On 12/08/24 at 00:27, Mike Gabriel wrote:
> Hi Moritz, hi Santiago,
> 
> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
> 
> > On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> > > (I had tried to answer from the web debian-lts archive, and I don't know
> > > why firefox ended up sending four empty emails to the list. Really sorry
> > > for the noise)
> > > 
> > > On 31/05/22 at 05:42, Mike Gabriel wrote:
> > > > Hi Moritz, Salvatore, Sylvain,
> > > >
> > > > On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
> > > >
> > > > > On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> > > > > > While this is discouraged in general, we could opt here for this, to
> > > > > > avoid that ckeditor3 might get additional users outside of
> > > > > > php-horde-editor.
> > > > >
> > > > > > This would also mean that only those bits of ckeditor3 which are actually
> > > > > > used by Horde need to be updated.
> > > > >
> > > > > Cheers,
> > > > >         Moritz
> > > >
> > > > I read that embedding is ok with the security team for the exceptional case
> > > > php-horde-editor. I will put this on my todo list for the next Horde update
> > > > round (which is already overdue).
> > > >
> > > > Mike
> > > 
> > > Hello Mike,
> > > 
> > > AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
> > > so I guess the situation is the same as when buster was becoming LTS.
> > > 
> > > I wonder if there is any action that could be made for bullseye and
> > > bookworm. Is there a way to limit the ckeditor3 security support to
> > > only cover the usage with php-horde-editor?
> > 
> > Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba
> > are in dsa-needed.txt for a long time, but pings were never replied to
> > either.
> > 
> > It seems best to drop Horde (and ckeditor3 alongside) from testing.
> > 
> > Cheers,
> >         Moritz
> 
> I will take a look at this the coming week or the week after (when I will
> have plenty of time for Debian stuff).
> 
> For ckeditor3, I will drop the symlinking of ckeditor3 and use the bundled
> version instead (which currently gets removed). I will also check the diff
> between Horde's bundled version of ckeditor3 and the version we have in
> Debian and amend things if needed.
> 
> Regarding the nearly-non-maintenance state of Horde: Horde hasn't been
> ported to PHP 8 yet. One of the upstream devs is working on that, but there
> are no official releases yet. I will ping them about the current status.

OK, that is for Debian testing, right? Mike, any thoughts about bullseye?
I am finding it hard to find arguments to keep it supported, but I would
like to hear from you (or from somebody else in the LTS Team) :-)

Mike, could you please save me some time and point me to the bundled
version of ckeditor3?

Cheers,

 -- S
