We have several internal wikis that we maintain. We write extensions to these wikis. We are trying to convince management to upgrade our MediaWiki version to 1.23.x. At the same time we will upgrade our PHP version from 5.2.8 to 5.4.x. We have kept our PHP version at 5.2 because of the old MediaWiki version.
We are currently at MediaWiki 1.15.3. As developers we know that we are way overdue on upgrading, but no one has ever wanted to pay for it.
Some of the obvious things are:
1. Both the MediaWiki version and the PHP version are no longer supported.
2. We do not have access to the most recent extensions.
3. Limited documentation for the old versions.
4. General security vulnerabilities. - I would love to have any specifics here.
Does anyone have any other points that I could add that would make management say yes? We have been reading about performance boosts. Any specifics?
I would also take any links that may be helpful.
Thanks,
Mary
Thanks for the question. I tried to summarise in one line the single most compelling reason to upgrade to each recent MediaWiki release at https://www.mediawiki.org/wiki/Manual:Upgrading#Why_upgrade.3F. More detailed "selling points" are in the wiki pages about each release and in bugzilla. What's convincing varies a lot depending on people; good luck, and let us know (e.g. on talk page) what convinced your management!
Nemo
On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J BeebeM@battelle.org wrote:
General security vulnerabilities. - I would love to have any specifics here.
You can start with https://bugzilla.wikimedia.org/buglist.cgi?f1=product&f2=product&f3=...
That's 55 reasons to upgrade :). CVE-2014-1610 is a compelling one for many installs.
Chris Steipp wrote:
On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J BeebeM@battelle.org wrote:
General security vulnerabilities. - I would love to have any specifics here.
You can start with https://bugzilla.wikimedia.org/buglist.cgi?f1=product&f2=product&f3=... on_ts&f4=resolution&list_id=321311&o1=changedfrom&o2=equals&o3=greaterthan &o4=equals&query_format=advanced&v1=Security&v2=MediaWiki&v3=2011&v4=FIXED
That's 55 reasons to upgrade :). CVE-2014-1610 is a compelling one for many installs.
Hmm, probably not quite 55 reasons. The original e-mail said that it was an internal wiki running 1.15.3. Internal is somewhat ambiguous, but if the wiki is on an intranet, most of the security issues are... not very severe. There's usually a presumption that people on an intranet are trusted. If there are untrusted users on the intranet, you probably have a lot larger problems than your MediaWiki installation. Of course part of the reason that companies put wikis on an intranet is that sysadmins don't trust large PHP applications (with good reason). Plus, when you're running a particularly old version of MediaWiki, many of the newer security vulnerabilities are irrelevant as they rely on code paths that didn't exist previously. For example, the XSS vulnerability in the info action wouldn't affect a wiki running 1.15.3, nor would a vulnerability in Special:Upload that was introduced in September 2009, assuming 1.15 was branched in March 2009, as mediawiki.org's "Branch points" page states.
That said, MediaWiki maintainers should absolutely try to keep up to date, but it's annoying to do. One of my old wikis is running 1.12.0 still. :-) Upgrading MediaWiki core and its extensions is tedious and it's not totally unreasonable for people to want to stick with what works.
MZMcBride
On 13 Jun 2014, at 01:28, MZMcBride z@mzmcbride.com wrote:
[..] companies put wikis on an intranet is that sysadmins don't trust large PHP applications (with good reason). Plus, when you're running a particularly old version of MediaWiki, many of the newer security vulnerabilities are irrelevant as they rely on code paths that didn't exist previously. For example, the XSS vulnerability in the info action wouldn't affect a wiki running 1.15.3, nor would a vulnerability in Special:Upload that was introduced in September 2009, assuming 1.15 was branched in March 2009, as mediawiki.org's "Branch points" page states.
That said, MediaWiki maintainers should absolutely try to keep up to date, but it's annoying to do. One of my old wikis is running 1.12.0 still. :-) Upgrading MediaWiki core and its extensions is tedious and it's not totally unreasonable for people to want to stick with what works.
And that's why we still have IE 6 and IE 7 :-)
-- Krinkle
wikitech-l@lists.wikimedia.org