solidprivacy-nl commited on
Commit
ef6d204
·
1 Parent(s): 11b1d8b

Align packaging decision with final-phase installer deferral

Browse files
Files changed (1) hide show
  1. DESKTOP_PACKAGING_DECISION.md +52 -341
DESKTOP_PACKAGING_DECISION.md CHANGED
@@ -3,291 +3,68 @@
3
  Status: completed decision/documentation-only
4
  Repository: `solidprivacy-nl/scrub`
5
 
6
- ## 1. Decision
7
 
8
- The recommended first local MVP distribution form is:
9
 
10
  ```text
11
- Portable Python folder with the existing local Streamlit launcher
12
- ```
13
-
14
- This means Scrub is distributed as a controlled local folder containing the repository/app code, documented dependency setup and a Windows-oriented launcher wrapper. The user or IT operator starts the app locally, bound to `127.0.0.1`, and opens the local browser UI.
15
-
16
- The recommended next concrete packaging proof, only if the coordinator approves it, is:
17
-
18
- ```text
19
- WP48B or WP49B — concrete portable/PyInstaller packaging proof
20
- ```
21
-
22
- The recommended later professional desktop direction is:
23
-
24
- ```text
25
- Tauri shell with reusable Python core, unless team capability or frontend requirements make Electron preferable
26
- ```
27
-
28
- A real MSI remains a future managed-deployment option only after packaging, signing, update, rollback, offline, network, temp-file and support boundaries have been validated.
29
-
30
- ## 2. Why portable Python folder first?
31
-
32
- A portable Python folder is the best first local MVP distribution form because it has the lowest architecture and security risk at this stage.
33
-
34
- It:
35
-
36
- - reuses the current Python/Streamlit app;
37
- - avoids a frontend rewrite;
38
- - avoids an opaque executable bundle during early privacy validation;
39
- - avoids installer/elevation/admin behavior;
40
- - keeps files and dependencies easier to inspect;
41
- - matches the WP46/WP47/WP48 local runtime path;
42
- - supports local confidential-processing validation without claiming production maturity.
43
-
44
- For a professional privacy product, this is important: the first serious claim should be that the app can run locally and that the local boundary is understandable and testable. It should not prematurely claim to be a finished secure desktop product.
45
-
46
- ## 3. Suitability for jurists and care organizations
47
-
48
- ### Controlled MVP / pilot
49
-
50
- For early legal and care pilots, the best fit is:
51
-
52
- ```text
53
- Portable Python folder managed by the coordinator or local IT
54
- ```
55
-
56
- Reason:
57
-
58
- - IT can inspect the folder and command before use;
59
- - no installer rights are required by the app packaging itself;
60
- - no production installer claim is made;
61
- - no automatic update channel is introduced;
62
- - confidential-processing instructions can stay explicit;
63
- - local-only behavior can be validated before organizational rollout.
64
-
65
- This is suitable for:
66
-
67
- - small internal pilots;
68
- - trusted testers;
69
- - local-first workflow validation;
70
- - demonstrations with synthetic or approved non-confidential data;
71
- - IT/security review of the local runtime boundary.
72
-
73
- It is not suitable yet as a broad unmanaged end-user deployment.
74
-
75
- ### Professional organizational deployment
76
-
77
- For jurists and care organizations at production scale, the likely future need is:
78
-
79
- ```text
80
- signed managed installer or enterprise deployment package
81
- ```
82
-
83
- But this should come later. Before production deployment, the project needs decisions on:
84
-
85
- - code signing;
86
- - update policy;
87
- - rollback policy;
88
- - offline dependency/model assets;
89
- - local storage location;
90
- - Scrub Key protection model;
91
- - logging and diagnostics;
92
- - endpoint management restrictions;
93
- - support process without sharing real documents;
94
- - managed deployment and uninstall behavior.
95
-
96
- ## 4. Option comparison
97
-
98
- | Option | Fit for first MVP | Fit for professional future | Security / management risk | Main reason |
99
- | --- | --- | --- | --- | --- |
100
- | Portable Python folder | Best | Limited but useful for controlled pilots | Lowest current risk | Transparent, inspectable, no installer/elevation, reuses current app |
101
- | PyInstaller | Good next proof, not first default | Possible bridge to Windows distribution | Medium | Hides Python setup, but can create dependency, antivirus, temp-file and signing issues |
102
- | Tauri | Too early for MVP | Best later professional shell candidate | Medium, after architecture work | Smaller desktop shell, good for future document-centric frontend, but requires Rust/frontend/backend design |
103
- | Electron | Too early for MVP | Viable later alternative | Higher | Mature and flexible, but heavier footprint and larger dependency/security surface |
104
- | MSI later | Out of scope now | Likely enterprise option after proof | High if premature; acceptable after signing/update policy | Managed deployment needs packaging maturity, signing, update/rollback and IT review |
105
-
106
- ## 5. Portable Python folder
107
-
108
- Description:
109
-
110
- ```text
111
- A local folder with the existing app, Python dependency setup, and launcher scripts.
112
- ```
113
-
114
- Recommended role:
115
-
116
- ```text
117
- First MVP local distribution and controlled pilot path.
118
- ```
119
-
120
- Benefits:
121
-
122
- - fastest route from current codebase to local-first validation;
123
- - easiest to inspect and debug;
124
- - no hidden packaging layer;
125
- - no installer behavior;
126
- - no admin/elevation requirement from packaging itself;
127
- - no new runtime framework;
128
- - no Streamlit UI changes;
129
- - no Docker/Hugging Face startup changes;
130
- - no cloud document processing.
131
-
132
- Risks:
133
-
134
- - less polished for non-technical users;
135
- - dependency setup can be fragile;
136
- - support burden remains higher than a signed installer;
137
- - does not prove full offline behavior by itself;
138
- - not ideal for broad unmanaged distribution.
139
-
140
- Decision:
141
-
142
- ```text
143
- Use this as the first local MVP distribution form.
144
- ```
145
-
146
- ## 6. PyInstaller
147
-
148
- Description:
149
-
150
- ```text
151
- Bundle Python app/dependencies into a Windows-friendly folder or executable.
152
- ```
153
-
154
- Recommended role:
155
-
156
- ```text
157
- Next approved packaging proof, not automatic production packaging.
158
- ```
159
-
160
- Benefits:
161
-
162
- - hides Python setup from end users;
163
- - can produce a more recognizable Windows launch experience;
164
- - can help validate bundled dependencies and local assets;
165
- - can be a bridge toward a future signed installer.
166
-
167
- Risks:
168
-
169
- - NLP/document/PDF dependencies may be hard to bundle;
170
- - model/data asset paths need careful testing;
171
- - one-file mode may create temp-file behavior that requires privacy validation;
172
- - antivirus false positives are possible;
173
- - signing and update policies remain unresolved;
174
- - still does not solve final professional UX if Streamlit remains the UI.
175
-
176
- Decision:
177
-
178
- ```text
179
- Use only as a separately approved proof package, preferably one-folder first. Do not jump directly to one-file or production installer claims.
180
- ```
181
-
182
- ## 7. Tauri
183
-
184
- Description:
185
-
186
- ```text
187
- Native desktop shell with web frontend and local backend integration.
188
- ```
189
-
190
- Recommended role:
191
-
192
- ```text
193
- Preferred later professional desktop direction if Scrub moves beyond Streamlit into a document-centric review interface.
194
- ```
195
-
196
- Benefits:
197
-
198
- - good fit for a polished desktop product;
199
- - smaller desktop-shell posture than Electron in many cases;
200
- - can support a future document-centric review UI;
201
- - can give better control over local file dialogs, windows and user flow;
202
- - can keep Python core local if backend boundaries are designed carefully.
203
-
204
- Risks:
205
-
206
- - requires frontend architecture work;
207
- - requires Rust/Tauri build capability;
208
- - Python backend/sidecar integration must be designed securely;
209
- - installer/signing/update policies are still needed;
210
- - premature adoption could slow privacy/core validation.
211
-
212
- Decision:
213
-
214
- ```text
215
- Keep as preferred later professional shell candidate, not MVP packaging.
216
- ```
217
-
218
- ## 8. Electron
219
-
220
- Description:
221
-
222
- ```text
223
- Desktop shell using Chromium/Node with a web frontend and local backend bridge.
224
- ```
225
-
226
- Recommended role:
227
-
228
- ```text
229
- Later alternative to Tauri if team skills, frontend requirements or ecosystem needs outweigh footprint and dependency concerns.
230
  ```
231
 
232
- Benefits:
233
 
234
- - mature desktop packaging ecosystem;
235
- - strong frontend flexibility;
236
- - many developers know web/Electron tooling;
237
- - good fit for rich document-centric interfaces.
238
 
239
- Risks:
240
 
241
- - heavier runtime footprint;
242
- - larger dependency/security surface;
243
- - Node/backend bridge requires strict security design;
244
- - update/signing policy still required;
245
- - overkill for the first local MVP.
246
-
247
- Decision:
248
 
249
  ```text
250
- Do not use Electron for the first MVP. Reconsider later only if Tauri is not practical or frontend needs clearly require Electron.
251
  ```
252
 
253
- ## 9. MSI later
254
-
255
- Description:
256
 
257
  ```text
258
- Managed Windows installer/deployment package for organizational rollout.
259
  ```
260
 
261
- Recommended role:
262
-
263
- ```text
264
- Future enterprise deployment option only.
265
- ```
266
 
267
- Benefits:
 
 
 
 
 
 
268
 
269
- - familiar for Windows IT teams;
270
- - supports managed deployment patterns;
271
- - can support install/uninstall and versioning expectations;
272
- - can fit legal/care organizational rollout.
273
 
274
- Risks:
 
 
 
 
 
 
275
 
276
- - premature MSI creates false production maturity;
277
- - signing, update, rollback and support policy are required;
278
- - installer may need admin or endpoint management review;
279
- - wrong defaults could store sensitive runtime data in unmanaged locations;
280
- - MSI does not itself solve privacy, offline, Scrub Key or telemetry risks.
281
 
282
- Decision:
283
 
284
- ```text
285
- Do not build MSI now. Treat MSI as a later packaging/distribution layer after the app, local storage, key lifecycle, update policy and support model are mature.
286
- ```
 
 
 
 
 
287
 
288
- ## 10. Proof-of-concept versus production installation
289
 
290
- ### Proof-of-concept
291
 
292
  A proof-of-concept may show:
293
 
@@ -295,8 +72,7 @@ A proof-of-concept may show:
295
  - the app binds to `127.0.0.1`;
296
  - Streamlit usage stats are disabled;
297
  - documents are processed in the local Python process;
298
- - no cloud document-processing endpoint is introduced by the launcher;
299
- - the local run path is understandable to IT/security reviewers.
300
 
301
  A proof-of-concept must not claim:
302
 
@@ -308,12 +84,10 @@ A proof-of-concept must not claim:
308
  - protected key storage;
309
  - enterprise support readiness.
310
 
311
- ### Production installation
312
-
313
- A production installation needs additional decisions and evidence:
314
 
315
  - reproducible build pipeline;
316
- - dependency lock and asset inventory;
317
  - code signing;
318
  - installer/update/rollback policy;
319
  - local storage policy;
@@ -324,30 +98,9 @@ A production installation needs additional decisions and evidence:
324
  - support process for legal/care organizations;
325
  - app verification with synthetic and approved pilot data.
326
 
327
- ## 11. Least security-/management-risk option
328
-
329
- For the next MVP step, the least security-/management-risk option is:
330
-
331
- ```text
332
- Portable Python folder with documented local launcher
333
- ```
334
-
335
- Reason:
336
-
337
- - no installer elevation;
338
- - no new desktop framework;
339
- - no opaque executable bundling;
340
- - no automatic updater;
341
- - no additional packaging temp-file behavior;
342
- - easier IT review;
343
- - easiest rollback: delete/replace the folder;
344
- - easiest to keep Hugging Face and local runtime boundaries separate.
345
-
346
- For later organizational deployment, the least long-term management risk may become a signed managed installer, but only after the packaging proof and security model are mature.
347
 
348
- ## 12. What remains outside scope
349
-
350
- WP49 does not implement or approve:
351
 
352
  - MSI;
353
  - PyInstaller build;
@@ -365,66 +118,24 @@ WP49 does not implement or approve:
365
  - automatic deletion or expiry blocking;
366
  - real-data packaging tests.
367
 
368
- ## 13. What comes before a real MSI?
369
-
370
- Before a real MSI, Scrub needs at least one approved concrete packaging proof package.
371
-
372
- Recommended next packaging proof options:
373
-
374
- ```text
375
- WP48B — Portable Python folder hardening proof
376
- ```
377
-
378
- or:
379
-
380
- ```text
381
- WP49B — PyInstaller one-folder packaging proof
382
- ```
383
-
384
- The proof should validate:
385
-
386
- - reproducible local build steps;
387
- - dependency and model asset inventory;
388
- - local-only launch behavior;
389
- - no document-content logging;
390
- - temp-file behavior;
391
- - network-traffic behavior;
392
- - Windows Defender/endpoint behavior;
393
- - supportable folder layout;
394
- - app version display;
395
- - synthetic diagnostics only;
396
- - no real data;
397
- - no cloud processing;
398
- - no change to export/reinsert semantics.
399
-
400
- Only after that should the project decide on:
401
-
402
- - code signing;
403
- - MSI/MSIX/installer format;
404
- - update channel;
405
- - rollback;
406
- - enterprise deployment;
407
- - managed storage;
408
- - helpdesk/support process;
409
- - professional desktop shell migration.
410
-
411
- ## 14. Final recommendation
412
 
413
  Recommended sequence:
414
 
415
  ```text
416
- 1. Keep portable Python folder as first MVP local distribution.
417
- 2. Run WP48B or WP49B only if the coordinator approves a concrete packaging proof.
418
- 3. Prefer PyInstaller one-folder before any one-file executable.
419
- 4. Keep Tauri as preferred later professional shell candidate.
420
- 5. Keep Electron as later alternative only.
421
- 6. Keep MSI as future enterprise deployment option, not current implementation.
 
422
  ```
423
 
424
  This keeps Scrub aligned with the product promise:
425
 
426
  ```text
427
- Sensitive information stays local.
428
  The user remains in control.
429
  The document stays readable.
430
  Residual risk is visible.
 
3
  Status: completed decision/documentation-only
4
  Repository: `solidprivacy-nl/scrub`
5
 
6
+ ## 1. Decision update after roadmap adjustment
7
 
8
+ The packaging decision remains valid, but the roadmap sequence is now stricter:
9
 
10
  ```text
11
+ Validate logic, interface, security and trustworthiness online first. Delay local installer/MSI work until the core product behavior is acceptable.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
12
  ```
13
 
14
+ This means the local installer is not a near-term default track. It belongs at the end of the roadmap.
15
 
16
+ The Hugging Face/Streamlit web prototype remains the preferred validation surface for synthetic and approved non-confidential testing because web-interface testing is faster and less labor-intensive than testing an installable desktop app.
 
 
 
17
 
18
+ ## 2. Packaging decision
19
 
20
+ The recommended first local MVP distribution form, when local distribution is revisited, remains:
 
 
 
 
 
 
21
 
22
  ```text
23
+ Portable Python folder with the existing local Streamlit launcher
24
  ```
25
 
26
+ The recommended later professional desktop direction remains:
 
 
27
 
28
  ```text
29
+ Tauri shell with reusable Python core, unless team capability or frontend requirements make Electron preferable
30
  ```
31
 
32
+ A real MSI remains a future managed-deployment option only after:
 
 
 
 
33
 
34
+ - logic is acceptable;
35
+ - interface is acceptable;
36
+ - security and trustworthiness are acceptable;
37
+ - recall/residual-risk behavior is credible;
38
+ - DOCX hygiene and Scrub Key risks are visibly handled;
39
+ - online/web workflow validation is strong;
40
+ - packaging, signing, update, rollback, offline, network, temp-file and support boundaries have been validated.
41
 
42
+ ## 3. Option comparison
 
 
 
43
 
44
+ | Option | Current role | Later role | Main risk |
45
+ | --- | --- | --- | --- |
46
+ | Portable Python folder | Final-phase MVP local distribution candidate | Controlled local pilot path | Dependency/setup support burden |
47
+ | PyInstaller | Not default next work | Later one-folder proof if approved | Bundling, temp files, antivirus/signing |
48
+ | Tauri | Too early now | Preferred later professional shell candidate | Frontend/Rust/backend integration complexity |
49
+ | Electron | Too early now | Later alternative if frontend/team needs require it | Larger dependency and security surface |
50
+ | MSI | Out of scope now | Future managed deployment option | False production maturity if premature |
51
 
52
+ ## 4. Why installer work is deferred
 
 
 
 
53
 
54
+ Installer work is deferred because it creates extra validation load before the product behavior is stable:
55
 
56
+ - OS-specific setup and support;
57
+ - antivirus/endpoint behavior;
58
+ - signing and trust warnings;
59
+ - update and rollback policy;
60
+ - dependency/model bundling;
61
+ - temp-file and network validation;
62
+ - enterprise deployment expectations;
63
+ - support process for legal/care organizations.
64
 
65
+ Those concerns matter, but they should not consume capacity before Scrub's core logic, interface, security and trustworthiness are acceptable.
66
 
67
+ ## 5. Proof-of-concept versus production installation
68
 
69
  A proof-of-concept may show:
70
 
 
72
  - the app binds to `127.0.0.1`;
73
  - Streamlit usage stats are disabled;
74
  - documents are processed in the local Python process;
75
+ - no cloud document-processing endpoint is introduced by the launcher.
 
76
 
77
  A proof-of-concept must not claim:
78
 
 
84
  - protected key storage;
85
  - enterprise support readiness.
86
 
87
+ A production installation needs:
 
 
88
 
89
  - reproducible build pipeline;
90
+ - dependency and model asset inventory;
91
  - code signing;
92
  - installer/update/rollback policy;
93
  - local storage policy;
 
98
  - support process for legal/care organizations;
99
  - app verification with synthetic and approved pilot data.
100
 
101
+ ## 6. What remains outside scope
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
102
 
103
+ This decision does not implement or approve:
 
 
104
 
105
  - MSI;
106
  - PyInstaller build;
 
118
  - automatic deletion or expiry blocking;
119
  - real-data packaging tests.
120
 
121
+ ## 7. Final recommendation
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
122
 
123
  Recommended sequence:
124
 
125
  ```text
126
+ 1. Keep validating logic/interface/security/trust online first.
127
+ 2. Continue DOCX hygiene, Scrub Key verification, review UX and pilot workflow before installer investment.
128
+ 3. Keep portable Python folder as the first local distribution candidate for the final phase.
129
+ 4. Consider PyInstaller one-folder only as a later approved proof.
130
+ 5. Keep Tauri as preferred later professional shell candidate.
131
+ 6. Keep Electron as later alternative only.
132
+ 7. Keep MSI as future enterprise deployment option, not current work.
133
  ```
134
 
135
  This keeps Scrub aligned with the product promise:
136
 
137
  ```text
138
+ Sensitive information stays local in the final trust environment.
139
  The user remains in control.
140
  The document stays readable.
141
  Residual risk is visible.