
Re: Support for ckeditor3 in Debian


On 21/05/2022 12:06, Sylvain Beucler wrote:
On 21/05/2022 10:45, Mike Gabriel wrote:
as I have a company interest in Horde and thus in ckeditor3, I'd be happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in unstable needs the same love as in LTS. And we are currently working on upgrading the company mailserver.

The extra funding from DAS-NETZWERKTEAM could either be directly invoiced to me by the LTS contributor or funding could be piped through Freexian if they can go with that and see that as a requirement.

So, ping@Raphael? I have something like 4-6 hours in mind. What is your preferred way of handling individual package funding such as described above?

Given that ckeditor is pretty opaque about their security fixes, I personally wouldn't know how to identify fixes to ckeditor3 and ckeditor(4) as shipped in Debian. (Actually I was asked to clarify ckeditor3's situation so we don't offer to support a package that is really unsupportable.)


Maybe one way forward would be to upgrade ckeditor in upstream Horde, bump all ckeditor(4) to the currently maintained 4.x in all Debian dists, and fund this through e.g.
(with security team's OK of course)

Unless there are other ideas on how to maintain horde/ckeditor3 as-is.

To recap:

- CKEditor's security announcements are too vague to identify the vulnerabilities and their fixes,

- CKEditor4.x is maintained upstream,

- CKEditor3.x isn't,

- Upgrading to CKEditor4 breaks php-horde-editor and php-horde-imp's API calls and specific plugins,

- Horde's usage of CKEditor3 is standard and all the vulnerabilities are relevant in this context.

Consequently I propose ckeditor3 be end-of-life for stretch.
I plan to prepare a pull request for debian-security-support next week.

Sylvain Beucler
Debian LTS Team
