Package: digikam
Version: 4:7.9.0-1+b1
Severity: important
Hey.

Every time digikam starts, a dialog pops up asking to download some engines for red-eye removal and face detection from the internet, which would cause them to be stored in /home/calestyo/.local/share/digikam/

Could that please be disabled?

a) It's a security risk. It's absolutely unclear who controls these files (at least not Debian). Further, it would be code that circumvents the package management system and thus any security support or further things like checking for updates via tools like check_apt. Any code that's not distributed via Debian archives makes it always easier for an attacker to target only specific victims (rather than all, which would be the case if all users are guaranteed to get the same code), which makes it less likely to spot any breaches. Code downloaders, even if they do e.g. signature verification, are actually much more difficult to do properly than just verifying a signature (see downgrade or replay attacks) - things which are all handled by the package management but perhaps not by any program's own downloader.

b) If the files are only available as blobs, they aren't DFSG compatible, so AFAIU, if digikam still did so, wouldn't it no longer qualify for main?

c) Other packages in Debian, e.g. Firefox, disable any such automatic downloads of security-wise at best questionable code downloaders or "self-updaters".

I also noticed that digikam, even if not downloading the stuff, creates:
/home/user/.local/share/digikam/QtWebEngine/Default/blob_storage/
which also sounds a bit fishy.

Thanks,
Chris.