Chamilo

EDTECH
Velocity 2.5

LMS and EdTech platform: Chamilo

Chamilo is racing its 2.0 rewrite (Symfony backend, Vue frontend) to GA while hardening the legacy 1.11 line.

lms, edtech, open-source, platform-rewrite, security, plugin-ecosystem
Current state
Chamilo is running two tracks at once. The legacy 1.11.x line keeps shipping security and bugfix maintenance releases (1.11.38, 1.11.40), several addressing critical vulnerabilities. Meanwhile the 2.0 rewrite, a Symfony backend with a Vue frontend, is grinding through release candidates packed with plugin-system revival, LTI interoperability, ONLYOFFICE and H5P integrations, and a sweep of security fixes including removal of an eval()-based RCE.
Where it's heading
The center of gravity is the 2.0 RC series marching toward a GA that has already slipped past its milestone date. Each RC both ports legacy tools to Vue and re-enables the plugin ecosystem (CardGame, BBB, BuyCourses, XApi, Tour) on the new architecture, suggesting GA-readiness is gated on plugin parity and migration fidelity rather than new features. The parallel 1.11 security cadence signals Chamilo intends to support the old line through the transition.
Prediction
Expect continued 2.0 RCs focused on migration and plugin parity before a GA cut, with the 1.11 line receiving security-only releases in the interim. The volume of security fixes inside the RCs points to a hardening push as a GA gate.

Recent moves

  1. 3d ago

    Chamilo 1.11.40: security and bugfix maintenance release

    Keeps the legacy 1.11 line current with a security and bugfix release atop 1.11.38, reinforcing Chamilo's commitment to the old architecture while 2.0 matures.

  2. 2mo ago

    Stop logging AI base-provider fallback events

    An internal change to stop logging AI base-provider fallback events, an infrastructure tweak with no user-visible effect.

  3. 2mo ago

    Bump tar dependency 7.5.3 to 7.5.6

    A routine Dependabot dependency bump of the tar package; internal maintenance with no functional change for users.

  4. 2mo ago

    Chamilo 2.0 RC3: LTI provider, ONLYOFFICE, and plugin revival

    ⚡ SPARK

    The clearest directional entry: RC3 of the 2.0 rewrite re-enables a broad plugin ecosystem on the new Symfony/Vue stack, adds LTI provider and client interoperability and ONLYOFFICE document editing, and removes an eval()-based RCE. It shows GA readiness is gated on plugin parity plus hardening.

  5. 3mo ago

    v1.11.38

    A security-led 1.11.38 release fixing multiple vulnerabilities, including critical ones, plus Moodle export improvements. Confirms the legacy line is being actively defended, not just frozen, during the 2.0 transition.

  6. 3mo ago

    v2.0.0 RC 2

    The RC preceding RC3 in this window, heavy on Vue redesigns, migration fixes, and access-control hardening such as IDOR fixes and authorization voters. Incremental progress on the same march toward a 2.0 GA.
