Hi Bastien,

On Tue 01 Oct 2024 19:48:02 CEST, Bastien Roucariès wrote:

> On Tuesday, 1 October 2024, 17:02:40 UTC, Sylvain Beucler wrote:
>> Hello Mike,
>>
>> On 12/08/2024 18:40, Santiago Ruano Rincón wrote:
>>> On 12/08/24 at 00:27, Mike Gabriel wrote:
>>>> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
>>>>> On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
>>>>>> On 31/05/22 at 05:42, Mike Gabriel wrote:
>>>>>>> On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
>>>>>>>> On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
>>>>>>>>> While this is discouraged in general, we could opt here for this, to
>>>>>>>>> avoid that ckeditor3 might get additional users outside of
>>>>>>>>> php-horde-editor.
>>>>>>>>
>>>>>>>> This would also mean that only those bits of ckeditor3 which are actually
>>>>>>>> used by Horde need to be updated.
>>>>>>>
>>>>>>> I read that embedding is ok with the security team for the exceptional case
>>>>>>> php-horde-editor. I will put this on my todo list for the next Horde update
>>>>>>> round (which is already overdue).
>>>>>>
>>>>>> AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
>>>>>> so I guess the situation is the same as when buster was becoming LTS.
>>>>>>
>>>>>> I wonder if there is any action that could be made for bullseye and
>>>>>> bookworm. Is there a way to limit the ckeditor3 security support to
>>>>>> only cover the usage with php-horde-editor?
>>>>>
>>>>> Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba
>>>>> are in dsa-needed.txt for a long time, but pings were never replied to
>>>>> either.
>>>>>
>>>>> It seems best to drop Horde (and ckeditor3 alongside) from testing.
>>>>
>>>> I will take a look at this the coming week or the week after (when I will
>>>> have plenty of time for Debian stuff).
>>>>
>>>> For ckeditor3, I will drop the symlinking of ckeditor3 and use the bundled
>>>> version instead (which currently gets removed). I will also check the diff
>>>> between Horde's bundled version of ckeditor3 and the version we have in
>>>> Debian and amend things if needed.
>>>>
>>>> Regarding the nearly-non-maintenance state of Horde: Horde hasn't been
>>>> ported to PHP 8, yet. One of the upstream devs is working on that, but there
>>>> are not official releases, yet. I will ping them about the current status.
>>>
>>> OK, that is for debian testing, right? Mike, any thought about bullseye?
>>> I am finding it hard to find arguments to keep it supported, but I would
>>> like to hear from you (or from somebody else in the LTS Team) :-) ?
>>>
>>> Mike, could you please save me some time and point me to the bundled
>>> version of ckeditor3?
>>
>> Mike,
>>
>> Has there been news on horde* and ckeditor3? :)
>
> I can, I think, update the ckeditor to 4.
> But I need someone to test my change (I am not fluent in Horde).
>
> Bastien

I have a running Horde instance based on Debian 10 and 11. Please provide the change for php-horde-editor, I can test it. Sorry for not being as active on Horde as I'd like to be these days.

Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net