[Pkg-kde-extras] Bug#1028507: digikam: downloads binary blobs from the internet
Christoph Anton Mitterer
calestyo at scientia.org
Thu Jan 12 05:24:07 GMT 2023
Package: digikam
Version: 4:7.9.0-1+b1
Severity: important
Hey.
Every time digikam is started, a dialog pops up asking to download
some engines for redeye removal and face detection from the internet,
which would cause them to be stored in /home/calestyo/.local/share/digikam/
Could that please be disabled?
a) It's a security risk. It's absolutely unclear who controls these files
(at least not Debian).
Further it would be code that circumvents the package management system
and thus any security support or further things like checking for updates
via tools like check_apt.
Any code that's not distributed via Debian archives makes it always
easier for an attacker to target only specific victims (rather than all
which would be given if all users are guaranteed to get the same code),
which makes it less likely to spot any breaches.
Code downloaders, even if they do e.g. signature verifications, are actually
much more difficult to do properly than just verifying a signature
(see downgrade or replay attacks) - things which are all handled by the
package management but perhaps not by any program's own downloaders.
b) If the files are only available as blobs, they aren't DFSG compatible,
so AFAIU, if digikam still did so, wouldn't it no longer qualify
for main?
c) Other packages in Debian, e.g. Firefox, disable any such automatic downloads
of security-wise at best questionable code downloaders or "self-updaters".
I also noticed that digikam, even if not downloading the stuff, creates:
/home/user/.local/share/digikam/QtWebEngine/Default/blob_storage/
which also sounds a bit fishy.
Thanks,
Chris.
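As an added illustration of the downgrade/replay point raised above (example code, not from digikam, Debian or the reporter): a download check where the signature verifies but a replayed, genuinely signed older manifest is still rejected. The HMAC key stands in for a publisher signature and the manifest fields are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder standing in for the publisher's signing key; a real
# downloader would verify an asymmetric signature against a pinned public key.
PUBLISHER_KEY = b"placeholder-publisher-key"


def _canonical(manifest: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict) -> str:
    return hmac.new(PUBLISHER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()


def make_manifest(blob: bytes, version: int) -> dict:
    # Constructed sample manifest of the kind a publisher would ship.
    return {"engine": "face-detection", "version": version,
            "sha256": hashlib.sha256(blob).hexdigest()}


def check_download(manifest: dict, signature: str, blob: bytes,
                   installed_version: int) -> tuple:
    """Decide whether a fetched engine blob may be installed.

    Returns (accepted, reason). A valid signature alone is not enough: whoever
    can serve old, genuinely signed files could roll a user back to a
    vulnerable version, so the manifest version must be newer than what is
    installed, and the blob itself must match the hash the manifest pins.
    """
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "signature does not verify"
    if manifest["version"] <= installed_version:
        return False, "downgrade/replay: version %d is not newer than installed %d" % (
            manifest["version"], installed_version)
    if hashlib.sha256(blob).hexdigest() != manifest["sha256"]:
        return False, "blob hash does not match the signed manifest"
    return True, "accepted"
```

A package manager performs these version and hash checks centrally for every package; an application-specific downloader has to reimplement each of them itself.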