On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote: > (I had tried to answer from the web debian-lts archive, and I don't know > why firefox ended up sending four empty emails to the list. Really sorry > for the noise) > > El 31/05/22 a las 05:42, Mike Gabriel escribió: > > Hi Moritz, Salvatore, Sylvain, > > > > On Mo 30 Mai 2022 20:04:14 CEST, Moritz Mühlenhoff wrote: > > > > > Am Sun, May 29, 2022 at 09:36:43AM +0200 schrieb Salvatore Bonaccorso: > > > > While this is discouraged in general, we could opt here for this, to > > > > avoid that ckeditor3 might get additional users outside of > > > > php-horde-editor. > > > > > > This would also mean that only those bits of ckeditor3 which are actually > > > used by Horde need to be updated. > > > > > > Cheers, > > > Moritz > > > > I read that embedding is ok with the security team for the exceptional case > > php-horde-editor. I will put this on my todo list for the next Horde update > > round (which is already overdue). > > > > Mike > > Hello Mike, > > AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then, > so I guess the situation is the same than when buster was becoming LTS. > > I wonder if there is any action that could be made for bullseye and > bookworm. Is there a way to limit the ckeditor3 security support to > only cover the usage with php-horde-editor?
Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba are in dsa-needed.txt for a long time, but pings were never replied to either. It seems best to drop Horde (and ckeditor3 alongside) from testing. Cheers, Moritz