Bug#1028507: digikam: downloads binary blobs from the internet

2023-07-29 Thread Steven Robbins
clone 1028507 -1
retitle -1 Create face-recognition data package
thanks

On Tuesday, July 18, 2023 5:38:21 A.M. CDT Gregor Riepl wrote:
 
> Would it be possible to create a separate Debian package with this data
> and add it as a Recommends: dependency?

Yes, and thanks for the reminder.  The facility exists since DigiKam 8.1.0: 
https://mail.kde.org/pipermail/digikam-devel/2023-May/112408.html

> I believe there is enough precedent for large optional companion data
> packages in Debian. (0ad-data and kicad-packages3d come to mind)
> This would make it much clearer what the user is getting and from whom,
> and it would reduce the burden on the upstream CDN.

-Steve




Bug#1028507: digikam: downloads binary blobs from the internet

2023-07-18 Thread Gregor Riepl

>> Could that please be disabled?
>
> It's coming in version 8.
>
>> a) It's a security risk. It's absolutely unclear who controls these files
>> (at least not debian).
>
> I hear your concerns.  These files are data that used to be shipped as part of
> digikam and were later unbundled, which led to the download prompt.  You can
> read through the upstream bug for a full discussion.


That fixes the immediate issue, but it still doesn't answer the question 
if it's legitimate that an application packaged for the Debian main 
archive would ask for additional downloads from a 3rd party server to 
enable full functionality.


Would it be possible to create a separate Debian package with this data 
and add it as a Recommends: dependency?
I believe there is enough precedent for large optional companion data 
packages in Debian. (0ad-data and kicad-packages3d come to mind)
This would make it much clearer what the user is getting and from whom, 
and it would reduce the burden on the upstream CDN.




Bug#1028507: digikam: downloads binary blobs from the internet

2023-05-05 Thread Steven Robbins
forwarded 1028507 https://bugs.kde.org/show_bug.cgi?id=438317
thanks

On Thu, 12 Jan 2023 06:24:07 +0100 Christoph Anton Mitterer wrote:

> Every time when starting digikam, a dialog pops up asking to download
> some engines for redeye removal and face detection from the internet,
> which would cause them to be stored in /home/calestyo/.local/share/digikam/ 
> 
> Could that please be disabled?

It's coming in version 8.

> a) It's a security risk. It's absolutely unclear who controls these files
> (at least not debian).

I hear your concerns.  These files are data that used to be shipped as part of 
digikam and were later unbundled, which led to the download prompt.  You can 
read through the upstream bug for a full discussion. 

-Steve




Bug#1028507: digikam: downloads binary blobs from the internet

2023-01-11 Thread Christoph Anton Mitterer
Package: digikam
Version: 4:7.9.0-1+b1
Severity: important


Hey.

Every time when starting digikam, a dialog pops up asking to download
some engines for redeye removal and face detection from the internet,
which would cause them to be stored in /home/calestyo/.local/share/digikam/ 

Could that please be disabled?

a) It's a security risk. It's absolutely unclear who controls these files
   (at least not debian).
   Further it would be code that circumvents the package management system
   and thus any security support or further things like checking for updates
   via tools like check_apt.

   Any code that's not distributed via Debian archives makes it always
   easier for an attacker to target only specific victims (rather than all
   which would be given if all users are guaranteed to get the same code),
   which makes it less likely to spot any breaches.

   Code downloaders, even if they do e.g. signature verifications, are actually
   much more difficult to do properly than just verifying a signature
   (see downgrade or replay attacks) - things which are all handled by the
   package management but perhaps not by any program's own downloaders.


b) If the files are only available as blobs, they aren't DFSG compatible
   so AFAIU, if digikam would still do so, wouldn't it no longer qualify
   for main.


c) Other packages in Debian, e.g. Firefox, disable any such automatic downloads
   of security-wise at best questionable code downloaders or "self-updaters".



I also noticed that digikam, even if not downloading the stuff, creates:
  /home/user/.local/share/digikam/QtWebEngine/Default/blob_storage/
which also sounds a bit fishy.


Thanks,
Chris.
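Point (a) above notes that an application's own downloader has to do more than check a signature: a correctly signed artifact that was valid last year is still correctly signed today, so whoever controls the CDN can replay an old, vulnerable file unless the client also checks freshness and refuses downgrades. The following added example (not code from this bug report, from digiKam or from Debian) shows a minimal downloader-side verifier that performs those checks in the order a package manager would: authenticity, freshness, monotonic version, then integrity of the blob. HMAC-SHA256 stands in for a real public-key signature, and the key, package name, timestamps and blobs are constructed for the example.

```python
"""Toy verifier for a downloaded data blob plus its signed manifest.

Constructed example: HMAC-SHA256 stands in for the publisher's signature,
and every key, name and timestamp below is made up for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed secret standing in for the publisher's signing key.
SIGNING_KEY = b"example-publisher-key"


def sign(manifest: dict) -> str:
    """Sign the canonical JSON form of a manifest (HMAC stands in for a signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


@dataclass
class LocalState:
    installed_version: int  # highest version this client has already accepted
    now: int                # current time, seconds since the epoch


class VerifyError(Exception):
    pass


def verify_download(manifest: dict, signature: str, blob: bytes, state: LocalState) -> int:
    """Return the accepted version, or raise VerifyError.

    Order matters: the signature is checked first so that nothing else is
    trusted before authenticity is established; expiry catches a replayed
    stale manifest; the version check catches a replayed older release that
    is still within its validity window; the hash ties the blob to the manifest.
    """
    if not hmac.compare_digest(sign(manifest), signature):
        raise VerifyError("bad signature")
    if manifest["expires"] <= state.now:
        raise VerifyError("manifest expired (possible replay)")
    if manifest["version"] < state.installed_version:
        raise VerifyError("downgrade refused")
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), manifest["sha256"]):
        raise VerifyError("blob hash mismatch")
    return manifest["version"]


def make_release(version: int, blob: bytes, expires: int) -> tuple:
    """Publisher side: build and sign a manifest for one release of the blob."""
    manifest = {
        "name": "example-face-data",  # constructed package name
        "version": version,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "expires": expires,
    }
    return manifest, sign(manifest)


def run_scenarios() -> dict:
    """Run the verifier over constructed good and bad inputs; return outcome per case."""
    state = LocalState(installed_version=2, now=1_700_000_000)
    day = 86_400
    blob_v1 = b"constructed model data, version 1 (superseded)"
    blob_v2 = b"constructed model data, version 2"

    # A genuine old release whose manifest is still within its validity window.
    m1, s1 = make_release(1, blob_v1, expires=state.now + day)
    # The current release, and a copy of it whose manifest has lapsed.
    m2, s2 = make_release(2, blob_v2, expires=state.now + day)
    m2_stale, s2_stale = make_release(2, blob_v2, expires=state.now - 1)
    # A manifest edited to point at a different blob, reusing the genuine signature.
    m_forged = dict(m2, sha256=hashlib.sha256(b"other content").hexdigest())

    cases = {
        "current release": (m2, s2, blob_v2),
        "replayed old release": (m1, s1, blob_v1),
        "expired manifest": (m2_stale, s2_stale, blob_v2),
        "forged manifest": (m_forged, s2, b"other content"),
        "swapped blob": (m2, s2, b"other content"),
    }
    results = {}
    for name, (manifest, sig, blob) in cases.items():
        try:
            results[name] = f"accepted v{verify_download(manifest, sig, blob, state)}"
        except VerifyError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

The "replayed old release" case is the one a signature-only check misses: the manifest and blob are exactly what the publisher once shipped, so the signature and hash both verify, and only the client-side record of the highest version already installed rejects it. Keeping that record, and a trusted clock for the expiry check, is the part of the job that a package manager does for every package and that an in-application downloader has to reimplement on its own.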