[Pkg-kde-extras] Bug#1028507: digikam: downloads binary blobs from the internet

Gregor Riepl onitake at gmail.com
Tue Jul 18 11:38:21 BST 2023


> > Could that please be disabled?
> 
> It's coming in version 8.
> 
> > a) It's a security risk. It's absolutely unclear who controls these files
> >    (at least not debian).
> 
> I hear your concerns.  These files are data that used to be shipped as part of 
> digikam and were later unbundled, which led to the download prompt.  You can 
> read through the upstream bug for a full discussion. 

That fixes the immediate issue, but it still doesn't answer the question 
if it's legitimate that an application packaged for the Debian main 
archive would ask for additional downloads from a 3rd party server to 
enable full functionality.

Would it be possible to create a separate Debian package with this data 
and add it as a Recommends: dependency?
I believe there is enough precedent for large optional companion data 
packages in Debian. (0ad-data and kicad-packages3d come to mind)
This would make it much clearer what the user is getting and from whom, 
and it would reduce the burden on the upstream CDN.


