Re: Support for ckeditor3 in Debian
On 21/05/2022 12:06, Sylvain Beucler wrote:
> On 21/05/2022 10:45, Mike Gabriel wrote:
>> as I have a company interest in Horde and thus in ckeditor3, I'd be
>> happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in
>> unstable needs the same love as in LTS. And we are currently working
>> on upgrading the company mailserver.
>>
>> The extra funding from DAS-NETZWERKTEAM could either be directly
>> invoiced to me by the LTS contributor or funding could be piped
>> through Freexian if they can go with that and see that as a requirement.
>>
>> So, ping@Raphael? I have something like 4-6 hours in mind. What is
>> your preferred way of handling individual package funding such as
>
> Given that ckeditor is pretty opaque about their security fixes, I
> personally wouldn't know how to identify fixes to ckeditor3 and
> ckeditor(4) as shipped in Debian. (Actually I was asked to clarify
> ckeditor3's situation so we don't offer to support a package that is
>
> Maybe one way forward would be to upgrade ckeditor in upstream Horde,
> bump all ckeditor(4) to the currently maintained 4.x in all Debian
> dists, and fund this through e.g.
> (with security team's OK of course)
>
> Unless there are other ideas on how to maintain horde/ckeditor3 as-is.

- CKEditor's security announcements are too vague to identify the
vulnerabilities and their fixes,
- CKEditor4.x is maintained upstream,
- CKEditor3.x isn't,
- Upgrading to CKEditor4 breaks php-horde-editor and php-horde-imp's API
calls and specific plugins,
- Horde's usage of CKEditor3 is standard and all the vulnerabilities are
relevant in this context.
Consequently I propose ckeditor3 be end-of-life for stretch.
I plan to prepare a pull request for debian-security-support next week.
Debian LTS Team