
Re: Support for ckeditor3 in Debian



Hi,

On Wed, May 25, 2022 at 03:33:11PM +0200, Sylvain Beucler wrote:
> Hi,
> 
> On 21/05/2022 12:06, Sylvain Beucler wrote:
> > On 21/05/2022 10:45, Mike Gabriel wrote:
> > > as I have a company interest in Horde and thus in ckeditor3, I'd be
> > > happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in
> > > unstable needs the same love as in LTS. And we are currently working
> > > on upgrading the company mailserver.
> > > 
> > > The extra funding from DAS-NETZWERKTEAM could either be directly
> > > invoiced to me by the LTS contributor or funding could be piped
> > > through Freexian if they can go with that and see that as a
> > > requirement.
> > > 
> > > So, ping@Raphael? I have something like 4-6 hours in mind. What is
> > > your preferred way of handling individual package funding such as
> > > described above?
> > 
> > Given that ckeditor is pretty opaque about their security fixes, I
> > personally wouldn't know how to identify fixes to ckeditor3 and
> > ckeditor(4) as shipped in Debian.  (Actually I was asked to clarify
> > ckeditor3's situation so we don't offer to support a package that is
> > really unsupportable.)
> > 
> > Status:
> > https://security-tracker.debian.org/tracker/source-package/ckeditor
> > https://security-tracker.debian.org/tracker/source-package/ckeditor3
> > 
> > Maybe one way forward would be to upgrade ckeditor in upstream Horde,
> > bump all ckeditor(4) to the currently maintained 4.x in all Debian
> > dists, and fund this through e.g.
> > https://freexian-team.pages.debian.net/project-funding/
> > (with security team's OK of course)
> > 
> > Unless there are other ideas on how to maintain horde/ckeditor3 as-is.
> 
> To recap:
> 
> - CKEditor's security announcements are too vague to identify the
> vulnerabilities and their fixes,
> 
> - CKEditor4.x is maintained upstream,
> 
> - CKEditor3.x isn't,
> 
> - Upgrading to CKEditor4 breaks php-horde-editor and php-horde-imp's API
> calls and specific plugins
> 
> - Horde's usage of CKEditor3 is standard and all the vulnerabilities are
> relevant in this context.
> 
> Consequently I propose ckeditor3 be end-of-life for stretch.
> I plan to prepare a pull request for debian-security-support next week.

One further aspect, which aims in particular at unstable and
bookworm: as I understand the above, it's probably unfeasible to
switch Horde's use to ckeditor4, and so one further possibility is
going back to using an embedded ckeditor3 for php-horde-editor.

While this is discouraged in general, we could opt here for this, to
avoid that ckeditor3 might get additional users outside of
php-horde-editor.

That said, I understand it's not really a satisfactory situation.

Regards,
Salvatore
