Alex Pyrgiotis
9daf30154b
FIXUP: Copy all the Python files from the conversion/ dir
2025-01-16 18:56:34 +02:00
Alex Pyrgiotis
92d8a4c556
FIXUP: Improve readability
2025-01-14 23:49:43 +02:00
Alex Pyrgiotis
aa710e84c9
FIXUP: Improve the reproducibility check section
2025-01-14 23:47:16 +02:00
Alex Pyrgiotis
c1f25484ff
FIXUP: Invalidate downloaded diffoci helper if checksum differs
2025-01-14 23:43:53 +02:00
Alex Pyrgiotis
6cf4c5cc46
Update docs/developer/reproducibility.md
Co-authored-by: Alexis Métaireau <alexis@freedom.press>
2025-01-14 23:43:46 +02:00
Alex Pyrgiotis
e77580f845
Update docs/developer/reproducibility.md
Co-authored-by: Alexis Métaireau <alexis@freedom.press>
2025-01-14 23:42:49 +02:00
Alex Pyrgiotis
b8755f26ee
FIXUP: Remove stray comment
2025-01-14 23:14:05 +02:00
Alex Pyrgiotis
f019ce05d6
Update RELEASE.md
Co-authored-by: Alexis Métaireau <alexis@freedom.press>
2025-01-14 15:04:31 +02:00
Alex Pyrgiotis
cbeb103067
FIXUP: Separate some Dockerfile commands
2025-01-14 14:53:31 +02:00
Alex Pyrgiotis
96ab442873
FIXUP: Add links for container params
2025-01-14 14:46:32 +02:00
Alex Pyrgiotis
10b8cd48af
FIXUP: Change name of reproduce CI job
2025-01-14 14:21:39 +02:00
Alex Pyrgiotis
b42bd67f6c
FIXUP: Remove stray podman load command
2025-01-14 14:20:36 +02:00
Alex Pyrgiotis
45f43964a5
fixup! Do not use poetry.lock when building the container image
2025-01-14 14:19:12 +02:00
Alex Pyrgiotis
e02dbfdc79
WIP: Reproduce
2025-01-14 12:29:09 +02:00
Alex Pyrgiotis
d53c4d06b5
fixup! Render the Dockerfile from a template and some params
2025-01-14 12:07:45 +02:00
Alex Pyrgiotis
279322bf43
ci: Add a CI job that enforces image reproducibility
Add a CI job that uses the `reproduce.py` dev script to enforce image
reproducibility, for every PR that we send to the repo.
Fixes #1047
2025-01-14 11:58:22 +02:00
Alex Pyrgiotis
7a59940493
dev_scripts: Add script for enforcing image reproducibility
Add a dev script for Linux platforms that verifies that a source image
can be reproducibly built from the current Git commit. The
reproducibility check is enforced by the `diffoci` tool, which is
downloaded as part of running the script.
2025-01-14 11:58:22 +02:00
Alex Pyrgiotis
375efe5af4
Allow setting a tag for the container image
Allow setting a tag for the container image, when building it with the
`build-image.py` script. This should be used for development purposes
only, since the proper image name should be dictated by the script.
2025-01-14 11:58:22 +02:00
Alex Pyrgiotis
a8436bba98
Render the Dockerfile from a template and some params
Allow updating the Dockerfile from a template and some envs, so that
it's easier to bump the dates in it.
2025-01-14 11:58:22 +02:00
Alex Pyrgiotis
fccfd510b7
Add jinja2-cli package dependency
Add jinja2-cli as a package dependency, since it will be used to create
the Dockerfile from some user parameters and a template.
2025-01-14 11:58:20 +02:00
Alex Pyrgiotis
1ca3ef9796
Allow using the container engine cache when building our image
Remove our suggestions for not using the container cache, which stemmed
from the fact that our Dangerzone image was not reproducible. Now that
we have switched to Debian Stable and the Dockerfile is all we need to
reproducibly build the exact same container image, we can just use the
cache to speed up builds.
2025-01-14 11:58:08 +02:00
Alex Pyrgiotis
460b7a178b
Do not use poetry.lock when building the container image
Remove all the scaffolding in our `build-image.py` script for using the
`poetry.lock` file, now that we install PyMuPDF from the Debian repos.
2025-01-14 11:58:06 +02:00
Alex Pyrgiotis
42646877d7
Switch base image to Debian Stable
Switch base image from Alpine Linux to Debian Stable, in order to reduce
our image footprint, improve our security posture, and build our
container image reproducibly.
Fixes #1046
Refs #1047
2025-01-14 11:57:37 +02:00
Alex Pyrgiotis
5ff1d30278
container: Copy gVisor public key and a helper script
Download and copy the following artifacts that will be used for building
a Debian-based Dangerzone container image in the subsequent commits:
* The APT key for the gVisor repo [1]
* A helper script for building reproducible Debian images [2]
[1] https://gvisor.dev/archive.key
[2] d15cf12b26/repro-sources-list.sh
2025-01-14 10:53:11 +02:00
Alex Pyrgiotis
9c0c880cd3
docs: Add design document for artifact reproducibility
Refs #1047
2025-01-14 10:53:11 +02:00
Alex Pyrgiotis
e554a573e5
Reuse the same rootfs for the inner and outer container
Remove the need to copy the Dangerzone container image (used by the
inner container) within a wrapper gVisor image (used by the outer
container). Instead, use the root of the container filesystem for both
containers. We can do this safely because we don't mount any secrets to
the container, and because gVisor offers a read-only view of the
underlying filesystem.
Fixes #1048
2025-01-13 18:14:23 +02:00
Alex Pyrgiotis
d2f483e970
Move container-only build context to dangerzone/container
Move container-only build context - currently just the entrypoint script
- from `dangerzone/gvisor_wrapper` to `dangerzone/container`. Update the
rest of the scripts to use this location as well.
2025-01-13 18:14:15 +02:00
Alex Pyrgiotis
df3a60edc6
Whitespace fixes
2025-01-13 15:41:52 +02:00
Alexis Métaireau
1298e9c398
build: add build_scripts/env.py to the hashed files
It contains information that defines the build environments, and as such, modifying it should result in a new release of the dev containers.
2025-01-08 06:18:30 +01:00
Alexis Métaireau
00e58a8707
build: add poetry-plugin-export to the dependencies
Since Poetry 2.0.0, the `export` command has been removed and it's
advised to use the "poetry-plugin-export" package instead.
This commit adds this dependency to the different places it's needed
(debian environments, CI, build instructions, etc).
2025-01-08 06:18:01 +01:00
Alexis Métaireau
77975a8e50
Update links to the 0.8.1 release
2024-12-24 18:11:17 +01:00
Alexis Métaireau
5b9e9c82fc
Add a security advisory for gst-plugins-base
2024-12-24 18:11:17 +01:00
Alexis Métaireau
f4fa1f87eb
Bump version to 0.8.1
2024-12-24 18:11:17 +01:00
Alexis Métaireau
eb345562da
Lint: Add click to the dependencies used by mypy
2024-12-17 17:44:51 +01:00
jkarasti
d080d03f5a
Lint: Enable isort (I) rules
2024-12-17 17:44:32 +01:00
jkarasti
767bfa7e48
Lint: Fix unused-variable (F841)
2024-12-17 17:44:32 +01:00
jkarasti
37ec91aae2
Lint: Fix f-string-missing-placeholders (F541)
2024-12-17 17:44:32 +01:00
jkarasti
cecfe63338
Lint: Fix unused-import (F401)
2024-12-17 17:44:32 +01:00
jkarasti
4da6b92e12
Format: Run ruff format over the source code
2024-12-17 17:44:31 +01:00
jkarasti
b06d1aebed
Lint: Remove unused black and isort dependencies
2024-12-17 17:44:30 +01:00
jkarasti
da5490a5a1
Lint: Merge mypy makefile targets into the lint target
2024-12-17 17:44:09 +01:00
jkarasti
e96b44e10a
Lint: adapt Makefile targets for ruff
- Use `ruff` instead of `black` and `isort` in the `lint` target for linting and code formatting.
- Add a new target `fix` which applies all suggestions from `ruff check` and `ruff format`.
2024-12-17 17:44:09 +01:00
jkarasti
7624624471
Lint: add ruff for linting and formatting
2024-12-17 17:44:07 +01:00
Alex Pyrgiotis
fb7c2088e2
grype: Ignore CVE-2024-11053
Ignore the CVE-2024-11053 vulnerability, since it's a libcurl one, and
the Dangerzone container does not make network calls.
Also, clear the previous vulnerabilities, now that we have a new image
out.
2024-12-17 17:41:07 +01:00
Alexis Métaireau
1ea2f109cb
Run apt update before running apt get install
2024-12-17 17:24:46 +01:00
dependabot[bot]
df3063a825
build(deps): bump anchore/scan-action from 5 to 6
Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 5 to 6.
- [Release notes](https://github.com/anchore/scan-action/releases)
- [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/anchore/scan-action/compare/v5...v6)
---
updated-dependencies:
- dependency-name: anchore/scan-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-12-16 19:49:37 +02:00
jkarasti
57bb7286ef
Install more type stubs wanted by mypy
2024-12-16 19:49:03 +02:00
Alex Pyrgiotis
fbe05065c9
docs: Update release instructions
Update our release instructions with a way to run manual tasks via
`doit`. Also, add developer documentation on how to use `doit`, and some
tips and tricks.
2024-12-10 15:28:16 +02:00
Alex Pyrgiotis
54ffc63c4f
Add build-* targets in Makefile based on doit
Add Make targets that build release artifacts with doit.
2024-12-10 15:28:16 +02:00
Alex Pyrgiotis
bdc4cf13c4
Add doit configuration options
2024-12-10 15:28:16 +02:00