Split dangerzone image to a separate repository #1459
Open
Conversation
df4725e to
6ecb6a9
Compare
almet
commented
Apr 10, 2026
almet
commented
Apr 10, 2026
6ecb6a9 to
d6bcf46
Compare
apyrgio
reviewed
Apr 16, 2026
Contributor
apyrgio
left a comment
Amazing work Alexis! My review comments are pretty minor, I think we're very close to merging this.
Comment on lines 86 to 100
| def teleport_dz_module(self, wpipe: IO[bytes]) -> None: | ||
| """Send the dangerzone module to another qube, as a zipfile.""" | ||
| # Grab the absolute file path of the dangerzone module. | ||
| import dangerzone as _dz | ||
| """Send the conversion module to another qube, as a zipfile.""" | ||
| # Grab the absolute file path of the conversion module. | ||
| import conversion as _conv | ||
|
|
||
| _conv_path = Path(_dz.conversion.__file__).parent | ||
| _src_root = Path(_dz.__file__).parent.parent | ||
| _conv_path = Path(_conv.__file__).parent | ||
| temp_file = io.BytesIO() | ||
|
|
||
| with zipfile.ZipFile(temp_file, "w") as z: | ||
| z.mkdir("dangerzone/") | ||
| z.writestr("dangerzone/__init__.py", "") | ||
| for root, _, files in os.walk(_conv_path): | ||
| for file in files: | ||
| if file.endswith(".py"): | ||
| file_path = os.path.join(root, file) | ||
| relative_path = os.path.relpath(file_path, _src_root) | ||
| relative_path = os.path.relpath(file_path, _conv_path.parent) | ||
| z.write(file_path, relative_path) |
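Review bot: in the `with zipfile.ZipFile(...)` block, the archive layout no longer matches the stub package it creates. `relative_path` is now computed against `_conv_path.parent`, so the walked files are stored as `conversion/...`, while the `z.mkdir("dangerzone/")` and `z.writestr("dangerzone/__init__.py", "")` lines shown here still create a `dangerzone/` package that would then be empty. If those two lines stay, either drop them or store the files under `dangerzone/conversion/...`, depending on which import path the receiving qube uses. Separately, `import conversion as _conv` resolves a generic top-level name through `sys.path`, so whichever module wins that lookup is what gets zipped and sent; checking that `_conv_path` is the expected directory before walking it would make that explicit.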
Contributor
Note to self to test this part in Qubes.
apyrgio
reviewed
Apr 16, 2026
The conversion error classes used to live under dangerzone/conversion/ which is the code that runs inside the container. Now that the container image lives in a separate repository, the "client" side needs its own copy of the error types and shared constants (DEFAULT_DPI, INT_BYTES, MAX_PAGES) so it can decode the integer error codes that cross the sandbox boundary. This is now in dangerzone/conversion_errors.py with the ConversionException hierarchy and the constants that the client needs. Isolation provider tests have been modified to use this new location.
d6bcf46 to
29ebe10
Compare
The container image build, the conversion code that runs inside it, and the related CI/Dockerfiles now live in the freedomofpress/dangerzone-image repository. Remove them from this repo and rewire the build pipeline to consume the published container image instead of building it in this repo. This drops the following folders and files: conversion/, container_helpers/, the Dockerfiles, the in-tree image build scripts, and updates ci.yml to call `dangerzone-image prepare-archive` against the published image rather than building it locally.
Now that the container image (and the actual format conversion) lives in a separate repo, this repo only needs to test the client-side interface to the sandbox, not the round-trip conversion of every supported format. Drop the per-format sample documents, their reference PDFs, the external HWP fixtures, the 11k-page compressed fixture, and the test_large_set.py module. Also drop the tests that exercised the now-removed conversion code: test_max_pages_server_enforcement (this is the container repo's concern) and the TestExtraFormats CLI test for HWP.
With the format-specific assets gone, the GUI and isolation provider tests no longer need a non-PDF document to drive their drag-drop and multi-document scenarios. Also refresh sample-pdf.pdf and its reference output to the latest version.
Set QT_QPA_PLATFORM=offscreen in tests/gui/conftest.py so the GUI test suite renders without a display server. Add an `--onscreen` opt-out for local debugging. With offscreen rendering in place, the CI job no longer needs to install xvfb, start an Xvfb server, or wrap the test command in xvfb-run. Drop all of that and pass `--no-gui` to dev_scripts/env.py so it doesn't try to forward the (now nonexistent) host X socket into the container.
Mark the container-backed tests (tests/isolation_provider/test_container.py and TestCliConversion in tests/test_cli.py) and the GUI tests as belonging to dedicated xdist groups so pytest-xdist runs each group on a single worker. This avoids contention over the container runtime and the offscreen Qt platform when running tests in parallel. Also register the xdist_group marker via addinivalue_line so it doesn't trigger PytestUnknownMarkWarning when pytest-xdist isn't installed (the marker is then a no-op), and group otherwise-ungrouped tests by file in tests/conftest.py so they never accidentally land on the container or gui worker.
The DangerzoneGui.__init__ logic that orders MIME handlers walks $XDG_DATA_DIRS to find .desktop files. Pin XDG_DATA_DIRS to a known value in the three GUI logic tests that exercise this path so the tests don't pick up arbitrary entries from the developer's or CI runner's environment.
Bump vfkit to 0.6.3 (now signed upstream, so use vfkit-unsigned and relax the version pin to >=0.6.1) and cosign to 2.6.3 in mazette.lock, and refresh the mazette config_checksum. Regenerate poetry.lock with Poetry 2.3, which adds platform/group markers to a couple of entries.
16c9cd1 to
f9bc177
Compare
Member
Author
I've fixed the CI issue doing the E2E update, and I did this by changing how the old-latest images are tagged on the dangerzone-image repository. It now tags Last item pending is the test on Qubes, and we should be good to merge!
Modify the RPM package now that dangerzone-insecure-converter-qubes covers the server-side aspect of the conversion.
Now that the server-side components are not bundled in the Dangerzone repo, we need to slightly modify the teleport trick we did. The change is that we no longer import the `conversion` module, but we look for the source of the `dangerzone-insecure-converter` module via the `DANGERZONE_INSECURE_CONVERTER_PATH` envvar. Note that this is a dev-only argument.
Update the build instructions for Qubes, now that we have a separate component for the server-side part of the conversion.
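The teleport step described in the commit messages above, sketched as an added example that is not Dangerzone's own code: it reads the source directory from `DANGERZONE_INSECURE_CONVERTER_PATH` (the only name taken from the page) and zips just the regular `.py` files under the package name. The function names, the `converter_pkg` package and the symlink-skipping check are assumptions made for illustration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

ENV_VAR = "DANGERZONE_INSECURE_CONVERTER_PATH"  # name taken from the commit message


def resolve_source_dir(env=os.environ) -> Path:
    """Return the package directory named by ENV_VAR, or fail loudly."""
    raw = env.get(ENV_VAR)
    if not raw:
        raise RuntimeError(f"{ENV_VAR} is not set")
    path = Path(raw).resolve()
    if not (path / "__init__.py").is_file():
        raise RuntimeError(f"{path} is not a Python package")
    return path


def zip_python_sources(pkg_dir: Path) -> bytes:
    """Zip the .py files of pkg_dir under '<pkg name>/...', skipping symlinks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for root, dirs, files in os.walk(pkg_dir, followlinks=False):
            dirs.sort()  # deterministic archive order
            for name in sorted(files):
                file_path = Path(root) / name
                # Ship source files only; a symlink could point outside the package.
                if name.endswith(".py") and not file_path.is_symlink():
                    arcname = file_path.relative_to(pkg_dir.parent).as_posix()
                    z.write(file_path, arcname)
    return buf.getvalue()


def demo() -> list[str]:
    """Build a constructed package in a temp dir and return the archive names."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp).resolve() / "converter_pkg"  # hypothetical package name
        (pkg / "sub").mkdir(parents=True)
        (pkg / "__init__.py").write_text("")
        (pkg / "sub" / "errors.py").write_text("X = 1\n")
        (pkg / "notes.txt").write_text("not shipped")
        os.symlink("/etc/hostname", pkg / "link.py")  # must not end up in the zip
        src = resolve_source_dir({ENV_VAR: str(pkg)})
        return zipfile.ZipFile(io.BytesIO(zip_python_sources(src))).namelist()


if __name__ == "__main__":
    print(demo())
```

Archive names are computed against the package's parent directory, so the receiving side imports the code under the package's own name.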
Note
These changes come together with the https://github.com/freedomofpress/dangerzone-image repository, so be sure to review the code there as well.
This branch removes the in-tree container image (build, conversion code, Dockerfiles) and rewires the client-side code to consume the published image from the new freedomofpress/dangerzone-image repository. The bulk of the diff is deletions plus the test/CI changes, which don't test every supported format locally (it's done on the dangerzone-image repo now).
Look at the individual commits for more details.
Worth noting: this makes the tests stop popping on our dev machines, by setting the `QT_QPA_PLATFORM` env var to `offscreen` (there is still the possibility to pass the `--onscreen` flag to pytest if required).