On Tuesday, 1 October 2024, 17:02:40 UTC, Sylvain Beucler wrote:
> Hello Mike,
> 
> On 12/08/2024 18:40, Santiago Ruano Rincón wrote:
> > On 12/08/24 at 00:27, Mike Gabriel wrote:
> >> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
> >>> On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> >>>> On 31/05/22 at 05:42, Mike Gabriel wrote:
> >>>>> On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
> >>>>>> On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> >>>>>>> While this is discouraged in general, we could opt here for this, to
> >>>>>>> avoid that ckeditor3 might get additional users outside of
> >>>>>>> php-horde-editor.
> >>>>>>
> >>>>>> This would also mean that only those bits of ckeditor3 which are actually
> >>>>>> used by Horde need to be updated.
> >>>>>
> >>>>> I read that embedding is ok with the security team for the exceptional case
> >>>>> php-horde-editor. I will put this on my todo list for the next Horde update
> >>>>> round (which is already overdue).
> >>>>
> >>>> AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
> >>>> so I guess the situation is the same as when buster was becoming LTS.
> >>>>
> >>>> I wonder if there is any action that could be made for bullseye and
> >>>> bookworm. Is there a way to limit the ckeditor3 security support to
> >>>> only cover the usage with php-horde-editor?
> >>>
> >>> Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba
> >>> have been in dsa-needed.txt for a long time, but pings were never replied to
> >>> either.
> >>>
> >>> It seems best to drop Horde (and ckeditor3 alongside) from testing.
> >>
> >> I will take a look at this the coming week or the week after (when I will
> >> have plenty of time for Debian stuff).
> >>
> >> For ckeditor3, I will drop the symlinking of ckeditor3 and use the bundled
> >> version instead (which currently gets removed). I will also check the diff
> >> between Horde's bundled version of ckeditor3 and the version we have in
> >> Debian and amend things if needed.
> >>
> >> Regarding the nearly-non-maintenance state of Horde: Horde hasn't been
> >> ported to PHP 8 yet. One of the upstream devs is working on that, but there
> >> are no official releases yet. I will ping them about the current status.
> > 
> > OK, that is for debian testing, right? Mike, any thought about bullseye?
> > I am finding it hard to find arguments to keep it supported, but I would
> > like to hear from you (or from somebody else in the LTS Team) :-) ?
> > 
> > Mike, could you please save me some time and point me to the bundled
> > version of ckeditor3?
> 
> Mike,
> 
> Has there been news on horde* and ckeditor3? :)
I think I can update the ckeditor to 4.

But I need someone to test my change (I am not fluent in Horde).

Bastien
> 
> If not I believe it's best we drop support for these packages in bullseye.
> 
> Cheers!
> Sylvain Beucler
> Debian LTS Team
> (Front-Desk this week)
> 
> 
