WIP: Come on ci, do something

Add some CVEs in our ignore list, which are present in the new Debian
image. These CVEs are marked as "wont-fix" by the Debian Security team.

.github/workflows/check_repos.yml

@@ -46,30 +46,16 @@ jobs:
           apt update
           apt-get install python-all -y
 
-      - name: Add packages.freedom.press PGP key (gpg)
-        if: matrix.version != 'trixie'
+      - name: Add GPG key for the packages.freedom.press
         run: |
           apt-get update && apt-get install -y gnupg2 ca-certificates
           dirmngr  # NOTE: This is a command that's necessary only in containers
-          # The key needs to be in the GPG keybox database format so the
-          # signing subkey is detected by apt-secure.
           gpg --keyserver hkps://keys.openpgp.org \
               --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
               --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
           mkdir -p /etc/apt/keyrings/
-          mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.
+          mv fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings
 
-      - name: Add packages.freedom.press PGP key (sq)
-        if: matrix.version == 'trixie'
-        run: |
-          apt-get update && apt-get install -y ca-certificates sq
-          mkdir -p /etc/apt/keyrings/
-          # On debian trixie, apt-secure uses `sqv` to verify the signatures
-          # so we need to retrieve PGP keys and store them using the base64 format.
-          sq network keyserver \
-             --server hkps://keys.openpgp.org \
-             search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-             --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
       - name: Add packages.freedom.press to our APT sources
         run: |
           . /etc/os-release
@@ -89,6 +75,8 @@ jobs:
     strategy:
       matrix:
         include:
+          - distro: fedora
+            version: 39
           - distro: fedora
             version: 40
           - distro: fedora

INSTALL.md

@@ -84,20 +84,9 @@ Dangerzone is available for:
   </tr>
 </table>
 
-First, retrieve the PGP keys.
+Add our repository following these instructions:
 
-Starting with Trixie, follow these instructions to download the PGP keys:
-
-```bash
-sudo apt-get update && sudo apt-get install sq -y
-mkdir -p /etc/apt/keyrings/
-sq network keyserver \
-   --server hkps://keys.openpgp.org \
-   search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-   --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
-```
-
-On other Debian-derivatives:
+Download the GPG key for the repo:
 
 ```sh
 sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
@@ -105,12 +94,10 @@ gpg --keyserver hkps://keys.openpgp.org \
     --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
     --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
 sudo mkdir -p /etc/apt/keyrings/
-sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
-    --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+sudo mv fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings
 ```
 
-Then, on all distributions, add the URL of the repo in your APT sources:
+Add the URL of the repo in your APT sources:
 
 ```sh
 . /etc/os-release

RELEASE.md

@@ -8,13 +8,12 @@ Here is a list of tasks that should be done before issuing the release:
 
 - [ ] Create a new issue named **QA and Release for version \<VERSION\>**, to track the general progress.
       You can generate its content with the the `poetry run ./dev_scripts/generate-release-tasks.py` command.
-- [ ] [Add new Linux platforms and remove obsolete ones](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#add-new-linux-platforms-and-remove-obsolete-ones)
+- [ ] [Add new Linux platforms and remove obsolete ones](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#add-new-platforms-and-remove-obsolete-ones)
 - [ ] Bump the Python dependencies using `poetry lock`
 - [ ] Update `version` in `pyproject.toml`
 - [ ] Update `share/version.txt`
 - [ ] Update the "Version" field in `install/linux/dangerzone.spec`
 - [ ] Bump the Debian version by adding a new changelog entry in `debian/changelog`
-- [ ] [Bump the minimum Docker Desktop versions](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#bump-the-minimum-docker-desktop-version) in `isolation_provider/container.py`
 - [ ] Bump the dates and versions in the `Dockerfile`
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
@@ -48,12 +47,6 @@ In case of the removal of a version:
    * Consult the previous paragraph, but also `grep` your way around.
 2. Add a notice in our `CHANGELOG.md` about the version removal.
 
-## Bump the minimum Docker Desktop version
-
-We embed the minimum docker desktop versions inside Dangerzone, as an incentive for our macOS and Windows users to upgrade to the latests version.
-
-You can find the latest version at the time of the release by looking at [their release notes](https://docs.docker.com/desktop/release-notes/)
-
 ## Large Document Testing
 
 Parallel to the QA process, the release candidate should be put through the large document tests in a dedicated machine to run overnight.

THIRD_PARTY_NOTICE

@@ -1,14 +0,0 @@
-This project includes third-party components as follows:
-
-1. gVisor APT Key
-   - URL: https://gvisor.dev/archive.key
-   - Last updated: 2025-01-21
-   - Description: This is the public key used for verifying packages from the gVisor repository.
-
-2. Reproducible Containers Helper Script
-   - URL: https://github.com/reproducible-containers/repro-sources-list.sh/blob/d15cf12b26395b857b24fba223b108aff1c91b26/repro-sources-list.sh
-   - Last updated: 2025-01-21
-   - Description: This script is used for building reproducible Debian images.
-
-Please refer to the respective sources for licensing information and further details regarding the use of these components.
-

dangerzone/cli.py

@@ -42,12 +42,6 @@ def print_header(s: str) -> None:
     type=click.UNPROCESSED,
     callback=args.validate_input_filenames,
 )
-@click.option(
-    "--debug",
-    "debug",
-    flag_value=True,
-    help="Run Dangerzone in debug mode, to get logs from gVisor.",
-)
 @click.version_option(version=get_version(), message="%(version)s")
 @errors.handle_document_errors
 def cli_main(
@@ -56,7 +50,6 @@ def cli_main(
     filenames: List[str],
     archive: bool,
     dummy_conversion: bool,
-    debug: bool,
 ) -> None:
     setup_logging()
 
@@ -65,7 +58,7 @@ def cli_main(
     elif is_qubes_native_conversion():
         dangerzone = DangerzoneCore(Qubes())
     else:
-        dangerzone = DangerzoneCore(Container(debug=debug))
+        dangerzone = DangerzoneCore(Container())
 
     display_banner()
     if len(filenames) == 1 and output_filename:

dangerzone/container_helpers/entrypoint.py

@@ -59,82 +59,17 @@ oci_config: dict[str, typing.Any] = {
     "root": {"path": "/", "readonly": True},
     "hostname": "dangerzone",
     "mounts": [
-        # Mask almost every system directory of the outer container, by mounting tmpfs
-        # on top of them. This is done to avoid leaking any sensitive information,
-        # either mounted by Podman/Docker, or when gVisor runs, since we reuse the same
-        # rootfs. We basically mask everything except for `/usr`, `/bin`, `/lib`,
-        # and `/etc`.
-        #
-        # Note that we set `--root /home/dangerzone/.containers` for the directory where
-        # gVisor will create files at runtime, which means that in principle, we are
-        # covered by the masking of `/home/dangerzone` that follows below.
-        #
-        # Finally, note that the following list has been taken from the dirs in our
-        # container image, and double-checked against the top-level dirs listed in the
-        # Filesystem Hierarchy Standard (FHS) [1]. It would be nice to have an allowlist
-        # approach instead of a denylist, but FHS is such an old standard that we don't
-        # expect any new top-level dirs to pop up any time soon.
-        #
-        # [1] https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
-        {
-            "destination": "/boot",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev", "ro"],
-        },
-        {
-            "destination": "/dev",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev"],
-        },
-        {
-            "destination": "/home",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev", "ro"],
-        },
-        {
-            "destination": "/media",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev", "ro"],
-        },
-        {
-            "destination": "/mnt",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev", "ro"],
-        },
         {
             "destination": "/proc",
             "type": "proc",
             "source": "proc",
         },
         {
-            "destination": "/root",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev", "ro"],
-        },
-        {
-            "destination": "/run",
+            "destination": "/dev",
             "type": "tmpfs",
             "source": "tmpfs",
             "options": ["nosuid", "noexec", "nodev"],
         },
-        {
-            "destination": "/sbin",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev", "ro"],
-        },
-        {
-            "destination": "/srv",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev", "ro"],
-        },
         {
             "destination": "/sys",
             "type": "tmpfs",
@@ -147,27 +82,6 @@ oci_config: dict[str, typing.Any] = {
             "source": "tmpfs",
             "options": ["nosuid", "noexec", "nodev"],
         },
-        {
-            "destination": "/var",
-            "type": "tmpfs",
-            "source": "tmpfs",
-            "options": ["nosuid", "noexec", "nodev"],
-        },
-        # Also mask some files that are usually mounted by Docker / Podman. These files
-        # should not contain any sensitive information, since we use the `--network
-        # none` flag, but we want to make sure in any case.
-        {
-            "destination": "/etc/hostname",
-            "type": "bind",
-            "source": "/dev/null",
-            "options": ["rbind", "ro"],
-        },
-        {
-            "destination": "/etc/hosts",
-            "type": "bind",
-            "source": "/dev/null",
-            "options": ["rbind", "ro"],
-        },
         # LibreOffice needs a writable home directory, so just mount a tmpfs
         # over it.
         {

dangerzone/gui/main_window.py

@@ -124,7 +124,6 @@ class MainWindow(QtWidgets.QMainWindow):
 
         self.setWindowTitle("Dangerzone")
         self.setWindowIcon(self.dangerzone.get_window_icon())
-        self.alert: Optional[Alert] = None
 
         self.setMinimumWidth(600)
         if platform.system() == "Darwin":
@@ -227,13 +226,6 @@ class MainWindow(QtWidgets.QMainWindow):
         # This allows us to make QSS rules conditional on the OS color mode.
         self.setProperty("OSColorMode", self.dangerzone.app.os_color_mode.value)
 
-        if hasattr(self.dangerzone.isolation_provider, "check_docker_desktop_version"):
-            is_version_valid, version = (
-                self.dangerzone.isolation_provider.check_docker_desktop_version()
-            )
-            if not is_version_valid:
-                self.handle_docker_desktop_version_check(is_version_valid, version)
-
         self.show()
 
     def show_update_success(self) -> None:
@@ -287,46 +279,6 @@ class MainWindow(QtWidgets.QMainWindow):
         self.dangerzone.settings.set("updater_check", check)
         self.dangerzone.settings.save()
 
-    def handle_docker_desktop_version_check(
-        self, is_version_valid: bool, version: str
-    ) -> None:
-        hamburger_menu = self.hamburger_button.menu()
-        sep = hamburger_menu.insertSeparator(hamburger_menu.actions()[0])
-        upgrade_action = QAction("Docker Desktop should be upgraded", hamburger_menu)
-        upgrade_action.setIcon(
-            QtGui.QIcon(
-                load_svg_image(
-                    "hamburger_menu_update_dot_error.svg", width=64, height=64
-                )
-            )
-        )
-
-        message = """
-        <p>A new version of Docker Desktop is available. Please upgrade your system.</p>
-        <p>Visit the <a href="https://www.docker.com/products/docker-desktop">Docker Desktop website</a> to download the latest version.</p>
-        <em>Keeping Docker Desktop up to date allows you to have more confidence that your documents are processed safely.</em>
-        """
-        self.alert = Alert(
-            self.dangerzone,
-            title="Upgrade Docker Desktop",
-            message=message,
-            ok_text="Ok",
-            has_cancel=False,
-        )
-
-        def _launch_alert() -> None:
-            if self.alert:
-                self.alert.launch()
-
-        upgrade_action.triggered.connect(_launch_alert)
-        hamburger_menu.insertAction(sep, upgrade_action)
-
-        self.hamburger_button.setIcon(
-            QtGui.QIcon(
-                load_svg_image("hamburger_menu_update_error.svg", width=64, height=64)
-            )
-        )
-
     def handle_updates(self, report: UpdateReport) -> None:
         """Handle update reports from the update checker thread.
 
@@ -413,7 +365,7 @@ class MainWindow(QtWidgets.QMainWindow):
         self.content_widget.show()
 
     def closeEvent(self, e: QtGui.QCloseEvent) -> None:
-        self.alert = Alert(
+        alert_widget = Alert(
             self.dangerzone,
             message="Some documents are still being converted.\n Are you sure you want to quit?",
             ok_text="Abort conversions",
@@ -427,7 +379,7 @@ class MainWindow(QtWidgets.QMainWindow):
             else:
                 self.dangerzone.app.exit(0)
         else:
-            accept_exit = self.alert.launch()
+            accept_exit = alert_widget.launch()
             if not accept_exit:
                 e.ignore()
                 return
@@ -671,7 +623,7 @@ class ContentWidget(QtWidgets.QWidget):
 
     def documents_selected(self, docs: List[Document]) -> None:
         if self.conversion_started:
-            self.alert = Alert(
+            Alert(
                 self.dangerzone,
                 message="Dangerzone does not support adding documents after the conversion has started.",
                 has_cancel=False,
@@ -681,7 +633,7 @@ class ContentWidget(QtWidgets.QWidget):
         # Ensure all files in batch are in the same directory
         dirnames = {os.path.dirname(doc.input_filename) for doc in docs}
         if len(dirnames) > 1:
-            self.alert = Alert(
+            Alert(
                 self.dangerzone,
                 message="Dangerzone does not support adding documents from multiple locations.\n\n The newly added documents were ignored.",
                 has_cancel=False,
@@ -850,14 +802,14 @@ class DocSelectionDropFrame(QtWidgets.QFrame):
             text = f"{num_unsupported_docs} files are not supported."
             ok_text = "Continue without these files"
 
-        self.alert = Alert(
+        alert_widget = Alert(
             self.dangerzone,
             message=f"{text}\nThe supported extensions are: "
             + ", ".join(get_supported_extensions()),
             ok_text=ok_text,
         )
 
-        return self.alert.exec_()
+        return alert_widget.exec_()
 
 
 class SettingsWidget(QtWidgets.QWidget):

dangerzone/isolation_provider/base.py

@@ -5,9 +5,7 @@ import platform
 import signal
 import subprocess
 import sys
-import threading
 from abc import ABC, abstractmethod
-from io import BytesIO
 from typing import IO, Callable, Iterator, Optional
 
 import fitz
@@ -20,6 +18,10 @@ from ..util import get_tessdata_dir, replace_control_chars
 
 log = logging.getLogger(__name__)
 
+MAX_CONVERSION_LOG_CHARS = 150 * 50  # up to ~150 lines of 50 characters
+DOC_TO_PIXELS_LOG_START = "----- DOC TO PIXELS LOG START -----"
+DOC_TO_PIXELS_LOG_END = "----- DOC TO PIXELS LOG END -----"
+
 TIMEOUT_EXCEPTION = 15
 TIMEOUT_GRACE = 15
 TIMEOUT_FORCE = 5
@@ -73,9 +75,9 @@ def read_int(f: IO[bytes]) -> int:
     return int.from_bytes(untrusted_int, "big", signed=False)
 
 
-def sanitize_debug_text(text: bytes) -> str:
-    """Read all the buffer and return a sanitized version"""
-    untrusted_text = text.decode("ascii", errors="replace")
+def read_debug_text(f: IO[bytes], size: int) -> str:
+    """Read arbitrarily long text (for debug purposes), and sanitize it."""
+    untrusted_text = f.read(size).decode("ascii", errors="replace")
     return replace_control_chars(untrusted_text, keep_newlines=True)
 
 
@@ -84,16 +86,12 @@ class IsolationProvider(ABC):
     Abstracts an isolation provider
     """
 
-    def __init__(self, debug: bool = False) -> None:
-        self.debug = debug
-        if self.should_capture_stderr():
+    def __init__(self) -> None:
+        if getattr(sys, "dangerzone_dev", False) is True:
             self.proc_stderr = subprocess.PIPE
         else:
             self.proc_stderr = subprocess.DEVNULL
 
-    def should_capture_stderr(self) -> bool:
-        return self.debug or getattr(sys, "dangerzone_dev", False)
-
     @abstractmethod
     def install(self) -> bool:
         pass
@@ -329,11 +327,7 @@ class IsolationProvider(ABC):
         timeout_force: int = TIMEOUT_FORCE,
     ) -> Iterator[subprocess.Popen]:
         """Start a conversion process, pass it to the caller, and then clean it up."""
-        # Store the proc stderr in memory
-        stderr = BytesIO()
         p = self.start_doc_to_pixels_proc(document)
-        stderr_thread = self.start_stderr_thread(p, stderr)
-
         if platform.system() != "Windows":
             assert os.getpgid(p.pid) != os.getpgid(
                 os.getpid()
@@ -349,40 +343,15 @@ class IsolationProvider(ABC):
                 document, p, timeout_grace=timeout_grace, timeout_force=timeout_force
             )
 
-            if stderr_thread:
-                # Wait for the thread to complete. If it's still alive, mention it in the debug log.
-                stderr_thread.join(timeout=1)
-
-                debug_bytes = stderr.getvalue()
-                debug_log = sanitize_debug_text(debug_bytes)
-
-                incomplete = "(incomplete) " if stderr_thread.is_alive() else ""
-
+            # Read the stderr of the process only if:
+            # * Dev mode is enabled.
+            # * The process has exited (else we risk hanging).
+            if getattr(sys, "dangerzone_dev", False) and p.poll() is not None:
+                assert p.stderr
+                debug_log = read_debug_text(p.stderr, MAX_CONVERSION_LOG_CHARS)
                 log.info(
                     "Conversion output (doc to pixels)\n"
-                    f"----- DOC TO PIXELS LOG START {incomplete}-----\n"
+                    f"{DOC_TO_PIXELS_LOG_START}\n"
                     f"{debug_log}"  # no need for an extra newline here
-                    "----- DOC TO PIXELS LOG END -----"
+                    f"{DOC_TO_PIXELS_LOG_END}"
                 )
-
-    def start_stderr_thread(
-        self, process: subprocess.Popen, stderr: IO[bytes]
-    ) -> Optional[threading.Thread]:
-        """Start a thread to read stderr from the process"""
-
-        def _stream_stderr(process_stderr: IO[bytes]) -> None:
-            try:
-                for line in process_stderr:
-                    stderr.write(line)
-            except (ValueError, IOError) as e:
-                log.debug(f"Stderr stream closed: {e}")
-
-        if process.stderr:
-            stderr_thread = threading.Thread(
-                target=_stream_stderr,
-                args=(process.stderr,),
-                daemon=True,
-            )
-            stderr_thread.start()
-            return stderr_thread
-        return None

dangerzone/isolation_provider/container.py

@@ -3,7 +3,7 @@ import os
 import platform
 import shlex
 import subprocess
-from typing import List, Tuple
+from typing import List
 
 from .. import container_utils, errors
 from ..document import Document
@@ -11,10 +11,7 @@ from ..util import get_resource_path, get_subprocess_startupinfo
 from .base import IsolationProvider, terminate_process_group
 
 TIMEOUT_KILL = 5  # Timeout in seconds until the kill command returns.
-MINIMUM_DOCKER_DESKTOP = {
-    "Darwin": "4.36.0",
-    "Windows": "4.36.0",
-}
+
 
 # Define startupinfo for subprocesses
 if platform.system() == "Windows":
@@ -124,7 +121,6 @@ class Container(IsolationProvider):
     def is_available() -> bool:
         container_runtime = container_utils.get_runtime()
         runtime_name = container_utils.get_runtime_name()
-
         # Can we run `docker/podman image ls` without an error
         with subprocess.Popen(
             [container_runtime, "image", "ls"],
@@ -139,28 +135,6 @@ class Container(IsolationProvider):
                 )
             return True
 
-    def check_docker_desktop_version(self) -> Tuple[bool, str]:
-        # On windows and darwin, check that the minimum version is met
-        version = ""
-        if platform.system() != "Linux":
-            with subprocess.Popen(
-                ["docker", "version", "--format", "{{.Server.Platform.Name}}"],
-                stdout=subprocess.PIPE,
-                stderr=subprocess.PIPE,
-                startupinfo=get_subprocess_startupinfo(),
-            ) as p:
-                stdout, stderr = p.communicate()
-                if p.returncode != 0:
-                    # When an error occurs, consider that the check went
-                    # through, as we're checking for installation compatibiliy
-                    # somewhere else already
-                    return True, version
-                # The output is like "Docker Desktop 4.35.1 (173168)"
-                version = stdout.decode().replace("Docker Desktop", "").split()[0]
-                if version < MINIMUM_DOCKER_DESKTOP[platform.system()]:
-                    return False, version
-        return True, version
-
     def doc_to_pixels_container_name(self, document: Document) -> str:
         """Unique container name for the doc-to-pixels phase."""
         return f"dangerzone-doc-to-pixels-{document.id}"
@@ -194,10 +168,6 @@ class Container(IsolationProvider):
     ) -> subprocess.Popen:
         container_runtime = container_utils.get_runtime()
         security_args = self.get_runtime_security_args()
-        debug_args = []
-        if self.debug:
-            debug_args += ["-e", "RUNSC_DEBUG=1"]
-
         enable_stdin = ["-i"]
         set_name = ["--name", name]
         prevent_leakage_args = ["--rm"]
@@ -207,14 +177,14 @@ class Container(IsolationProvider):
         args = (
             ["run"]
             + security_args
-            + debug_args
             + prevent_leakage_args
             + enable_stdin
             + set_name
             + image_name
             + command
         )
-        return self.exec([container_runtime] + args)
+        args = [container_runtime] + args
+        return self.exec(args)
 
     def kill_container(self, name: str) -> None:
         """Terminate a spawned container.

dangerzone/logic.py

@@ -71,7 +71,6 @@ class DangerzoneCore(object):
                     ocr_lang,
                     stdout_callback,
                 )
-
             except Exception:
                 log.exception(
                     f"Unexpected error occurred while converting '{document}'"

dev_scripts/reproduce-image.py

@@ -34,7 +34,7 @@ def git_commit_get():
 
 
 def git_determine_tag():
-    return run("git", "describe", "--long", "--first-parent").decode().strip()[1:]
+    return run("git", "describe", "--long", "--first-parent").decode().strip()
 
 
 def git_verify(commit, source):
@@ -116,7 +116,7 @@ def parse_args():
     image_tag = git_determine_tag()
     # TODO: Remove the local "podman://" prefix once we have started pushing images to a
     # remote.
-    default_image_name = f"podman://{IMAGE_NAME}:{image_tag}"
+    default_image_name = "podman://" + IMAGE_NAME + ":" + image_tag
 
     parser = argparse.ArgumentParser(
         prog=sys.argv[0],
@@ -124,6 +124,7 @@ def parse_args():
     )
     parser.add_argument(
         "--source",
+        required=True,
         default=default_image_name,
         help=(
             "The name of the image that you want to reproduce. If the image resides in"
@@ -157,7 +158,7 @@ def main():
         diffoci_download()
 
     tag = f"reproduce-{commit}"
-    target = f"{IMAGE_NAME}:{tag}"
+    target = f"dangerzone.rocks/dangerzone:{tag}"
     logger.info(f"Building container image and tagging it as '{target}'")
     build_image(tag, args.use_cache)
 

tests/gui/test_main_window.py

@@ -587,57 +587,3 @@ def test_installation_failure_return_false(qtbot: QtBot, mocker: MockerFixture)
 
     assert "the following error occured" in widget.label.text()
     assert "The image cannot be found" in widget.traceback.toPlainText()
-
-
-def test_up_to_date_docker_desktop_does_nothing(
-    qtbot: QtBot, mocker: MockerFixture
-) -> None:
-    # Setup install to return False
-    mock_app = mocker.MagicMock()
-    dummy = mocker.MagicMock(spec=Container)
-    dummy.check_docker_desktop_version.return_value = (True, "1.0.0")
-    dz = DangerzoneGui(mock_app, dummy)
-
-    window = MainWindow(dz)
-    qtbot.addWidget(window)
-
-    menu_actions = window.hamburger_button.menu().actions()
-    assert "Docker Desktop should be upgraded" not in [
-        a.toolTip() for a in menu_actions
-    ]
-
-
-def test_outdated_docker_desktop_displays_warning(
-    qtbot: QtBot, mocker: MockerFixture
-) -> None:
-    # Setup install to return False
-    mock_app = mocker.MagicMock()
-    dummy = mocker.MagicMock(spec=Container)
-    dummy.check_docker_desktop_version.return_value = (False, "1.0.0")
-
-    dz = DangerzoneGui(mock_app, dummy)
-
-    load_svg_spy = mocker.spy(main_window_module, "load_svg_image")
-
-    window = MainWindow(dz)
-    qtbot.addWidget(window)
-
-    menu_actions = window.hamburger_button.menu().actions()
-    assert menu_actions[0].toolTip() == "Docker Desktop should be upgraded"
-
-    # Check that the hamburger icon has changed with the expected SVG image.
-    assert load_svg_spy.call_count == 4
-    assert (
-        load_svg_spy.call_args_list[2].args[0] == "hamburger_menu_update_dot_error.svg"
-    )
-
-    alert_spy = mocker.spy(window.alert, "launch")
-
-    # Clicking the menu item should open a warning message
-    def _check_alert_displayed() -> None:
-        alert_spy.assert_any_call()
-        if window.alert:
-            window.alert.close()
-
-    QtCore.QTimer.singleShot(0, _check_alert_displayed)
-    menu_actions[0].trigger()

tests/isolation_provider/test_container.py

@@ -1,5 +1,4 @@
 import os
-import platform
 
 import pytest
 from pytest_mock import MockerFixture
@@ -109,92 +108,6 @@ class TestContainer(IsolationProviderTest):
         with pytest.raises(errors.ImageNotPresentException):
             provider.install()
 
-    @pytest.mark.skipif(
-        platform.system() not in ("Windows", "Darwin"),
-        reason="macOS and Windows specific",
-    )
-    def test_old_docker_desktop_version_is_detected(
-        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
-    ) -> None:
-        fp.register_subprocess(
-            [
-                "docker",
-                "version",
-                "--format",
-                "{{.Server.Platform.Name}}",
-            ],
-            stdout="Docker Desktop 1.0.0 (173100)",
-        )
-
-        mocker.patch(
-            "dangerzone.isolation_provider.container.MINIMUM_DOCKER_DESKTOP",
-            {"Darwin": "1.0.1", "Windows": "1.0.1"},
-        )
-        assert (False, "1.0.0") == provider.check_docker_desktop_version()
-
-    @pytest.mark.skipif(
-        platform.system() not in ("Windows", "Darwin"),
-        reason="macOS and Windows specific",
-    )
-    def test_up_to_date_docker_desktop_version_is_detected(
-        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
-    ) -> None:
-        fp.register_subprocess(
-            [
-                "docker",
-                "version",
-                "--format",
-                "{{.Server.Platform.Name}}",
-            ],
-            stdout="Docker Desktop 1.0.1 (173100)",
-        )
-
-        # Require version 1.0.1
-        mocker.patch(
-            "dangerzone.isolation_provider.container.MINIMUM_DOCKER_DESKTOP",
-            {"Darwin": "1.0.1", "Windows": "1.0.1"},
-        )
-        assert (True, "1.0.1") == provider.check_docker_desktop_version()
-
-        fp.register_subprocess(
-            [
-                "docker",
-                "version",
-                "--format",
-                "{{.Server.Platform.Name}}",
-            ],
-            stdout="Docker Desktop 2.0.0 (173100)",
-        )
-        assert (True, "2.0.0") == provider.check_docker_desktop_version()
-
-    @pytest.mark.skipif(
-        platform.system() not in ("Windows", "Darwin"),
-        reason="macOS and Windows specific",
-    )
-    def test_docker_desktop_version_failure_returns_true(
-        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
-    ) -> None:
-        fp.register_subprocess(
-            [
-                "docker",
-                "version",
-                "--format",
-                "{{.Server.Platform.Name}}",
-            ],
-            stderr="Oopsie",
-            returncode=1,
-        )
-        assert provider.check_docker_desktop_version() == (True, "")
-
-    @pytest.mark.skipif(
-        platform.system() != "Linux",
-        reason="Linux specific",
-    )
-    def test_linux_skips_desktop_version_check_returns_true(
-        self, mocker: MockerFixture, provider: Container
-    ) -> None:
-        assert (True, "") == provider.check_docker_desktop_version()
-
 
 class TestContainerTermination(IsolationProviderTermination):
     pass