Merge 2ba247e09c into 68f8338d20

This reverts commit 73b0f8b7d4.
Unfortunately, disabling DirectFS causes a problem in Linux systems that
enable Yama mode 2. Turns out that Tails is such a system, so we have to
revert this change, if we want to support it.

Refs #982

.github/workflows/build.yml

@@ -1,6 +1,6 @@
 name: Build dev environments
 on:
-  push:
+  pull_request:
   schedule:
     - cron: "0 0 * * *" # Run every day at 00:00 UTC.
 
@@ -33,8 +33,6 @@ jobs:
             version: "20.04"
           - distro: ubuntu
             version: "22.04"
-          - distro: ubuntu
-            version: "23.10"
           - distro: ubuntu
             version: "24.04"
           - distro: ubuntu

.github/workflows/check_push.yml

@@ -1,6 +1,6 @@
 name: Check branch conformity
 on:
-  push:
+  pull_request:
 
 jobs:
   prevent-fixup-commits:

.github/workflows/check_repos.yml

@@ -23,8 +23,6 @@ jobs:
             version: "24.10"  # oracular
           - distro: ubuntu
             version: "24.04"  # noble
-          - distro: ubuntu
-            version: "23.10"  # mantic
           - distro: ubuntu
             version: "22.04"  # jammy
           - distro: ubuntu

.github/workflows/ci.yml

@@ -1,8 +1,9 @@
 name: Tests
 on:
   push:
+    branches:
+      - main
   pull_request:
-    branches: [main]
   schedule:
     - cron: "2 0 * * *" # Run every day at 02:00 UTC.
   workflow_dispatch:
@@ -24,7 +25,24 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  should-run:
+    runs-on: ubuntu-latest
+    outputs:
+      run-workflow: ${{ steps.check.outputs.run-workflow }}
+    steps:
+      - id: check
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "run-workflow=true" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" != "refs/heads/main" ]]; then
+            echo "run-workflow=true" >> $GITHUB_OUTPUT
+          else
+            echo "run-workflow=false" >> $GITHUB_OUTPUT
+          fi
+
   run-lint:
+    needs: should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     runs-on: ubuntu-latest
     container:
       image: debian:bookworm
@@ -43,6 +61,8 @@ jobs:
   # This is already built daily by the "build.yml" file
   # But we also want to include this in the checks that run on each push.
   build-container-image:
+    needs: should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
@@ -67,6 +87,8 @@ jobs:
           python3 ./install/common/build-image.py
 
   download-tessdata:
+    needs: should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     name: Download and cache Tesseract data
     runs-on: ubuntu-latest
     steps:
@@ -91,7 +113,10 @@ jobs:
 
   windows:
     runs-on: windows-latest
-    needs: download-tessdata
+    needs:
+      - download-tessdata
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     env:
       DUMMY_CONVERSION: 1
     steps:
@@ -121,7 +146,10 @@ jobs:
   macOS:
     name: "macOS (${{ matrix.arch }})"
     runs-on: ${{ matrix.runner }}
-    needs: download-tessdata
+    needs:
+      - download-tessdata
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         include:
@@ -149,9 +177,12 @@ jobs:
         run: poetry run make test
 
   build-deb:
+    needs:
+      - should-run
+      - build-container-image
+    if: needs.should-run.outputs.run-workflow == 'true'
     name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
-    needs: build-container-image
     strategy:
       matrix:
         include:
@@ -159,8 +190,6 @@ jobs:
             version: "20.04"
           - distro: ubuntu
             version: "22.04"
-          - distro: ubuntu
-            version: "23.10"
           - distro: ubuntu
             version: "24.04"
           - distro: ubuntu
@@ -221,7 +250,10 @@ jobs:
   install-deb:
     name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
-    needs: build-deb
+    needs: 
+      - build-deb
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         include:
@@ -229,8 +261,6 @@ jobs:
             version: "20.04"
           - distro: ubuntu
             version: "22.04"
-          - distro: ubuntu
-            version: "23.10"
           - distro: ubuntu
             version: "24.04"
           - distro: ubuntu
@@ -277,7 +307,10 @@ jobs:
   build-install-rpm:
     name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
     runs-on: ubuntu-latest
-    needs: build-container-image
+    needs:
+      - build-container-image
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         distro: ["fedora"]
@@ -343,6 +376,8 @@ jobs:
     needs:
       - build-container-image
       - download-tessdata
+      - should-run
+    if: needs.should-run.outputs.run-workflow == 'true'
     strategy:
       matrix:
         include:
@@ -350,8 +385,6 @@ jobs:
             version: "20.04"
           - distro: ubuntu
             version: "22.04"
-          - distro: ubuntu
-            version: "23.10"
           - distro: ubuntu
             version: "24.04"
           - distro: ubuntu

.github/workflows/scan.yml

@@ -1,8 +1,9 @@
 name: Scan latest app and container
 on:
   push:
+    branches:
+      - main
   pull_request:
-    branches: [ main ]
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
   workflow_dispatch:

INSTALL.md

@@ -11,7 +11,6 @@ an isolated environment. It will be installed automatically when installing Dang
 Dangerzone is available for:
 - Ubuntu 24.10 (oracular)
 - Ubuntu 24.04 (noble)
-- Ubuntu 23.10 (mantic)
 - Ubuntu 22.04 (jammy)
 - Ubuntu 20.04 (focal)
 - Debian 13 (trixie)

dangerzone/gvisor_wrapper/entrypoint.py

@@ -142,9 +142,6 @@ runsc_argv = [
     "--rootless=true",
     "--network=none",
     "--root=/home/dangerzone/.containers",
-    # Disable DirectFS for to make the seccomp filter even stricter,
-    # at some performance cost.
-    "--directfs=false",
 ]
 if os.environ.get("RUNSC_DEBUG"):
     runsc_argv += ["--debug=true", "--alsologtostderr=true"]

dev_scripts/env.py

@@ -696,8 +696,6 @@ class Env:
                     DOCKERFILE_CONMON_UPDATE + DOCKERFILE_BUILD_DEV_DEBIAN_DEPS
                 )
             elif self.distro == "ubuntu" and self.version in (
-                "23.10",
-                "mantic",
                 "24.04",
                 "noble",
                 "24.10",
@@ -784,8 +782,6 @@ class Env:
                 # package (see https://github.com/freedomofpress/dangerzone/issues/685)
                 install_deps = DOCKERFILE_CONMON_UPDATE + DOCKERFILE_BUILD_DEBIAN_DEPS
             elif self.distro == "ubuntu" and self.version in (
-                "23.10",
-                "mantic",
                 "24.04",
                 "noble",
                 "24.10",

dev_scripts/qa.py

@@ -978,11 +978,6 @@ class QAUbuntu2204(QADebianBased):
     VERSION = "22.04"
 
 
-class QAUbuntu2310(QADebianBased):
-    DISTRO = "ubuntu"
-    VERSION = "23.10"
-
-
 class QAUbuntu2404(QADebianBased):
     DISTRO = "ubuntu"
     VERSION = "24.04"

setup-windows.py

@@ -4,7 +4,6 @@ from cx_Freeze import Executable, setup
 with open("share/version.txt") as f:
     version = f.read().strip()
 
-packages = ["dangerzone", "dangerzone.gui"]
 
 setup(
     name="dangerzone",
@@ -12,10 +11,13 @@ setup(
     # On Windows description will show as the app's name in the "Open With" menu. See:
     # https://github.com/freedomofpress/dangerzone/issues/283#issuecomment-1365148805
     description="Dangerzone",
-    packages=packages,
     options={
         "build_exe": {
-            "packages": packages,
+            # Explicitly specify pymupdf.util module to fix building the executables
+            # with cx_freeze. See https://github.com/marcelotduarte/cx_Freeze/issues/2653
+            # for more details.
+            # TODO: Upgrade to cx_freeze 7.3.0 which should include a fix.
+            "packages": ["dangerzone", "dangerzone.gui", "pymupdf.utils"],
             "excludes": ["test", "tkinter"],
             "include_files": [("share", "share"), ("LICENSE", "LICENSE")],
             "include_msvcr": True,

tests/isolation_provider/base.py

@@ -164,6 +164,7 @@ class IsolationProviderTermination:
         terminate_proc_mock = mocker.patch.object(
             provider, "terminate_doc_to_pixels_proc", return_value=None
         )
+        kill_pg_orig = base.kill_process_group
         kill_pg_mock = mocker.patch(
             "dangerzone.isolation_provider.base.kill_process_group", return_value=None
         )
@@ -178,6 +179,7 @@ class IsolationProviderTermination:
 
         # Reset the function to the original state.
         provider.terminate_doc_to_pixels_proc = terminate_proc_orig  # type: ignore [method-assign]
+        base.kill_process_group = kill_pg_orig
 
         # Really kill the spawned process, so that it doesn't linger after the tests
         # complete.