On Mon, Apr 04, 2022 at 07:56:20AM +0000, Peymaneh wrote:

Originally, the app would download the whole container image at first use after installation. For the new version upstream has decided to build a whole container image at build time and include the 700MB image in the .deb package. The absurd package size set aside, building the image on the Debian build servers would not be possible because a network connection is required for pulling the docker image. Therefore I moved the building of the image from build time into dangerzone.postinst[2], which is basically the build-script from upstream[3] only with some very basic error-handling added to it. I am not sure if in its current state it is very robust.

If you download external files on install, the package should go to contrib and, I think, prominently say that it will do this. I also don't think you should keep the downloaded files in /usr instead of e.g. /var.

Of course, that makes sense. I hadn't considered the implications for user privacy until now.
I have added a notice to the package description and copyright file and changed the destination for the downloaded files to /var/lib/dangerzone.
I just looked through the policy and it advises to use user prompts in postinst scripts as sparingly as possible, so probably a prompt for user consent would be a little overkill (?)
kind regards, Peymaneh