Hi,

On Wed, May 25, 2022 at 03:33:11PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 21/05/2022 12:06, Sylvain Beucler wrote:
> > On 21/05/2022 10:45, Mike Gabriel wrote:
> > > as I have a company interest in Horde and thus in ckeditor3, I'd be
> > > happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in
> > > unstable needs the same love as in LTS. And we are currently working
> > > on upgrading the company mailserver.
> > >
> > > The extra funding from DAS-NETZWERKTEAM could either be directly
> > > invoiced to me by the LTS contributor or funding could be piped
> > > through Freexian if they can go with that and see that as a
> > > requirement.
> > >
> > > So, ping@Raphael? I have something like 4-6 hours in mind. What is
> > > your preferred way of handling individual package funding such as
> > > described above.
> >
> > Given that ckeditor is pretty opaque about their security fixes, I
> > personally wouldn't know how to identify fixes to ckeditor3 and
> > ckeditor(4) as shipped in Debian. (Actually I was asked to clarify
> > ckeditor3's situation so we don't offer to support a package that is
> > really unsupportable.)
> >
> > Status:
> > https://security-tracker.debian.org/tracker/source-package/ckeditor
> > https://security-tracker.debian.org/tracker/source-package/ckeditor3
> >
> > Maybe one way forward would be to upgrade ckeditor in upstream Horde,
> > bump all ckeditor(4) to the currently maintained 4.x in all Debian
> > dists, and fund this through e.g.
> > https://freexian-team.pages.debian.net/project-funding/
> > (with security team's OK of course)
> >
> > Unless there are other ideas on how to maintain horde/ckeditor3 as-is.
>
> To recap:
> - CKEditor's security announcements are too vague to identify the
>   vulnerabilities and their fixes,
> - CKEditor4.x is maintained upstream,
> - CKEditor3.x isn't,
> - Upgrading to CKEditor4 breaks php-horde-editor and php-horde-imp's API
>   calls and specific plugins
> - Horde's usage of CKEditor3 is standard and all the vulnerabilities are
>   relevant in this context.
>
> Consequently I propose ckeditor3 be end-of-life for stretch.
> I plan to prepare a pull request for debian-security-support next week.
One further aspect, which aims in particular at unstable and bookworm:
As I understand the above, it's probably unfeasible to switch Horde's use
to ckeditor4, and so one further possibility is going back to using an
embedded ckeditor3 for php-horde-editor. While this is discouraged in
general, we could opt for it here, to avoid ckeditor3 getting additional
users outside of php-horde-editor.

That said, I understand it's not really a satisfactory situation.

Regards,
Salvatore