
Security team POV about having ckeditor twice in jessie



(Please CC me, I'm not on the list)

Hello,

Some context: There is currently an important bug in php-horde-editor
(#769031) which affects Horde IMP Webmail: With the current version of
ckeditor (4.4.4), HTML composing doesn't work.

This removes some of the interest of using php-horde-imp (without rendering
it useless).

I've filed a pre-unblock bug (#769033, more context here). Quoting myself:
>I see 3 possible solutions:
> - release Horde in Debian without HTML composing -> This would be odd
> - port IMP JS to CKeditor 4.x. I don't have the knowledge, help welcomed
> - use the included CKeditor 3.6.x . This requires copyright review and possible repacking
> - drop Horde from testing altogether. NOOOOOOOOOOOOOOOO !

I have chosen solution 3. I have prepared a ckeditor3 package,
currently in the NEW queue. It is forked from the ckeditor version in
wheezy.

This solution implies that jessie will have ckeditor twice. This has
security implications. Is this OK for the security team?

Also note that ckeditor is only a dependency of sogo-common.

Regards
-- 
Mathieu

