Re: Support for ckeditor3 in Debian

To: Santiago Ruano Rincón <santiagorr@riseup.net>
Cc: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, Sylvain Beucler <beuc@beuc.net>, Debian Security Team <team@security.debian.org>, debian@jugra.de, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Support for ckeditor3 in Debian
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sun, 11 Aug 2024 12:57:23 +0200
Message-id: <[🔎] 20240811105723.GA31009@inutil.org>
In-reply-to: <[🔎] Zrd27JjGfvUmUDJ2@voleno>
References: <8c9d472b-ee18-5a9d-a114-e0a36d5f7173@beuc.net> <20220512063546.kp7pn6dofug2kpwa@sunobo.das-netzwerkteam.de> <4a8bfc47-5777-a515-784b-290f61239127@beuc.net> <20220521084547.Horde.-yKUWC40VmXCC-W01Mq2BiU@mail.das-netzwerkteam.de> <36e7d0a3-9cd4-4eb6-b340-420bd0407434@beuc.net> <a69bed8c-aa61-c06f-b1c9-13b5f2d8d7f0@beuc.net> <YpMiiwhmQ54YLSFC@eldamar.lan> <YpUHHmKB4/72eAXC@pisco.westfalen.local> <20220531054200.Horde.ZMSH8tRX-fV0agN46MS32ZM@mail.das-netzwerkteam.de> <[🔎] Zrd27JjGfvUmUDJ2@voleno>

On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> (I had tried to answer from the web debian-lts archive, and I don't know
> why firefox ended up sending four empty emails to the list. Really sorry
> for the noise)
> 
> El 31/05/22 a las 05:42, Mike Gabriel escribió:
> > Hi Moritz, Salvatore, Sylvain,
> > 
> > On  Mo 30 Mai 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
> > 
> > > Am Sun, May 29, 2022 at 09:36:43AM +0200 schrieb Salvatore Bonaccorso:
> > > > While this is discouraged in general, we could opt here for this, to
> > > > avoid that ckeditor3 might get additional users outside of
> > > > php-horde-editor.
> > > 
> > > This would also mean that only those bits of ckeditor3 which are actually
> > > used by Horde need to be updated.
> > > 
> > > Cheers,
> > >         Moritz
> > 
> > I read that embedding is ok with the security team for the exceptional case
> > php-horde-editor. I will put this on my todo list for the next Horde update
> > round (which is already overdue).
> > 
> > Mike
> 
> Hello Mike,
> 
> AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
> so I guess the situation is the same than when buster was becoming LTS.
> 
> I wonder if there is any action that could be made for bullseye and
> bookworm. Is there a way to limit the ckeditor3 security support to
> only cover the usage with php-horde-editor?

Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba
are in dsa-needed.txt for a long time, but pings were never replied to either.

It seems best to drop Horde (and ckeditor3 alongside) from testing.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: Support for ckeditor3 in Debian
  - From: Mike Gabriel <sunweaver@debian.org>

References:
- Re: Support for ckeditor3 in Debian
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>

Prev by Date: ELTS report for July 2024
Next by Date: Re: Support for ckeditor3 in Debian
Previous by thread: Re: Support for ckeditor3 in Debian
Next by thread: Re: Support for ckeditor3 in Debian
Index(es):
- Date
- Thread