Hi Security Team,

On 12/08/2024 02:27, Mike Gabriel wrote:
> Hi Moritz, hi Santiago,
>
> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
>> On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
>>> (I had tried to answer from the web debian-lts archive, and I don't
>>> know why firefox ended up sending four empty emails to the list.
>>> Really sorry for the noise)
>>>
>>> On 31/05/22 at 05:42, Mike Gabriel wrote:
>>>> Hi Moritz, Salvatore, Sylvain,
>>>>
>>>> On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
>>>>> On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
>>>>>> While this is discouraged in general, we could opt here for this, to
>>>>>> avoid that ckeditor3 might get additional users outside of
>>>>>> php-horde-editor.
>>>>>
>>>>> This would also mean that only those bits of ckeditor3 which are actually
>>>>> used by Horde need to be updated.
>>>>>
>>>>> Cheers,
>>>>> Moritz
>>>>
>>>> I read that embedding is ok with the security team for the exceptional case
>>>> php-horde-editor. I will put this on my todo list for the next Horde update
>>>> round (which is already overdue).
>>>>
>>>> Mike
>>>
>>> Hello Mike,
>>>
>>> AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
>>> so I guess the situation is the same as when buster was becoming LTS.
>>> I wonder if there is any action that could be made for bullseye and
>>> bookworm. Is there a way to limit the ckeditor3 security support to only
>>> cover the usage with php-horde-editor?
>>
>> Horde is pretty much unmaintained. php-horde-mime-viewer and
>> php-horde-turba are in dsa-needed.txt for a long time, but pings were
>> never replied to either.
>>
>> It seems best to drop Horde (and ckeditor3 alongside) from testing.
>>
>> Cheers,
>> Moritz
>
> I will take a look at this the coming week or the week after (when I will
> have plenty of time for Debian stuff).
>
> For ckeditor3, I will drop the symlinking of ckeditor3 and use the bundled
> version instead (which currently gets removed).
> I will also check the diff between Horde's bundled version of ckeditor3 and
> the version we have in Debian and amend things if needed.
>
> Regarding the nearly-non-maintenance state of Horde: Horde hasn't been
> ported to PHP 8 yet. One of the upstream devs is working on that, but there
> are no official releases yet. I will ping them about the current status.
- We're working on a ckeditor3->ckeditor[v4] upgrade for php-horde-*,
  which will allow dropping ckeditor3.
  https://lists.debian.org/debian-lts/2025/03/msg00011.html

- However,

  > to avoid that ckeditor3 might get additional users outside of
  > php-horde-editor.

  it appears that was already the case, as virtuoso-opensource has a
  *build*-dependency on ckeditor3 (says dak).
  I contacted the maintainers with https://bugs.debian.org/1101019 .

Cheers!
Sylvain Beucler
Debian LTS Team