[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security team POV about having ckeditor twice in jessie

(Please CC me, I'm not on the list)


Some context: There is currently an important bug in php-horde-editor
(#769031) which affects Horde IMP Webmail: With current version of
ckeditor (4.4.4), HTML composing doesn't work.

This remove some interrest of using php-horde-imp (without rendering
it useless).

I've filed a pre-unblock bug (#769033, more context here). Quoting myself :
>I see 3 possible solutions:
> - release Horde in Debian without HTML composing -> This would be odd
> - port IMP JS to CKeditor 4.x. I don't have the knowledge, help welcomed
> - use the included CKeditor 3.6.x . This requires copyright review and possible repacking
> - drop Horde from testing altogether. NOOOOOOOOOOOOOOOO !

I have choosed the solution 3. I have prepared a ckeditor3 package,
currently in the NEW queue. It is forked from the ckeditor version in

This solution implies that jessie will have ckeditor twice. This has
security implications. Is this OK for the security team?

Also note that ckeditor is only a dependency of sogo-common.


Reply to: