Merge 1404304691 into 504a9e1df2

.github/workflows/build.yml

@@ -1,10 +1,6 @@
 name: Build dev environments
 on:
-  pull_request:
   push:
-    branches:
-      - main
-      - "test/**"
   schedule:
     - cron: "0 0 * * *" # Run every day at 00:00 UTC.
 
@@ -47,6 +43,8 @@ jobs:
             version: bookworm
           - distro: debian
             version: trixie
+          - distro: fedora
+            version: "39"
           - distro: fedora
             version: "40"
           - distro: fedora

.github/workflows/check_pr.yml

@@ -26,10 +26,9 @@ jobs:
         with:
           fetch-depth: 0
       - name: ensure CHANGELOG.md is populated
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-        shell: bash
         run: |
-          if git diff --exit-code "origin/${BASE_REF}" -- CHANGELOG.md; then
-              echo "::warning::No CHANGELOG.md modifications found in this pull request. You can override this check by adding the 'no changelog' label to the pull request."
+          CHANGELOG_MODIFIED=$(git diff --name-only ${GITHUB_SHA} | grep -c "CHANGELOG.md")
+          if [ $CHANGELOG_MODIFIED -eq 0 ]; then
+            echo "::error::No CHANGELOG modifications found in this pull request. Please update the CHANGELOG."
+            exit 1
           fi

.github/workflows/ci.yml

@@ -1,10 +1,8 @@
 name: Tests
 on:
-  pull_request:
   push:
-    branches:
-      - main
-      - "test/**"
+  pull_request:
+    branches: [main]
   schedule:
     - cron: "2 0 * * *" # Run every day at 02:00 UTC.
   workflow_dispatch:
@@ -93,8 +91,7 @@ jobs:
 
   windows:
     runs-on: windows-latest
-    needs:
-      - download-tessdata
+    needs: download-tessdata
     env:
       DUMMY_CONVERSION: 1
     steps:
@@ -124,8 +121,7 @@ jobs:
   macOS:
     name: "macOS (${{ matrix.arch }})"
     runs-on: ${{ matrix.runner }}
-    needs:
-      - download-tessdata
+    needs: download-tessdata
     strategy:
       matrix:
         include:
@@ -153,10 +149,9 @@ jobs:
         run: poetry run make test
 
   build-deb:
-    needs:
-      - build-container-image
     name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
+    needs: build-container-image
     strategy:
       matrix:
         include:
@@ -224,8 +219,7 @@ jobs:
   install-deb:
     name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
     runs-on: ubuntu-latest
-    needs: 
-      - build-deb
+    needs: build-deb
     strategy:
       matrix:
         include:
@@ -279,12 +273,11 @@ jobs:
   build-install-rpm:
     name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
     runs-on: ubuntu-latest
-    needs:
-      - build-container-image
+    needs: build-container-image
     strategy:
       matrix:
         distro: ["fedora"]
-        version: ["40", "41"]
+        version: ["39", "40", "41"]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -328,7 +321,7 @@ jobs:
         run: |
           ./dev_scripts/env.py --distro ${{ matrix.distro }} \
               --version ${{ matrix.version }} \
-              build
+              build --download-pyside6
 
       - name: Run a test command
         run: |
@@ -363,6 +356,8 @@ jobs:
             version: bookworm
           - distro: debian
             version: trixie
+          - distro: fedora
+            version: "39"
           - distro: fedora
             version: "40"
           - distro: fedora

.github/workflows/scan.yml

@@ -1,9 +1,8 @@
 name: Scan latest app and container
 on:
   push:
-    branches:
-      - main
   pull_request:
+    branches: [ main ]
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
   workflow_dispatch:

.github/workflows/scan_released.yml

@@ -6,22 +6,14 @@ on:
 
 jobs:
   security-scan-container:
-    strategy:
-      matrix:
-        include:
-          - runs-on: ubuntu-latest
-            arch: i686
-          # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
-          # - runs-on: macos-latest
-          #   arch: arm64
-    runs-on: ${{ matrix.runs-on }}
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Download container image for the latest release and load it
         run: |
-          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | grep "tag_name" | cut -d '"' -f 4)
-          CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz
+          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
+          CONTAINER_FILENAME=container-${VERSION:1}-i686.tar.gz
           wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME}
           docker load -i ${CONTAINER_FILENAME}
       # NOTE: Scan first without failing, else we won't be able to read the scan
@@ -38,7 +30,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan_container.outputs.sarif }}
-          category: container-${{ matrix.arch }}
+          category: container
       - name: Inspect container scan report
         run: cat ${{ steps.scan_container.outputs.sarif }}
       - name: Scan container image

BUILD.md

@@ -260,17 +260,11 @@ The following instructions require typing commands in a terminal in dom0.
 
    ```
    qvm-create --class AppVM --label red --template fedora-40-dz dz
-   qvm-volume resize dz:private $(numfmt --from=auto 20Gi)
    ```
 
    > :bulb: Alternatively, you can use a different app qube for Dangerzone
    > development. In that case, replace `dz` with the qube of your choice in the
    > steps below.
-   >
-   > In the commands above, we also resize the private volume of the `dz` qube
-   > to 20GiB, since you may need some extra storage space when developing on
-   > Dangerzone (e.g., for container images, Tesseract data, and Python
-   > virtualenvs).
 
 4. Add an RPC policy (`/etc/qubes/policy.d/50-dangerzone.policy`) that will
    allow launching a disposable qube (`dz-dvm`) when Dangerzone converts a
@@ -314,9 +308,18 @@ test it.
 1. Install the `.rpm` package you just copied
 
    ```sh
+   sudo dnf install 'dnf-command(config-manager)'
+   sudo dnf-3 config-manager --add-repo=https://packages.freedom.press/yum-tools-prod/dangerzone/dangerzone.repo
    sudo dnf install ~/QubesIncoming/dz/*.rpm
    ```
 
+   In the above steps, we add the Dangerzone repo because it includes the
+   necessary PySide6 RPM in order to make Dangerzone work.
+
+   > [!NOTE]
+   > During the installation, you will be asked to
+   > [verify the Dangerzone GPG key](INSTALL.md#verifying-dangerzone-gpg-key).
+
 2. Shutdown the `fedora-40-dz` template
 
 ### Developing Dangerzone

CHANGELOG.md

@@ -7,14 +7,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 ## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.8.0...HEAD)
 
-### Added
+### Development changes
 
-- Disable gVisor's DirectFS feature ([#226](https://github.com/freedomofpress/dangerzone/issues/226)).
-  Thanks [EtiennePerot](https://github.com/EtiennePerot) for the contribution.
+- CI: Check that the changelog is populated on each pull request ([#995](https://github.com/freedomofpress/dangerzone/pull/995))
 
-### Removed
-
-- Platform support: Drop support for Fedora 39, since it's end-of-life ([#999](https://github.com/freedomofpress/dangerzone/pull/999))
 
 ## [0.8.0](https://github.com/freedomofpress/dangerzone/compare/v0.8.0...0.7.1)
 

Dockerfile

@@ -74,7 +74,9 @@ FROM alpine:latest
 RUN apk --no-cache -U upgrade && \
     apk --no-cache add python3
 
-RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
+# Temporarily pin gVisor to the latest working version (release-20240826.0).
+# See: https://github.com/freedomofpress/dangerzone/issues/928
+RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/20240826/$(uname -m)"; \
     wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
     sha512sum -c runsc.sha512 && \
     rm -f runsc.sha512 && \

INSTALL.md

@@ -1,21 +1,8 @@
 ## MacOS
-
-- Download [Dangerzone 0.8.0 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-arm64.dmg)
-- Download [Dangerzone 0.8.0 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-i686.dmg)
-
-You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `brew install --cask dangerzone`
-
-> **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
-> This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to
-> create the secure environment.
+See instructions in [README.md](README.md#macos).
 
 ## Windows
-
-- Download [Dangerzone 0.8.0 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0.msi)
-
-> **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
-> This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to
-> create the secure environment.
+See instructions in [README.md](README.md#windows).
 
 ## Linux
 On Linux, Dangerzone uses [Podman](https://podman.io/) instead of Docker Desktop for creating
@@ -31,6 +18,7 @@ Dangerzone is available for:
 - Debian 11 (bullseye)
 - Fedora 41
 - Fedora 40
+- Fedora 39
 - Tails
 - Qubes OS (beta support)
 
@@ -137,6 +125,23 @@ sudo apt install -y dangerzone
 
 ### Fedora
 
+<table>
+  <tr>
+    <td>
+<details>
+  <summary><i>:information_source: Backport notice for Fedora users regarding the <code>python3-pyside6</code> package</i></summary>
+  </br>
+
+  Fedora 39+ onwards does not provide official Python bindings for Qt. For
+  this reason, we provide our own `python3-pyside6` package (see
+  [build instructions](https://github.com/freedomofpress/maint-dangerzone-pyside6))
+  from our YUM repo. For a deeper dive on this subject, you may read
+  [this issue](https://github.com/freedomofpress/dangerzone/issues/211#issuecomment-1827777122).
+</details>
+    </td>
+  </tr>
+</table>
+
 Type the following commands in a terminal:
 
 ```

README.md

@@ -6,21 +6,33 @@ Take potentially dangerous PDFs, office documents, or images and convert them to
 | ![Settings](./assets/screenshot1.png) | ![Converting](./assets/screenshot2.png)
 |--|--|
 
-Dangerzone works like this: You give it a document that you don't know if you can trust (for example, an email attachment). Inside of a sandbox, Dangerzone converts the document to a PDF (if it isn't already one), and then converts the PDF into raw pixel data: a huge list of RGB color values for each page. Then, outside of the sandbox, Dangerzone takes this pixel data and converts it back into a PDF.
+Dangerzone works like this: You give it a document that you don't know if you can trust (for example, an email attachment). Inside of a sandbox, Dangerzone converts the document to a PDF (if it isn't already one), and then converts the PDF into raw pixel data: a huge list of RGB color values for each page. Then, in a separate sandbox, Dangerzone takes this pixel data and converts it back into a PDF.
 
 _Read more about Dangerzone in the [official site](https://dangerzone.rocks/about/)._
 
 ## Getting started
 
-Follow the instructions for each platform:
+### MacOS
+- Download [Dangerzone 0.8.0 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-arm64.dmg)
+- Download [Dangerzone 0.8.0 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-i686.dmg)
 
-* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#macos)
-* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#windows)
-* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
-* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
-* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#fedora)
-* [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#qubes-os)
-* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#tails)
+You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `brew install --cask dangerzone`
+
+> **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
+> This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to
+> create the secure environment.
+
+### Windows
+
+- Download [Dangerzone 0.8.0 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0.msi)
+
+> **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
+> This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to
+> create the secure environment.
+
+### Linux
+
+See [installing Dangerzone](INSTALL.md#linux) for adding the Linux repositories to your system.
 
 ## Some features
 

RELEASE.md

@@ -9,6 +9,7 @@ Before making a release, all of these should be complete:
 - [ ] Copy the checkboxes from these instructions onto a new issue and call it **QA and Release version \<VERSION\>**
 - [ ] [Add new Linux platforms and remove obsolete ones](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#add-new-platforms-and-remove-obsolete-ones)
 - [ ] Bump the Python dependencies using `poetry lock`
+- [ ] [Check for official PySide6 versions](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#check-for-official-pyside6-versions)
 - [ ] Update `version` in `pyproject.toml`
 - [ ] Update `share/version.txt`
 - [ ] Update the "Version" field in `install/linux/dangerzone.spec`
@@ -43,6 +44,16 @@ In case of an EOL version:
    * Consult the previous paragraph, but also `grep` your way around.
 2. Add a notice in our `CHANGELOG.md` about the version removal.
 
+## Check for official PySide6 versions
+
+PySide6 6.7.0 is available from the Fedora Rawhide repo, and we expect that a
+similar version will be pushed soon to the rest of the stable releases. Prior to
+a release, we should check if this has happened already. Once this happens, we
+should update our CI tests accordingly, and remove this notice.
+
+For more info, read:
+https://github.com/freedomofpress/maint-dangerzone-pyside6/issues/5
+
 ## Large Document Testing
 
 Parallel to the QA process, the release candidate should be put through the large document tests in a dedicated machine to run overnight.

dangerzone/gvisor_wrapper/entrypoint.py

@@ -142,9 +142,6 @@ runsc_argv = [
     "--rootless=true",
     "--network=none",
     "--root=/home/dangerzone/.containers",
-    # Disable DirectFS for to make the seccomp filter even stricter,
-    # at some performance cost.
-    "--directfs=false",
 ]
 if os.environ.get("RUNSC_DEBUG"):
     runsc_argv += ["--debug=true", "--alsologtostderr=true"]

dev_scripts/env.py

@@ -16,6 +16,42 @@ DEFAULT_USER = "user"
 DEFAULT_DRY = False
 DEFAULT_DEV = False
 DEFAULT_SHOW_DOCKERFILE = False
+DEFAULT_DOWNLOAD_PYSIDE6 = False
+
+PYSIDE6_VERSION = "6.7.1"
+PYSIDE6_RPM = "python3-pyside6-{pyside6_version}-1.fc{fedora_version}.x86_64.rpm"
+PYSIDE6_URL = (
+    "https://packages.freedom.press/yum-tools-prod/dangerzone/f{fedora_version}/%s"
+    % PYSIDE6_RPM
+)
+
+PYSIDE6_DL_MESSAGE = """\
+Downloading PySide6 RPM from:
+
+    {pyside6_url}
+
+into the following local path:
+
+    {pyside6_local_path}
+
+The RPM is over 100 MB, so this operation may take a while...
+"""
+
+PYSIDE6_NOT_FOUND_ERROR = """\
+The following package is not present in your system:
+
+    {pyside6_local_path}
+
+You can build it locally and copy it in the expected path, following the instructions
+in:
+
+    https://github.com/freedomofpress/python3-pyside6-rpm
+
+Alternatively, you can rerun the command adding the '--download-pyside6' flag, which
+will download it from:
+
+    {pyside6_url}
+"""
 
 # The Linux distributions that we currently support.
 # FIXME: Add a version mapping to avoid mistakes.
@@ -196,6 +232,11 @@ RUN apt-get update \
     && rm -rf /var/lib/apt/lists/*
 """
 
+DOCKERFILE_BUILD_FEDORA_39_DEPS = r"""
+COPY {pyside6_rpm} /tmp/pyside6.rpm
+RUN dnf install -y /tmp/pyside6.rpm
+"""
+
 DOCKERFILE_BUILD_FEDORA_DEPS = r"""
 RUN dnf install -y mupdf thunar && dnf clean all
 
@@ -349,6 +390,74 @@ def get_files_in(*folders: list[str]) -> list[pathlib.Path]:
     return files
 
 
+class PySide6Manager:
+    """Provision PySide6 RPMs in our Dangerzone environments.
+
+    This class holds all the logic around checking and downloading PySide RPMs. It can
+    check if the required RPM version is present under "/dist", and optionally download
+    it.
+    """
+
+    def __init__(self, distro_name, distro_version):
+        if distro_name != "fedora":
+            raise RuntimeError("Managing PySide6 RPMs is available only in Fedora")
+        self.distro_name = distro_name
+        self.distro_version = distro_version
+
+    @property
+    def version(self):
+        """The version of the PySide6 RPM."""
+        return PYSIDE6_VERSION
+
+    @property
+    def rpm_name(self):
+        """The name of the PySide6 RPM."""
+        return PYSIDE6_RPM.format(
+            pyside6_version=self.version, fedora_version=self.distro_version
+        )
+
+    @property
+    def rpm_url(self):
+        """The URL of the PySide6 RPM, as hosted in FPF's RPM repo."""
+        return PYSIDE6_URL.format(
+            pyside6_version=self.version,
+            fedora_version=self.distro_version,
+        )
+
+    @property
+    def rpm_local_path(self):
+        """The local path where this script will look for the PySide6 RPM."""
+        return git_root() / "dist" / self.rpm_name
+
+    @property
+    def is_rpm_present(self):
+        """Check if PySide6 RPM is present in the user's system."""
+        return self.rpm_local_path.exists()
+
+    def download_rpm(self):
+        """Download PySide6 from FPF's RPM repo."""
+        print(
+            PYSIDE6_DL_MESSAGE.format(
+                pyside6_url=self.rpm_url,
+                pyside6_local_path=self.rpm_local_path,
+            ),
+            file=sys.stderr,
+        )
+        try:
+            with (
+                urllib.request.urlopen(self.rpm_url) as r,
+                open(self.rpm_local_path, "wb") as f,
+            ):
+                shutil.copyfileobj(r, f)
+        except:
+            # NOTE: We purposefully catch all exceptions, since we want to catch Ctrl-C
+            # as well.
+            print("Download interrupted, removing file", file=sys.stderr)
+            self.rpm_local_path.unlink()
+            raise
+        print("PySide6 was downloaded successfully", file=sys.stderr)
+
+
 class Env:
     """A class that implements actions on Dangerzone environments"""
 
@@ -627,6 +736,7 @@ class Env:
     def build(
         self,
         show_dockerfile=DEFAULT_SHOW_DOCKERFILE,
+        download_pyside6=DEFAULT_DOWNLOAD_PYSIDE6,
     ):
         """Build a Linux environment and install Dangerzone in it."""
         build_dir = distro_build(self.distro, self.version)
@@ -639,6 +749,28 @@ class Env:
             package = package_src.name
             package_dst = build_dir / package
             install_cmd = "dnf install -y"
+
+            # NOTE: For Fedora 39, we check if a PySide6 RPM package exists in
+            # the user's system. If not, we either throw an error or download it from
+            # FPF's repo, according to the user's choice.
+            if self.version == "39":
+                pyside6 = PySide6Manager(self.distro, self.version)
+                if not pyside6.is_rpm_present:
+                    if download_pyside6:
+                        pyside6.download_rpm()
+                    else:
+                        print(
+                            PYSIDE6_NOT_FOUND_ERROR.format(
+                                pyside6_local_path=pyside6.rpm_local_path,
+                                pyside6_url=pyside6.rpm_url,
+                            ),
+                            file=sys.stderr,
+                        )
+                        return 1
+                shutil.copy(pyside6.rpm_local_path, build_dir / pyside6.rpm_name)
+                install_deps = (
+                    DOCKERFILE_BUILD_FEDORA_DEPS + DOCKERFILE_BUILD_FEDORA_39_DEPS
+                ).format(pyside6_rpm=pyside6.rpm_name)
         else:
             install_deps = DOCKERFILE_BUILD_DEBIAN_DEPS
             if self.distro == "ubuntu" and self.version in ("20.04", "focal"):
@@ -712,6 +844,7 @@ def env_build(args):
     env = Env.from_args(args)
     return env.build(
         show_dockerfile=args.show_dockerfile,
+        download_pyside6=args.download_pyside6,
     )
 
 
@@ -808,6 +941,12 @@ def parse_args():
         action="store_true",
         help="Do not build, only show the Dockerfile",
     )
+    parser_build.add_argument(
+        "--download-pyside6",
+        default=DEFAULT_DOWNLOAD_PYSIDE6,
+        action="store_true",
+        help="Download PySide6 from FPF's RPM repo",
+    )
 
     return parser.parse_args()
 

dev_scripts/generate-release-notes.py

@@ -1,254 +0,0 @@
-#!/usr/bin/env python3
-
-import argparse
-import asyncio
-import re
-import sys
-from datetime import datetime
-from typing import Dict, List, Optional, Tuple
-
-import httpx
-
-REPOSITORY = "https://github.com/freedomofpress/dangerzone/"
-TEMPLATE = "- {title} ([#{number}]({url}))"
-
-
-def parse_version(version: str) -> Tuple[int, int]:
-    """Extract major.minor from version string, ignoring patch"""
-    match = re.match(r"v?(\d+)\.(\d+)", version)
-    if not match:
-        raise ValueError(f"Invalid version format: {version}")
-    return (int(match.group(1)), int(match.group(2)))
-
-
-async def get_last_minor_release(
-    client: httpx.AsyncClient, owner: str, repo: str
-) -> Optional[str]:
-    """Get the latest minor release date (ignoring patches)"""
-    response = await client.get(f"https://api.github.com/repos/{owner}/{repo}/releases")
-    response.raise_for_status()
-    releases = response.json()
-
-    if not releases:
-        return None
-
-    # Get the latest minor version by comparing major.minor numbers
-    current_version = parse_version(releases[0]["tag_name"])
-    latest_date = None
-
-    for release in releases:
-        try:
-            version = parse_version(release["tag_name"])
-            if version < current_version:
-                latest_date = release["published_at"]
-                break
-        except ValueError:
-            continue
-
-    return latest_date
-
-
-async def get_issue_details(
-    client: httpx.AsyncClient, owner: str, repo: str, issue_number: int
-) -> Optional[dict]:
-    """Get issue title and number if it exists"""
-    response = await client.get(
-        f"https://api.github.com/repos/{owner}/{repo}/issues/{issue_number}"
-    )
-    if response.is_success:
-        data = response.json()
-        return {
-            "title": data["title"],
-            "number": data["number"],
-            "url": data["html_url"],
-        }
-    return None
-
-
-def extract_issue_number(pr_body: Optional[str]) -> Optional[int]:
-    """Extract issue number from PR body looking for common formats like 'Fixes #123' or 'Closes #123'"""
-    if not pr_body:
-        return None
-
-    patterns = [
-        r"(?:closes|fixes|resolves)\s*#(\d+)",
-        r"(?:close|fix|resolve)\s*#(\d+)",
-    ]
-
-    for pattern in patterns:
-        match = re.search(pattern, pr_body.lower())
-        if match:
-            return int(match.group(1))
-
-    return None
-
-
-async def verify_commit_in_master(
-    client: httpx.AsyncClient, owner: str, repo: str, commit_id: str
-) -> bool:
-    """Verify if a commit exists in master"""
-    response = await client.get(
-        f"https://api.github.com/repos/{owner}/{repo}/commits/{commit_id}"
-    )
-    return response.is_success and response.json().get("commit") is not None
-
-
-async def process_issue_events(
-    client: httpx.AsyncClient, owner: str, repo: str, issue: Dict
-) -> Optional[Dict]:
-    """Process events for a single issue"""
-    events_response = await client.get(f"{issue['url']}/events")
-    if not events_response.is_success:
-        return None
-
-    for event in events_response.json():
-        if event["event"] == "closed" and event.get("commit_id"):
-            if await verify_commit_in_master(client, owner, repo, event["commit_id"]):
-                return {
-                    "title": issue["title"],
-                    "number": issue["number"],
-                    "url": issue["html_url"],
-                }
-    return None
-
-
-async def get_closed_issues(
-    client: httpx.AsyncClient, owner: str, repo: str, since: str
-) -> List[Dict]:
-    """Get issues closed by commits to master since the given date"""
-    response = await client.get(
-        f"https://api.github.com/repos/{owner}/{repo}/issues",
-        params={
-            "state": "closed",
-            "sort": "updated",
-            "direction": "desc",
-            "since": since,
-            "per_page": 100,
-        },
-    )
-    response.raise_for_status()
-
-    tasks = []
-    since_date = datetime.strptime(since, "%Y-%m-%dT%H:%M:%SZ")
-
-    for issue in response.json():
-        if "pull_request" in issue:
-            continue
-
-        closed_at = datetime.strptime(issue["closed_at"], "%Y-%m-%dT%H:%M:%SZ")
-        if closed_at <= since_date:
-            continue
-
-        tasks.append(process_issue_events(client, owner, repo, issue))
-
-    results = await asyncio.gather(*tasks)
-    return [r for r in results if r is not None]
-
-
-async def process_pull_request(
-    client: httpx.AsyncClient,
-    owner: str,
-    repo: str,
-    pr: Dict,
-    closed_issues: List[Dict],
-) -> Optional[str]:
-    """Process a single pull request"""
-    issue_number = extract_issue_number(pr.get("body"))
-    if issue_number:
-        issue = await get_issue_details(client, owner, repo, issue_number)
-        if issue:
-            if not any(i["number"] == issue["number"] for i in closed_issues):
-                return TEMPLATE.format(**issue)
-            return None
-
-    return TEMPLATE.format(title=pr["title"], number=pr["number"], url=pr["html_url"])
-
-
-async def get_changes_since_last_release(
-    owner: str, repo: str, token: Optional[str] = None
-) -> List[str]:
-    headers = {
-        "Accept": "application/vnd.github.v3+json",
-    }
-    if token:
-        headers["Authorization"] = f"token {token}"
-    else:
-        print(
-            "Warning: No token provided. API rate limiting may occur.", file=sys.stderr
-        )
-
-    async with httpx.AsyncClient(headers=headers, timeout=30.0) as client:
-        # Get the date of last minor release
-        since = await get_last_minor_release(client, owner, repo)
-        if not since:
-            return []
-
-        changes = []
-
-        # Get issues closed by commits to master
-        closed_issues = await get_closed_issues(client, owner, repo, since)
-        changes.extend([TEMPLATE.format(**issue) for issue in closed_issues])
-
-        # Get merged PRs
-        response = await client.get(
-            f"https://api.github.com/repos/{owner}/{repo}/pulls",
-            params={
-                "state": "closed",
-                "sort": "updated",
-                "direction": "desc",
-                "per_page": 100,
-            },
-        )
-        response.raise_for_status()
-
-        # Process PRs in parallel
-        pr_tasks = []
-        for pr in response.json():
-            if not pr["merged_at"]:
-                continue
-            if since and pr["merged_at"] <= since:
-                break
-
-            pr_tasks.append(
-                process_pull_request(client, owner, repo, pr, closed_issues)
-            )
-
-        pr_results = await asyncio.gather(*pr_tasks)
-        changes.extend([r for r in pr_results if r is not None])
-
-        return changes
-
-
-async def main_async():
-    parser = argparse.ArgumentParser(description="Generate release notes from GitHub")
-    parser.add_argument("--token", "-t", help="the file path to the GitHub API token")
-    args = parser.parse_args()
-
-    token = None
-    if args.token:
-        with open(args.token) as f:
-            token = f.read().strip()
-    try:
-        url_path = REPOSITORY.rstrip("/").split("github.com/")[1]
-        owner, repo = url_path.split("/")[-2:]
-    except (ValueError, IndexError):
-        print("Error: Invalid GitHub URL", file=sys.stderr)
-        sys.exit(1)
-
-    try:
-        notes = await get_changes_since_last_release(owner, repo, token)
-        print("\n".join(notes))
-    except httpx.HTTPError as e:
-        print(f"Error: {e}", file=sys.stderr)
-        sys.exit(1)
-    except Exception as e:
-        print(f"Error: {e}", file=sys.stderr)
-        sys.exit(1)
-
-
-def main():
-    asyncio.run(main_async())
-
-
-if __name__ == "__main__":
-    main()

dev_scripts/qa.py

@@ -3,20 +3,14 @@
 import abc
 import argparse
 import difflib
-import json
 import logging
 import re
 import selectors
 import subprocess
 import sys
-import urllib.request
-from pathlib import Path
 
 logger = logging.getLogger(__name__)
 
-PYTHON_VERSION = "3.12"
-EOL_PYTHON_URL = "https://endoflife.date/api/python.json"
-
 CONTENT_QA = r"""## QA
 
 To ensure that new releases do not introduce regressions, and support existing
@@ -782,10 +776,6 @@ class QABase(abc.ABC):
                 self.prompt("Does it pass?", choices=["y", "n"])
         logger.info("Successfully completed QA scenarios")
 
-    @task("Download Tesseract data", auto=True)
-    def download_tessdata(self):
-        self.run("python", str(Path("install", "common", "download-tessdata.py")))
-
     @classmethod
     @abc.abstractmethod
     def get_id(cls):
@@ -812,40 +802,6 @@ class QAWindows(QABase):
         while msvcrt.kbhit():
             msvcrt.getch()
 
-    def get_latest_python_release(self):
-        with urllib.request.urlopen(EOL_PYTHON_URL) as f:
-            resp = f.read()
-            releases = json.loads(resp)
-            for release in releases:
-                if release["cycle"] == PYTHON_VERSION:
-                    # Transform the Python version string (e.g., "3.12.7") into a list
-                    # (e.g., [3, 12, 7]), and return it
-                    return [int(num) for num in release["latest"].split(".")]
-
-            raise RuntimeError(
-                f"Could not find a Python release for version {PYTHON_VERSION}"
-            )
-
-    @QABase.task(
-        f"Install the latest version of Python {PYTHON_VERSION}", ref=REF_BUILD
-    )
-    def install_python(self):
-        logger.info("Getting latest Python release")
-        try:
-            latest_version = self.get_latest_python_release()
-        except Exception:
-            logger.error("Could not verify that the latest Python version is installed")
-
-        cur_version = list(sys.version_info[:3])
-        if latest_version > cur_version:
-            self.prompt(
-                f"You need to install the latest Python version ({latest_version})"
-            )
-        elif latest_version == cur_version:
-            logger.info(
-                f"Verified that the latest Python version ({latest_version}) is installed"
-            )
-
     @QABase.task("Install and Run Docker Desktop", ref=REF_BUILD)
     def install_docker(self):
         logger.info("Checking if Docker Desktop is installed and running")
@@ -860,7 +816,7 @@ class QAWindows(QABase):
     )
     def install_poetry(self):
         self.run("python", "-m", "pip", "install", "poetry")
-        self.run("poetry", "install", "--sync")
+        self.run("poetry", "install")
 
     @QABase.task("Build Dangerzone container image", ref=REF_BUILD, auto=True)
     def build_image(self):
@@ -882,11 +838,9 @@ class QAWindows(QABase):
         return "windows"
 
     def start(self):
-        self.install_python()
         self.install_docker()
         self.install_poetry()
         self.build_image()
-        self.download_tessdata()
         self.run_tests()
         self.build_dangerzone_exe()
 
@@ -961,6 +915,7 @@ class QALinux(QABase):
             "--version",
             self.VERSION,
             "build",
+            "--download-pyside6",
         )
 
     @classmethod
@@ -978,7 +933,6 @@ class QALinux(QABase):
     def start(self):
         self.build_dev_image()
         self.build_container_image()
-        self.download_tessdata()
         self.run_tests()
         self.build_package()
         self.build_qa_image()
@@ -1055,6 +1009,10 @@ class QAFedora40(QAFedora):
     VERSION = "40"
 
 
+class QAFedora39(QAFedora):
+    VERSION = "39"
+
+
 def parse_args():
     parser = argparse.ArgumentParser(
         prog=sys.argv[0],

poetry.lock

@@ -11,28 +11,6 @@ files = [
     {file = "altgraph-0.17.4.tar.gz", hash = "sha256:1b5afbb98f6c4dcadb2e2ae6ab9fa994bbb8c1d75f4fa96d340f9437ae454406"},
 ]
 
-[[package]]
-name = "anyio"
-version = "4.6.2.post1"
-description = "High level compatibility layer for multiple asynchronous event loop implementations"
-optional = false
-python-versions = ">=3.9"
-files = [
-    {file = "anyio-4.6.2.post1-py3-none-any.whl", hash = "sha256:6d170c36fba3bdd840c73d3868c1e777e33676a69c3a72cf0a0d5d6d8009b61d"},
-    {file = "anyio-4.6.2.post1.tar.gz", hash = "sha256:4c8bc31ccdb51c7f7bd251f51c609e038d63e34219b44aa86e47576389880b4c"},
-]
-
-[package.dependencies]
-exceptiongroup = {version = ">=1.0.2", markers = "python_version < \"3.11\""}
-idna = ">=2.8"
-sniffio = ">=1.1"
-typing-extensions = {version = ">=4.1", markers = "python_version < \"3.11\""}
-
-[package.extras]
-doc = ["Sphinx (>=7.4,<8.0)", "packaging", "sphinx-autodoc-typehints (>=1.2.0)", "sphinx-rtd-theme"]
-test = ["anyio[trio]", "coverage[toml] (>=7)", "exceptiongroup (>=1.2.0)", "hypothesis (>=4.0)", "psutil (>=5.9)", "pytest (>=7.0)", "pytest-mock (>=3.6.1)", "trustme", "truststore (>=0.9.1)", "uvloop (>=0.21.0b1)"]
-trio = ["trio (>=0.26.1)"]
-
 [[package]]
 name = "appdirs"
 version = "1.4.4"
@@ -426,63 +404,6 @@ files = [
 [package.extras]
 test = ["pytest (>=6)"]
 
-[[package]]
-name = "h11"
-version = "0.14.0"
-description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"},
-    {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"},
-]
-
-[[package]]
-name = "httpcore"
-version = "1.0.7"
-description = "A minimal low-level HTTP client."
-optional = false
-python-versions = ">=3.8"
-files = [
-    {file = "httpcore-1.0.7-py3-none-any.whl", hash = "sha256:a3fff8f43dc260d5bd363d9f9cf1830fa3a458b332856f34282de498ed420edd"},
-    {file = "httpcore-1.0.7.tar.gz", hash = "sha256:8551cb62a169ec7162ac7be8d4817d561f60e08eaa485234898414bb5a8a0b4c"},
-]
-
-[package.dependencies]
-certifi = "*"
-h11 = ">=0.13,<0.15"
-
-[package.extras]
-asyncio = ["anyio (>=4.0,<5.0)"]
-http2 = ["h2 (>=3,<5)"]
-socks = ["socksio (==1.*)"]
-trio = ["trio (>=0.22.0,<1.0)"]
-
-[[package]]
-name = "httpx"
-version = "0.27.2"
-description = "The next generation HTTP client."
-optional = false
-python-versions = ">=3.8"
-files = [
-    {file = "httpx-0.27.2-py3-none-any.whl", hash = "sha256:7bb2708e112d8fdd7829cd4243970f0c223274051cb35ee80c03301ee29a3df0"},
-    {file = "httpx-0.27.2.tar.gz", hash = "sha256:f7c2be1d2f3c3c3160d441802406b206c2b76f5947b11115e6df10c6c65e66c2"},
-]
-
-[package.dependencies]
-anyio = "*"
-certifi = "*"
-httpcore = "==1.*"
-idna = "*"
-sniffio = "*"
-
-[package.extras]
-brotli = ["brotli", "brotlicffi"]
-cli = ["click (==8.*)", "pygments (==2.*)", "rich (>=10,<14)"]
-http2 = ["h2 (>=3,<5)"]
-socks = ["socksio (==1.*)"]
-zstd = ["zstandard (>=0.18.0)"]
-
 [[package]]
 name = "idna"
 version = "3.10"
@@ -1070,17 +991,6 @@ files = [
     {file = "shiboken6-6.8.0.2-cp39-abi3-win_amd64.whl", hash = "sha256:b11e750e696bb565d897e0f5836710edfb86bd355f87b09988bd31b2aad404d3"},
 ]
 
-[[package]]
-name = "sniffio"
-version = "1.3.1"
-description = "Sniff out which async library your code is running under"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "sniffio-1.3.1-py3-none-any.whl", hash = "sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2"},
-    {file = "sniffio-1.3.1.tar.gz", hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc"},
-]
-
 [[package]]
 name = "strip-ansi"
 version = "0.1.1"
@@ -1189,4 +1099,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.9,<3.13"
-content-hash = "5d1ff28aa04c3a814280e55c0b2a307efe5ca953cd4cb281056c35fd2e53fdf0"
+content-hash = "44356eaeeb3dbe23b922413ee68f8c73c6ce8ebbdee8a80afecb410e060d0382"

pyproject.toml

@@ -57,9 +57,6 @@ pytest-rerunfailures = "^14.0"
 [tool.poetry.group.container.dependencies]
 pymupdf = "1.24.11" # Last version to support python 3.8 (needed for Ubuntu Focal support)
 
-[tool.poetry.group.dev.dependencies]
-httpx = "^0.27.2"
-
 [tool.isort]
 profile = "black"
 skip_gitignore = true