that you use the PHP version that comes bundled with the operating system release rather than managing your own PHP builds on the server, but that's generally a good thing to do anyway as the operating system will automatically pull through security updates for PHP as well as the O/S rather than having to manually manage PHP on it's own.

I haven't read anything that suggests that using LTS releases of Linux based operating systems is not allowed in Europe (in fact I know of a number of organisations that do) - but I'd be really interested in any reading/links you can provide that say otherwise?

thanks!

31 July 2023, 20:50

@Dan Marsden,

I'm just looking here: https://www.php.net/supported-versions.php

This tells me 7.4 is End-Of-Life. No security support.

See also: https://www.php.net/eol.php

And my hostingpanel says this:

I think the server is running CentOS Linux, but that will change in the future.

01 August 2023, 11:59

yes - I know this is super confusing! :-)

You are referring to the manual builds that come from PHP.net - most Linux-based operating system vendors including Red Hat for Centos support PHP including security fixes for longer than this period for PHP versions that are included as part of their standard releases.

Of course you can break that update process by installing PHP manually via other methods on your server so you need to make sure you are using the standard version of PHP for that operating system build - and are keeping your operating system up to date with all official patches from upstream.

You mention a "hosting panel" - which suggests to me that you might be purchasing web-hosting from a provider rather than managing your own hosting systems so you may have no control over how PHP has been deployed to these servers. If your current provider is unable to provide you with a well managed/up to date PHP version, you may need to find another provider who can help - of course there are also various Mahara partners that can provide software as a service hosting (on supported operating systems including php support) as well! :-)

Hopefully the new subscription model will also help to grow the Mahara development team further allowing them to move faster on improving support for future PHP releases in future too!

 hope that helps to explain things in terms of PHP support - all the best!

02 August 2023, 22:40

Hi Dan,

Just to clear things up: we are not using a hosting provider.

I don't think it is confusing and frankly I don't agree with you, but I leave this issue to rest. We have bigger problems now, which is why I posted here. And I still don't see an answer to the Moodle-Mahara assign submission not working.

03 August 2023, 10:14

I don't think we completely disagree - in an ideal world, The Mahara core team would have heaps of developers with a funding model that supports them to add and test PHP support for every new version in a timely manner, but unfortunately there is a very small team of developers working on Mahara core and if the team was only focusing on PHP support, they would never get anything else done! - hopefully the new subscription model they have implemented will help to improve this in future! 

Another project I know you're familiar with also has community members who struggle with the policies that their core team has chosen around what PHP versions are supported in which versions:
https://moodle.org/mod/forum/discuss.php?d=440148

As you know, I work at Catalyst IT and we host a number of Mahara sites (and other systems) with clients all over the world including many in the EU that are concerned specifically with GDPR policies like yourself. Security and running up-to-date and patched systems is extremely important to us which is why we rely on the operating system vendors like Ubuntu to provide security back-ports to PHP versions that are no longer in support by the main PHP project. We also take this a step further and can provide security backport services for unsupported applications like Moodle and Mahara when a client needs to run an older application release longer than the officially supported period (at a significant cost).

To give a specific example, Ubuntu 20.04 is supported by Ubuntu (for free) until May 2025, Ubuntu 20.04 comes with PHP 7.4 and the Ubuntu security team provides full support for PHP 7.4 (including the back-porting of any security issues reported in newer PHP versions) - this is also why we run applications  like Moodle 3.9 on Ubuntu 20.04 servers.

From Catalyst's perspective we are compliant with GDPR legislation when running systems like Ubuntu 20.04 with PHP 7.4 - but of course, if you wanted to fund time for a developer to look into improving PHP support or helping with the issues you're having, I'm sure the Mahara team would love to hear from you.

In the NZ Elearning team here at Catalyst (not Mahara core team) I do have an internal work requests in our system to spend some time looking further into the Mahara LTI assignment submission plugins - of course the priority of work we are "paid to do by clients" has to be prioritized way before "free work we do for the community" so it's hard to give you any timeframe on when that might actually happen - any help you can provide in investigating the issues you are having and posting the research here in the forums (or in the github issues tracker) would be great!

Keep in touch!!

03 August 2023, 18:15

Hi Dan,

I don't expect free work. We donate a lot of money to the Moodle User Association. We also already signed up for Mahara Enterprise subscription.

My simple question is: how do we get the functionality back that we so need. Our schools will open in 2 weeks time and yet I seem to be losing a lot of time spending on this problem but not going further.