Dangerzone 0.7.0
This release includes various new features, stability improvements, and security fixes. If you are on a Mac or PC you should additionally ensure that the Docker Desktop application is up to date.
The highlights are:
- Improved our document processing sandbox with gVisor

  Our original sandbox, where we processed untrusted documents, relied on the container runtimes that Docker and Podman provided. These runtimes are battle-tested, and Dangerzone further restricted the spawned containers to as few privileges as possible. Still, the spawned container had direct access to the Linux kernel, which has a large, albeit not easily exploitable, attack surface.

  Starting with 0.7.0, we use gVisor as a sandbox between the conversion process and the user's system, Linux kernel included. gVisor is written in a memory-safe language (Go), has a significantly smaller feature set than the Linux kernel, and reinterprets every system call that the container makes in a safer way. We believe that this integration empowers our users across all platforms (Windows, macOS, and Linux) to sanitize untrusted documents with even more confidence. We want to thank @EtiennePerot, an engineer on the gVisor project, who was the driving force behind this integration (#590).
- Drag-and-drop interface

  Dangerzone will undergo UX improvements in the next releases, in order to make it easier to work with and enable some workflows that were previously not possible. A first taste of these improvements is a new drag-and-drop interface, which allows users to simply select files from their file manager and drag them to Dangerzone in order to convert them (#752).
- Dropped support for Fedora 38, which is EOL
- Community contributions:
For a full list of the changes, see our changelog.