Add support for trusted PDF generation #235
Export (#21) is a must-have feature for the beta; if we limit export to originals, we risk malware exposure once a PDF or other potentially problematic document is copied to another environment.
Qubes has first-class support for the creation of trusted PDFs (repo, technical background) in disposable VMs, which is a good early functional target to integrate.
For simplicity, this could be integrated into the export processing workflow, so that any document that lands in the USB-connected export VM is already sanitized.

User Stories

As a journalist, I want to make sure that a PDF I export to another computer is safe, so that I do not accidentally compromise my news organization's security when sharing submissions from anonymous sources.

Comments

An architectural decision here will be whether or not the client should keep track of processing steps and derivatives, e.g., hold on to trusted PDFs. Processing pipelines can get quite complex (redact -> generate trusted PDF; remove image metadata -> convert file format -> rename, etc.); if the client needs to hold on to all derivatives and the hierarchical and chronological relationship between them, that could get very complicated very fast. If we treat disposable export VMs as the point of alteration of documents, and leave it up to the news organization to organize them in a manner that makes sense outside of the context of the client, that may be much more manageable, and more realistic and in line with their real-world usage. The client, in this model, would be the source of truth for all file originals, but never for derivatives.

^ The UX kid personally favors the latter option. Would love a step-thru on Qubes tomorrow of what their current "Create Trusted PDF" workflow looks like, from File Manager!

For the beta, the current plan of record is to strongly encourage use of print, and to add appropriate security warnings to the export dialogs. We may not be able to do much beyond that. I do think it's worth thinking about a safe way to export documents to a work VM, where such tools can be installed, and from which they can be sent to the USB drive. It would be simplest for this to be As we did with the very first export iteration for the alpha, this could be the kind of process we document manual steps for, and then think about supporting explicitly in the client.

Closing for now in favor of freedomofpress/securedrop-workstation#26; we can open a more clearly scoped issue once we have a plan for implementation.
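The sanitizing export step the issue body sketches (convert every PDF through Qubes' trusted-PDF tooling first, so nothing unsanitized reaches the USB-connected export VM), written out as an added shell example. This is illustration code, not part of securedrop-client or securedrop-workstation. It assumes Qubes' `qvm-convert-pdf` command, which writes `<name>.trusted.pdf` beside the input after rasterizing it in a disposable VM; the `CONVERTER` variable exists only so the converter can be swapped for a stub when testing outside Qubes. The step fails closed: a PDF whose conversion fails is never copied, and the export returns non-zero so the client can surface the failure.

```shell
#!/bin/sh
# Added example (not project code): fail-closed "sanitize before export" step.
# Assumes Qubes' qvm-convert-pdf produces <name>.trusted.pdf next to the input.
# CONVERTER is overridable purely for testing; on Qubes leave it at the default.
CONVERTER="${CONVERTER:-qvm-convert-pdf}"

# sanitize_pdf SRC
#   Runs the converter on SRC and prints the path of the trusted copy.
#   Returns 1 if the converter fails or produced no output.
sanitize_pdf() {
    src="$1"
    trusted="${src%.pdf}.trusted.pdf"
    rm -f "$trusted"                       # never reuse a stale derivative
    "$CONVERTER" "$src" >/dev/null 2>&1 || return 1
    [ -s "$trusted" ] || return 1          # converter exited 0 but wrote nothing
    printf '%s\n' "$trusted"
}

# export_dir SRC_DIR DEST_DIR
#   Copies each file in SRC_DIR to DEST_DIR. PDFs are replaced by their trusted
#   (rasterized) version; earlier *.trusted.pdf derivatives are skipped so they
#   are not exported twice. Files of other types have no converter here and are
#   passed through unchanged, with a warning. Returns 1 if any PDF could not be
#   sanitized; such a PDF is never copied.
export_dir() {
    srcdir="$1"
    destdir="$2"
    mkdir -p "$destdir"
    failed=0
    for f in "$srcdir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.trusted.pdf)
                continue ;;
            *.pdf)
                if t=$(sanitize_pdf "$f"); then
                    cp "$t" "$destdir/$(basename "$f")"
                else
                    echo "refusing to export unsanitized PDF: $f" >&2
                    failed=1
                fi ;;
            *)
                echo "warning: no sanitizer for $f, exporting original" >&2
                cp "$f" "$destdir/" ;;
        esac
    done
    return $failed
}
```

Usage on a Qubes AppVM would be `export_dir ~/submissions /mnt/usb/export`; the caller treats a non-zero status as "do not hand the USB drive over", which is the point of failing closed rather than silently exporting the original.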