Open deeplow opened 3 months ago
A very primitive implementation of this would be to essentially create a "print to PDF" printer which then sends it off for printing. UX messaging around errors may present some challenges, though.
I agree it would be great to print from sd-viewer and/or to have sd-viewer not be a "dead end". Somewhere (maybe in the "print architecture" ticket, or maybe in its own epic) we should figure out a better overall data flow that allows material to flow through the VMs, whether that's a sanitized print rpc that we've talked about occasionally upstream, or an 'export -> dz/sanitize -> print' workflow, or the "briefcase" / one-disp-per-source idea that you had a few years back @deeplow, or what :)
Just noticed that was also mentioned in the SD Qubes Summit talk from 2022:
This adds the risk that a malicious document could export / print itself. Since a malicious file could potentially compromize sd-viewer, it follows that it could order its printing.
Added a potential threat with this approach.
Description
Some may find confusing the fact that sd-viewer has a print menu, but doesn't actually allow you to print (https://github.com/freedomofpress/securedrop-workstation/issues/278). What it we made it work?
How will this impact SecureDrop/SecureDrop Workstation users?
Improved usability since users could print right away the documents they find worth printing.
How would this affect the SecureDrop Workstation threat model?
If implemented properly (i.e. unidirection communication from sd-viewer to the print vm), it shouldn't add any more risks.This adds the risk that a malicious document could export / print itself. Since a malicious file could potentially compromize sd-viewer, it follows that it could order its printing.User Stories
As as journalist I would like to be able to print documents immediately.