On Wednesday, 2 October 2024, 09:54:16 UTC, Mike Gabriel wrote:
> Hi Bastien,
>
> On Tue 01 Oct 2024 19:48:02 CEST, Bastien Roucariès wrote:
>
> > On Tuesday, 1 October 2024, 17:02:40 UTC, Sylvain Beucler wrote:
> >> Hello Mike,
> >>
> >> On 12/08/2024 18:40, Santiago Ruano Rincón wrote:
> >> > On 12/08/24 at 00:27, Mike Gabriel wrote:
> >> >> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
> >> >>> On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> >> >>>> On 31/05/22 at 05:42, Mike Gabriel wrote:
> >> >>>>> On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
> >> >>>>>> On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> >> >>>>>>> While this is discouraged in general, we could opt here for this, to
> >> >>>>>>> avoid that ckeditor3 might get additional users outside of
> >> >>>>>>> php-horde-editor.
> >> >>>>>>
> >> >>>>>> This would also mean that only those bits of ckeditor3 which are actually
> >> >>>>>> used by Horde need to be updated.
> >> >>>>>
> >> >>>>> I read that embedding is ok with the security team for the exceptional case
> >> >>>>> php-horde-editor. I will put this on my todo list for the next Horde update
> >> >>>>> round (which is already overdue).
> >> >>>>
> >> >>>> AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
> >> >>>> so I guess the situation is the same as when buster was becoming LTS.
> >> >>>>
> >> >>>> I wonder if there is any action that could be made for bullseye and
> >> >>>> bookworm. Is there a way to limit the ckeditor3 security support to
> >> >>>> only cover the usage with php-horde-editor?
> >> >>>
> >> >>> Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba
> >> >>> are in dsa-needed.txt for a long time, but pings were never replied to
> >> >>> either.
> >> >>>
> >> >>> It seems best to drop Horde (and ckeditor3 alongside) from testing.
> >> >>
> >> >> I will take a look at this the coming week or the week after (when I will
> >> >> have plenty of time for Debian stuff).
> >> >>
> >> >> For ckeditor3, I will drop the symlinking of ckeditor3 and use the bundled
> >> >> version instead (which currently gets removed). I will also check the diff
> >> >> between Horde's bundled version of ckeditor3 and the version we have in
> >> >> Debian and amend things if needed.
> >> >>
> >> >> Regarding the nearly-non-maintenance state of Horde: Horde hasn't been
> >> >> ported to PHP 8, yet. One of the upstream devs is working on that, but there
> >> >> are no official releases, yet. I will ping them about the current status.
> >> >
> >> > OK, that is for debian testing, right? Mike, any thought about bullseye?
> >> > I am finding it hard to find arguments to keep it supported, but I would
> >> > like to hear from you (or from somebody else in the LTS Team) :-) ?
> >> >
> >> > Mike, could you please save me some time and point me to the bundled
> >> > version of ckeditor3?
> >>
> >> Mike,
> >>
> >> Has there been news on horde* and ckeditor3? :)
> > I can, I think, update the ckeditor to 4
> >
> > But I need someone to test my change (I am not fluent in Horde)
> >
> > Bastien
>
> I have a running Horde instance based on Debian 10 and 11. Please
> provide the change for php-horde-editor, I can test it. Sorry for not
> being as active on Horde as I'd like to be these days.

Could you test this:
https://salsa.debian.org/horde-team/php-horde-editor/-/merge_requests/1

Please fix syntax errors; my PHP skills are old.

It will normally only run an editor; other things may break, but the changes are only here:
https://sources.debian.org/src/php-horde-imp/6.2.27-3/imp-6.2.27/lib/Script/Package/Editor.php/?hl=33#L83

bastien

>
> Mike
>