> Could that please be disabled?

It's coming in version 8.

> a) It's a security risk. It's absolutely unclear who controls these files
>    (at least not debian).

I hear your concerns. These files are data that used to be shipped as part of digikam and were later unbundled, which led to the download prompt. You can read through the upstream bug for a full discussion.

That fixes the immediate issue, but it still doesn't answer the question if it's legitimate that an application packaged for the Debian main archive would ask for additional downloads from a 3rd party server to enable full functionality.

Would it be possible to create a separate Debian package with this data and add it as a Recommends: dependency? I believe there is enough precedent for large optional companion data packages in Debian. (0ad-data and kicad-packages3d come to mind) This would make it much clearer what the user is getting and from whom, and it would reduce the burden on the upstream CDN.
