Re: Support for ckeditor3 in Debian
- To: Moritz Muehlenhoff <jmm@inutil.org>, debian-lts@lists.debian.org
- Cc: Santiago Ruano Rincón <santiagorr@riseup.net>, Sylvain Beucler <beuc@beuc.net>, Debian Security Team <team@security.debian.org>, debian@jugra.de, Debian LTS <debian-lts@lists.debian.org>, Mike Gabriel <sunweaver@debian.org>
- Subject: Re: Support for ckeditor3 in Debian
- From: Bastien Roucariès <rouca@debian.org>
- Date: Mon, 12 Aug 2024 16:15:53 +0000
- Message-id: <2847937.AmMTCUTvJl@portable-bastien>
- In-reply-to: <20240812002717.Horde.GN4J8X1_GET8DouLG7JBML2@mail.das-netzwerkteam.de>
- References: <8c9d472b-ee18-5a9d-a114-e0a36d5f7173@beuc.net> <20240811105723.GA31009@inutil.org> <20240812002717.Horde.GN4J8X1_GET8DouLG7JBML2@mail.das-netzwerkteam.de>
On Monday, 12 August 2024, 00:27:17 UTC, Mike Gabriel wrote:
> Hi Moritz, hi Santiago,
>
> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
>
> > On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> >> (I had tried to answer from the web debian-lts archive, and I don't know
> >> why firefox ended up sending four empty emails to the list. Really sorry
> >> for the noise)
> >>
> >> On 31/05/22 at 05:42, Mike Gabriel wrote:
> >> > Hi Moritz, Salvatore, Sylvain,
> >> >
> >> > On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
> >> >
> >> > > On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> >> > > > While this is discouraged in general, we could opt here for this, to
> >> > > > avoid that ckeditor3 might get additional users outside of
> >> > > > php-horde-editor.
> >> > >
> >> > > This would also mean that only those bits of ckeditor3 which are actually
> >> > > used by Horde need to be updated.
> >> > >
> >> > > Cheers,
> >> > > Moritz
> >> >
> >> > I read that embedding is ok with the security team for the exceptional case
> >> > php-horde-editor. I will put this on my todo list for the next Horde update
> >> > round (which is already overdue).
> >> >
> >> > Mike
> >>
> >> Hello Mike,
> >>
> >> AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
> >> so I guess the situation is the same as when buster was becoming LTS.
> >>
> >> I wonder if there is any action that could be taken for bullseye and
> >> bookworm. Is there a way to limit the ckeditor3 security support to
> >> only cover the usage with php-horde-editor?
> >
> > Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba
> > have been in dsa-needed.txt for a long time, but pings were never replied
> > to either.
> >
> > It seems best to drop Horde (and ckeditor3 alongside) from testing.
> >
> > Cheers,
> > Moritz
>
> I will take a look at this the coming week or the week after (when I
> will have plenty of time for Debian stuff).
>
> For ckeditor3, I will drop the symlinking of ckeditor3 and use the
> bundled version instead (which currently gets removed). I will also
> check the diff between Horde's bundled version of ckeditor3 and the
> version we have in Debian and amend things if needed.

Last time I checked, I think it is possible to use a newer ckeditor, but it needs testing.
The ckeditor4 API is not so different.

Bastien

>
> Regarding the nearly-non-maintenance state of Horde: Horde hasn't been
> ported to PHP 8 yet. One of the upstream devs is working on that, but
> there are no official releases yet. I will ping them about the
> current status.
>
> Mike
>