Hi Mike,
On 21/05/2022 10:45, Mike Gabriel wrote:
> as I have a company interest in Horde and thus in ckeditor3, I'd be
> happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in
> unstable needs the same love as in LTS. And we are currently working on
> upgrading the company mailserver.
>
> The extra funding from DAS-NETZWERKTEAM could either be directly
> invoiced to me by the LTS contributor or funding could be piped through
> Freexian if they can go with that and see that as a requirement.
>
> So, ping@Raphael? I have something like 4-6 hours in mind. What is your
> preferred way of handling individual package funding such as described
> above?
Given that ckeditor is pretty opaque about their security fixes, I
personally wouldn't know how to identify fixes to ckeditor3 and
ckeditor(4) as shipped in Debian. (Actually I was asked to clarify
ckeditor3's situation so we don't offer to support a package that is
really unsupportable.)
Status:
https://security-tracker.debian.org/tracker/source-package/ckeditor
https://security-tracker.debian.org/tracker/source-package/ckeditor3
Maybe one way forward would be to upgrade ckeditor in upstream Horde,
bump all ckeditor(4) to the currently maintained 4.x in all Debian
dists, and fund this through e.g.
https://freexian-team.pages.debian.net/project-funding/
(with security team's OK of course)
Unless there are other ideas on how to maintain horde/ckeditor3 as-is.
Cheers!
Sylvain