freedomofpress · micahflee · Jun 22, 2021 · Jun 17, 2021 · Jun 17, 2021 · Jun 17, 2021
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -81,37 +81,6 @@ jobs:
             package_cloud push firstlookmedia/code/ubuntu/groovy deb_dist/dangerzone_${VERSION}-1_all.deb
             package_cloud push firstlookmedia/code/ubuntu/groovy deb_dist/dangerzone_${VERSION}-1.dsc
 
-  build-ubuntu-focal:
-    docker:
-      - image: ubuntu:20.04
-    steps:
-      - run:
-          name: Install dependencies
-          command: |
-            export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
-            apt-get update
-            apt-get install -y git ssh ruby-dev rubygems python-all dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
-            gem install -N rake
-            gem install -N package_cloud
-      - checkout
-      - run:
-          name: Create the .deb package
-          command: |
-            ./install/linux/build_deb.py
-            dpkg -i deb_dist/dangerzone_*-1_all.deb
-      - run:
-          name: Deploy to packagecloud.io
-          # Linux Mint 20 (ulyana) and 20.1 (ulyssa) are based on Ubuntu 20.04 LTS
-          # https://en.wikipedia.org/wiki/Linux_Mint_version_history
-          command: |
-            VERSION=$(cat share/version.txt)
-            package_cloud push firstlookmedia/code/ubuntu/focal deb_dist/dangerzone_${VERSION}-1_all.deb
-            package_cloud push firstlookmedia/code/ubuntu/focal deb_dist/dangerzone_${VERSION}-1.dsc
-            package_cloud push firstlookmedia/code/linuxmint/ulyana deb_dist/dangerzone_${VERSION}-1_all.deb
-            package_cloud push firstlookmedia/code/linuxmint/ulyana deb_dist/dangerzone_${VERSION}-1.dsc
-            package_cloud push firstlookmedia/code/linuxmint/ulyssa deb_dist/dangerzone_${VERSION}-1_all.deb
-            package_cloud push firstlookmedia/code/linuxmint/ulyssa deb_dist/dangerzone_${VERSION}-1.dsc
-
   build-debian-bullseye:
     docker:
       - image: debian:bullseye
@@ -136,30 +105,6 @@ jobs:
             package_cloud push firstlookmedia/code/debian/bullseye deb_dist/dangerzone_${VERSION}-1_all.deb
             package_cloud push firstlookmedia/code/debian/bullseye deb_dist/dangerzone_${VERSION}-1.dsc
 
-  build-debian-buster:
-    docker:
-      - image: debian:buster
-    steps:
-      - run:
-          name: Install dependencies
-          command: |
-            apt-get update
-            apt-get install -y git ssh ruby-dev rubygems python-all dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
-            gem install --no-ri --no-rdoc rake
-            gem install --no-ri --no-rdoc package_cloud
-      - checkout
-      - run:
-          name: Create the .deb package
-          command: |
-            ./install/linux/build_deb.py
-            dpkg -i deb_dist/dangerzone_*-1_all.deb
-      - run:
-          name: Deploy to packagecloud.io
-          command: |
-            VERSION=$(cat share/version.txt)
-            package_cloud push firstlookmedia/code/debian/buster deb_dist/dangerzone_${VERSION}-1_all.deb
-            package_cloud push firstlookmedia/code/debian/buster deb_dist/dangerzone_${VERSION}-1.dsc
-
   build-fedora-34:
     docker:
       # The package_cloud ruby gem doesn't work properly when installed in fedora 34,
@@ -252,24 +197,12 @@ workflows:
               only: /^v.*/
             branches:
               ignore: /.*/
-      - build-ubuntu-focal:
-          filters:
-            tags:
-              only: /^v.*/
-            branches:
-              ignore: /.*/
       - build-debian-bullseye:
           filters:
             tags:
               only: /^v.*/
             branches:
               ignore: /.*/
-      - build-debian-buster:
-          filters:
-            tags:
-              only: /^v.*/
-            branches:
-              ignore: /.*/
       - build-fedora-34:
           filters:
             tags:

diff --git a/BUILD.md b/BUILD.md
@@ -5,11 +5,9 @@
 Install dependencies:
 
 ```sh
-sudo apt install -y dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
+sudo apt install -y podman dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
 ```
 
-You also need docker, either by installing the [Docker snap package](https://snapcraft.io/docker), installing the `docker.io` package, or by installing `docker-ce` by following [these instructions for Ubuntu](https://docs.docker.com/install/linux/docker-ce/ubuntu/) or [for Debian](https://docs.docker.com/install/linux/docker-ce/debian/).
-
 Run from source tree:
 
 ```sh
@@ -27,11 +25,9 @@ Create a .deb:
 Install dependencies:
 
 ```sh
-sudo dnf install -y rpm-build python3 python3-setuptools python3-pyside2 python3-appdirs python3-click python3-pyxdg python3-requests python3-colorama
+sudo dnf install -y rpm-build podman python3 python3-setuptools python3-pyside2 python3-appdirs python3-click python3-pyxdg python3-requests python3-colorama
 ```
 
-You also need docker, either by installing the `docker` package, or by installing `docker-ce` by following [these instructions](https://docs.docker.com/install/linux/docker-ce/fedora/).
-
 Run from source tree:
 
 ```sh
@@ -46,6 +42,8 @@ Create a .rpm:
 
 ## macOS
 
+Install [Docker Desktop](https://www.docker.com/products/docker-desktop).
+
 Install [email protected] from Homebrew:
 
 ```
@@ -87,6 +85,8 @@ The output is in the `dist` folder.
 
 ## Windows
 
+Install [Docker Desktop](https://www.docker.com/products/docker-desktop).
+
 These instructions include adding folders to the path in Windows. To do this, go to Start and type "advanced system settings", and open "View advanced system settings" in the Control Panel. Click Environment Variables. Under "System variables" double-click on Path. From there you can add and remove folders that are available in the PATH.
 
 Download Python 3.9.0, 32-bit (x86) from https://www.python.org/downloads/release/python-390/. I downloaded python-3.9.0.exe. When installing it, make sure to check the "Add Python 3.9 to PATH" checkbox on the first page of the installer.

diff --git a/dangerzone/cli.py b/dangerzone/cli.py
@@ -9,7 +9,7 @@
 
 def print_header(s):
     click.echo("")
-    click.echo(Style.BRIGHT + Fore.LIGHTWHITE_EX + s)
+    click.echo(Style.BRIGHT + s)
 
 
 def exec_container(global_common, args):
@@ -22,7 +22,7 @@ def exec_container(global_common, args):
             # Hack to add colors to the command executing
             if line.startswith(b"> "):
                 print(
-                    Fore.YELLOW + "> " + Fore.LIGHTCYAN_EX + line.decode()[2:],
+                    Style.DIM + "> " + Style.NORMAL + Fore.CYAN + line.decode()[2:],
                     end="",
                 )
             else:

diff --git a/dangerzone/common.py b/dangerzone/common.py
@@ -2,6 +2,7 @@
 import stat
 import platform
 import tempfile
+import appdirs
 
 
 class Common(object):
@@ -11,26 +12,16 @@ class Common(object):
 
     def __init__(self):
         # Temporary directory to store pixel data and safe PDFs
-        if platform.system() == "Windows":
-            self.pixel_dir = tempfile.TemporaryDirectory(prefix="dangerzone-pixel-")
-            self.safe_dir = tempfile.TemporaryDirectory(prefix="dangerzone-safe-")
-        elif platform.system() == "Darwin":
-            # In macOS, temp dirs must be in /tmp (or a few other paths) for Docker to mount them
-            self.pixel_dir = tempfile.TemporaryDirectory(
-                prefix="/tmp/dangerzone-pixel-"
-            )
-            self.safe_dir = tempfile.TemporaryDirectory(prefix="/tmp/dangerzone-safe-")
-        else:
-            # In Linux, temp dirs must be in the homedir for the snap package version of Docker to mount them
-            cache_dir = os.path.expanduser("~/.cache/dangerzone")
-            os.makedirs(cache_dir, exist_ok=True)
-            self.pixel_dir = tempfile.TemporaryDirectory(
-                prefix=os.path.join(cache_dir, "pixel-")
-            )
-            self.safe_dir = tempfile.TemporaryDirectory(
-                prefix=os.path.join(cache_dir, "safe-")
-            )
+        cache_dir = appdirs.user_cache_dir("dangerzone")
+        os.makedirs(cache_dir, exist_ok=True)
+        self.pixel_dir = tempfile.TemporaryDirectory(
+            prefix=os.path.join(cache_dir, "pixel-")
+        )
+        self.safe_dir = tempfile.TemporaryDirectory(
+            prefix=os.path.join(cache_dir, "safe-")
+        )
 
+        try:
             # Make the folders world-readable to ensure that the container has permission
             # to access it even if it's owned by root or someone else
             permissions = (
@@ -44,6 +35,8 @@ def __init__(self):
             )
             os.chmod(self.pixel_dir.name, permissions)
             os.chmod(self.safe_dir.name, permissions)
+        except:
+            pass
 
         # Name of input and out files
         self.document_filename = None

diff --git a/dangerzone/container.py b/dangerzone/container.py
@@ -4,13 +4,21 @@
 import sys
 import pipes
 import shutil
+import os
 
 # What is the container runtime for this platform?
 if platform.system() == "Darwin":
-    container_runtime = "/usr/local/bin/docker"
+    container_tech = "docker"
+    container_runtime = shutil.which("docker")
 elif platform.system() == "Windows":
+    container_tech = "docker"
     container_runtime = shutil.which("docker.exe")
+elif platform.system() == "Linux":
+    container_tech = "podman"
+    container_runtime = shutil.which("podman")
 else:
+    print("Unknown operating system, defaulting to Docker")
+    container_tech = "docker"
     container_runtime = shutil.which("docker")
 
 # Define startupinfo for subprocesses
@@ -28,6 +36,17 @@ def exec_container(args):
     print("> " + args_str)
     sys.stdout.flush()
 
+    # In Tails, tell the container runtime to download over Tor
+    if (
+        platform.system() == "Linux"
+        and os.getlogin() == "amnesia"
+        and os.getuid() == 1000
+    ):
+        env = os.environ.copy()
+        env["HTTP_PROXY"] = "socks5://127.0.0.1:9050"
+    else:
+        env = None
+
     with subprocess.Popen(
         args,
         stdin=None,
@@ -36,6 +55,7 @@ def exec_container(args):
         bufsize=1,
         universal_newlines=True,
         startupinfo=startupinfo,
+        env=env,
     ) as p:
         p.communicate()
         return p.returncode
@@ -51,7 +71,7 @@ def container_main():
 
 
 @container_main.command()
-@click.option("--container-name", default="flmcode/dangerzone")
+@click.option("--container-name", default="docker.io/flmcode/dangerzone")
 def ls(container_name):
     """docker image ls [container_name]"""
     sys.exit(exec_container(["image", "ls", container_name]))
@@ -60,37 +80,36 @@ def ls(container_name):
 @container_main.command()
 def pull():
     """docker pull flmcode/dangerzone"""
-    sys.exit(exec_container(["pull", "flmcode/dangerzone"]))
+    sys.exit(exec_container(["pull", "docker.io/flmcode/dangerzone"]))
 
 
 @container_main.command()
 @click.option("--document-filename", required=True)
 @click.option("--pixel-dir", required=True)
-@click.option("--container-name", default="flmcode/dangerzone")
+@click.option("--container-name", default="docker.io/flmcode/dangerzone")
 def documenttopixels(document_filename, pixel_dir, container_name):
     """docker run --network none -v [document_filename]:/tmp/input_file -v [pixel_dir]:/dangerzone [container_name] document-to-pixels"""
-    sys.exit(
-        exec_container(
-            [
-                "run",
-                "--network",
-                "none",
-                "--security-opt=no-new-privileges:true",
-                "-v",
-                f"{document_filename}:/tmp/input_file",
-                "-v",
-                f"{pixel_dir}:/dangerzone",
-                container_name,
-                "document-to-pixels",
-            ]
-        )
-    )
+    args = ["run", "--network", "none"]
+
+    # docker uses --security-opt, podman doesn't
+    if container_tech == "docker":
+        args += ["--security-opt=no-new-privileges:true"]
+
+    args += [
+        "-v",
+        f"{document_filename}:/tmp/input_file",
+        "-v",
+        f"{pixel_dir}:/dangerzone",
+        container_name,
+        "document-to-pixels",
+    ]
+    sys.exit(exec_container(args))
 
 
 @container_main.command()
 @click.option("--pixel-dir", required=True)
 @click.option("--safe-dir", required=True)
-@click.option("--container-name", default="flmcode/dangerzone")
+@click.option("--container-name", default="docker.io/flmcode/dangerzone")
 @click.option("--ocr", required=True)
 @click.option("--ocr-lang", required=True)
 def pixelstopdf(pixel_dir, safe_dir, container_name, ocr, ocr_lang):

diff --git a/dangerzone/global_common.py b/dangerzone/global_common.py
@@ -384,7 +384,7 @@ def get_container_name(self):
         if self.custom_container:
             return self.custom_container
         else:
-            return "flmcode/dangerzone"
+            return "docker.io/flmcode/dangerzone"
 
     def get_resource_path(self, filename):
         if getattr(sys, "dangerzone_dev", False):
@@ -439,18 +439,11 @@ def get_dangerzone_container_path(self):
                 return "/usr/bin/dangerzone-container"
 
     def exec_dangerzone_container(self, args):
-        # Prefix the args with the retainer runtime, and in the case linux when the user isn't in the docker group, pkexec
-        if platform.system() == "Linux":
-            if self.settings.get("linux_prefers_typing_password"):
-                args = ["/usr/bin/pkexec", self.dz_container_path] + args
-            else:
-                args = [self.dz_container_path] + args
-        else:
-            args = [self.dz_container_path] + args
+        args = [self.dz_container_path] + args
+        args_str = " ".join(pipes.quote(s) for s in args)
+        print(Style.DIM + "> " + Style.NORMAL + Fore.CYAN + args_str)
 
         # Execute dangerzone-container
-        args_str = " ".join(pipes.quote(s) for s in args)
-        print(Fore.YELLOW + "> " + Fore.CYAN + args_str)
         return subprocess.Popen(
             args,
             startupinfo=self.get_subprocess_startupinfo(),

diff --git a/dangerzone/gui/__init__.py b/dangerzone/gui/__init__.py
@@ -71,18 +71,6 @@ def gui_main(custom_container, filename):
     # Allow Ctrl-C to smoothly quit the program instead of throwing an exception
     signal.signal(signal.SIGINT, signal.SIG_DFL)
 
-    # If we're using Linux and docker, see if we need to add the user to the docker group or if the user prefers typing their password
-    if platform.system() == "Linux":
-        if not gui_common.ensure_docker_group_preference():
-            return
-        try:
-            if not gui_common.ensure_docker_service_is_started():
-                click.echo("Failed to start docker service")
-                return
-        except AuthorizationFailed:
-            click.echo("Authorization failed")
-            return
-
     # See if we need to install Docker...
     if (platform.system() == "Darwin" or platform.system() == "Windows") and (
         not is_docker_installed() or not is_docker_ready(global_common)