Bug#1101984: RM: ckeditor3 -- NVIU; specific to php-horde, EOL'd upstream, unfixed security issues
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: team@security.debian.org, debian-lts@lists.debian.org, php-horde@packages.debian.org
Hello FTP Masters,
I am part of the Debian LTS Team and am helping the Debian Horde Team
handle the ckeditor situation.
Please remove ckeditor3 from unstable.
The package was re-introduced as a backport specially for php-horde*:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959477
Horde was recently fixed to use ckeditor[v4], and was its only reverse
dependency, so ckeditor3 is no longer needed:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042715
Additionally, ckeditor3 is EOL upstream, and has several open
vulnerabilities:
https://security-tracker.debian.org/tracker/source-package/ckeditor3
It was EOL'd in stretch-lts and buster-lts:
https://lists.debian.org/debian-lts/2022/08/msg00001.html
and I proposed the same for bullseye-lts and bookworm:
https://lists.debian.org/debian-lts/2025/04/msg00009.html
Note: ckeditor3 appears to be mistakenly used as a reverse
build-dependency for virtuoso-opensource. The maintainers were
notified around 2 weeks ago:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101019
I believe we can proceed with a removal from unstable nonetheless, but I'm open to suggestions :)
Cheers!
Sylvain Beucler
Debian LTS Team