GNU bug report logs - #31307
[PATCH] Add MAT, the Metadata Anonymisation Toolkit from Boum


Package: guix-patches;

Reported by: Chris Marusich <cmmarusich <at> gmail.com>

Date: Sat, 28 Apr 2018 21:39:03 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 31307 AT debbugs.gnu.org.




Report forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sat, 28 Apr 2018 21:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Marusich <cmmarusich <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 28 Apr 2018 21:39:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Chris Marusich <cmmarusich <at> gmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] Add MAT, the Metadata Anonymisation Toolkit from Boum
Date: Sat, 28 Apr 2018 14:38:13 -0700
Hi Guix,

This patch adds MAT, the Metadata Anonymisation Toolkit from Boum.  I've
successfully used its CLI tool to purge metadata from JPEG image files;
I verified using exiftool that it works for this purpose.  However, not
all of its features work (see the TODO for details), and more
importantly, the website says people shouldn't use it.  For these
reasons, I'm not sure if we should add it, so I'd like to ask for your
opinion.

The author states on their website:

  https://mat.boum.org/

  Current status

  The MAT maintenance and development is currently on hold, mostly for
  health reasons. I might go back to it at some point in the future.

  The current version might have bugs, and doesn't work on Python3: Please
  avoid using it.

However, packages exist for some distributions.  For example, here's a
MAT package for Debian:

  https://packages.qa.debian.org/m/mat.html

And like I said, the CLI tool does seem to work.

Should we refrain from adding this package simply because the author is
not maintaining it any more?  I'm inclined to say "no", but one also has
to consider whether it is a good idea to encourage people to use an
unmaintained tool for protecting their privacy/anonymity.  I'm not sure.

In addition, I notice that the license is GPL 2, but it seems the author
did not specify whether "any later version" can be used.  Therefore, I
have listed this as gpl2, instead of gpl2+.

What do you think?

-- 
Chris
[0001-gnu-Add-mat.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sat, 28 Apr 2018 22:11:01 GMT) Full text and rfc822 format available.

Message #8 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Nils Gillmann <ng0 <at> n0.is>
To: Chris Marusich <cmmarusich <at> gmail.com>
Cc: 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit
 from Boum
Date: Sat, 28 Apr 2018 22:11:04 +0000
Chris Marusich transcribed 5.9K bytes:
> Hi Guix,
> 
> This patch adds MAT, the Metadata Anonymisation Toolkit from Boum.  I've

Nice! This one has been a "low-hanging fruit" on my roadmap for a very long time.
Good to see it.

> successfully used its CLI tool to purge metadata from JPEG image files;
> I verified using exiftool that it works for this purpose.  However, not
> all of its features work (see the TODO for details), and more
> importantly, the website says people shouldn't use it.  For these
> reasons, I'm not sure if we should add it, so I'd like to ask for your
> opinion.
> 
> The author states on their website:
> 
>   https://mat.boum.org/
> 
>   Current status
> 
>   The MAT maintenance and development is currently on hold, mostly for
>   health reasons. I might go back to it at some point in the future.
> 
>   The current version might have bugs, and doesn't work on Python3: Please
>   avoid using it.
> 
> However, packages exist for some distributions.  For example, here's a
> MAT package for Debian:
> 
>   https://packages.qa.debian.org/m/mat.html
> 
> And like I said, the CLI tool does seem to work.
> 
> Should we refrain from adding this package simply because the author is
> not maintaining it any more?  I'm inclined to say "no", but one also has
> to consider whether it is a good idea to encourage people to use an
> unmaintained tool for protecting their privacy/anonymity.  I'm not sure.
> 
> In addition, I notice that the license is GPL 2, but it seems the author
> did not specify whether "any later version" can be used.  Therefore, I
> have listed this as gpl2, instead of gpl2+.

The tails people (iirc it is a tails project, who are hosted on boum.org infra)
are generally okay with questions, I think you should ask about whether it's GPL2 or GPL2+.

We could also ask them about the state of MAT, as once upon a time they used to
include it in Tails. No idea if they still do.

> What do you think?
> 
> -- 
> Chris

> From c30a26364fdf919deb9bc6bd907b75de58a17a7b Mon Sep 17 00:00:00 2001
> From: Chris Marusich <cmmarusich <at> gmail.com>
> Date: Sat, 28 Apr 2018 14:03:47 -0700
> Subject: [PATCH] gnu: Add mat.
> 
> * gnu/packages/photo.scm (mat): New variable.
> ---
>  gnu/packages/photo.scm | 52 ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 52 insertions(+)
> 
> diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
> index 2c0c2313f..a6380cc63 100644
> --- a/gnu/packages/photo.scm
> +++ b/gnu/packages/photo.scm
> @@ -26,6 +26,7 @@
>    #:use-module (guix build-system cmake)
>    #:use-module (guix build-system gnu)
>    #:use-module (guix build-system perl)
> +  #:use-module (guix build-system python)
>    #:use-module (guix download)
>    #:use-module ((guix licenses) #:prefix license:)
>    #:use-module (guix packages)
> @@ -52,6 +53,7 @@
>    #:use-module (gnu packages llvm)
>    #:use-module (gnu packages man)
>    #:use-module (gnu packages maths)
> +  #:use-module (gnu packages music)
>    #:use-module (gnu packages perl)
>    #:use-module (gnu packages pkg-config)
>    #:use-module (gnu packages popt)
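
Review bot: The added (gnu packages music) import is presumably only there to reach python2-mutagen, which suggests photo.scm is the wrong home for this package: the description in the last hunk covers audio, office documents, archives and torrents as well as images. Consider defining the package in a module with a more general scope, so that photo.scm does not gain a dependency on the music module.
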
> @@ -521,3 +523,53 @@ workflow by facilitating the handling of large numbers of images.  Most raw
>  formats are supported, including Pentax Pixel Shift, Canon Dual-Pixel, and those
>  from Foveon and X-Trans sensors.")
>      (license license:gpl3+)))
> +
> +;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
> +;; TODO: Add inputs for GUI support (e.g., gi).
> +;; TODO: Fix some hard-coded paths.  For example, get_datafile_path embeds
> +;; paths like "/usr/local/share/mat", which we should probably rewrite so that
> +;; they point to mat's output directory in the store.  This specific example
> +;; causes "mat --list" to fail with an exception.

I'm all for making it less hard for a package to get initially into Guix, but
shouldn't at least hardcoded paths that make an often used function(?) be fixed
first? On the other hand it is functional as you wrote.

> +(define-public python2-mat
> +  (package
> +    (name "python2-mat")

Since people will expect this as "MAT" or "mat" and not "python2-mat", and to my
knowledge there is no python3 variant, we should name it just mat.

> +    (version "0.6.1")
> +    (source (origin
> +              (method url-fetch)
> +              (uri (string-append
> +                    "https://mat.boum.org/files/mat-" version ".tar.xz"))
> +              (sha256
> +               (base32
> +                "1faiiq7cjspafjjf4kmm7bbn8m506qgcijbizpgdvlaaapdyg0h7"))))
> +    (build-system python-build-system)
> +    (arguments
> +     `(#:python ,python-2
> +       #:use-setuptools? #f))
> +    (propagated-inputs
> +     `(("python2-pycairo" ,python2-pycairo)
> +       ("python2-mutagen" ,python2-mutagen)
> +       ("perl-image-exiftool" ,perl-image-exiftool)))
> +    (native-inputs
> +     `(("python2-distutils-extra" ,python2-distutils-extra)
> +       ("intltool" ,intltool)))
> +    (synopsis "Anonymize/remove metadata from files")
> +    (description
> +     "MAT (Metadata Anonymisation Toolkit) is a toolbox composed of a GUI
> +application, a CLI application and a library, to anonymize/remove metadata
> +from files.  It supports the following file formats:
> +
> +@itemize @bullet
> +@item Portable Network Graphics (.png)
> +@item Joint Photographic Experts Group (.jpg, .jpeg, etc.)
> +@item Tagged Image File Format (.tif, tiff, etc.)
> +@item Open Documents (.odt, .odx, .ods, etc.)
> +@item Office OpenXml (.docx, .pptx, .xlsx, etc.)
> +@item Portable Document Fileformat (.pdf)
> +@item Tape Archives (.tar, .tar.bz2, etc.)
> +@item Moving Picture Experts Group (MPEG) (.mp3, .mp2, .mp1, etc.)
> +@item Ogg Vorbis (.ogg, etc.)
> +@item Free Lossless Audio Codec (.flac)
> +@item Torrent (.torrent)
> +@end itemize")
> +    (home-page "https://mat.boum.org")
> +    (license license:gpl2)))
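
Review bot: The description at the end of this hunk advertises a GUI application and PDF support ("@item Portable Document Fileformat (.pdf)"), while the TODO comments at the top of the hunk say the inputs for both are still missing, so the package as built promises more than it delivers. For a metadata-removal tool that matters: a user who trusts the description may publish a PDF that was never cleaned. Either add the inputs or trim the description to what works in this build and state the limitation there. Separately, perl-image-exiftool is listed in propagated-inputs; if MAT only executes exiftool, a regular input with the program's store path substituted into the source would avoid installing it into every user's profile. Two small typos in the description: ".tif, tiff" is missing a dot, and PDF stands for "Portable Document Format".
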
> -- 
> 2.17.0
> 







Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sun, 29 Apr 2018 03:11:02 GMT) Full text and rfc822 format available.

Message #11 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Chris Marusich <cmmarusich <at> gmail.com>
To: Nils Gillmann <ng0 <at> n0.is>
Cc: 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT,
 the Metadata Anonymisation Toolkit from Boum
Date: Sat, 28 Apr 2018 20:09:52 -0700
Nils Gillmann <ng0 <at> n0.is> writes:

>> In addition, I notice that the license is GPL 2, but it seems the author
>> did not specify whether "any later version" can be used.  Therefore, I
>> have listed this as gpl2, instead of gpl2+.
>
> The tails people (iirc it is a tails project, who are hosted on boum.org infra)
> are generally okay with questions, I think you should ask about whether
> it's GPL2 or GPL2+.
>
> We could also ask them about the state of MAT, as once upon a time they used to
> include it in Tails. No idea if they still do.

I've sent an email to tails-dev <at> boum.org.  I Cc'd you on it.  I wasn't
sure if the people of the tails-dev <at> boum.org email list would appreciate
it if I arranged for their replies to automatically be recorded in our
bug tracker, so I opted not to Cc this bug report on the email.

We'll see what they say!

>> +;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
>> +;; TODO: Add inputs for GUI support (e.g., gi).
>> +;; TODO: Fix some hard-coded paths.  For example, get_datafile_path embeds
>> +;; paths like "/usr/local/share/mat", which we should probably rewrite so that
>> +;; they point to mat's output directory in the store.  This specific example
>> +;; causes "mat --list" to fail with an exception.
>
> I'm all for making it less hard for a package to get initially into Guix, but
> shouldn't at least hardcoded paths that make an often used function(?) be fixed
> first? On the other hand it is functional as you wrote.

I've fixed this in the latest patch version (see attached)!

While testing, I also discovered that the -b feature of the CLI tool
does not work because of what appears to be a simple bug in MAT.  I
suppose I will report that upstream if they get back to me and they're
still maintaining it.

>> +(define-public python2-mat
>> +  (package
>> +    (name "python2-mat")
>
> Since people will expect this as "MAT" or "mat" and not "python2-mat", and to my
> knowledge there is no python3 variant, we should name it just mat.

On this topic, the precedent goes both ways, and I haven't seen any
guidance yet on the email lists or in the manual.  For example, see
packages like awscli, python2-s3cmd, jupyter, and python-ansi2html.

I think that if a package provides only an application, it makes sense
to give it a name without the "python" or "python2" prefix.  However, if
the package provides a library, or it provides a library in addition to
an application, then I think it's better to refer to it using the
"python" or "python2" prefix, as described in the section titled "Python
Modules" in the Guix manual.  I also think this aligns with Guix's trend
towards (usually) keeping libraries in the default "out" output of a
package, rather than putting libraries in a separate "lib" output or a
separate "devel" package.

-- 
Chris
[0001-gnu-Add-python2-mat.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sun, 29 Apr 2018 08:19:02 GMT) Full text and rfc822 format available.

Message #14 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Chris Marusich <cmmarusich <at> gmail.com>
To: Nils Gillmann <ng0 <at> n0.is>
Cc: 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT,
 the Metadata Anonymisation Toolkit from Boum
Date: Sun, 29 Apr 2018 01:18:12 -0700
Chris Marusich <cmmarusich <at> gmail.com> writes:

Here's a new patch that fixes a few more things (but not the -b bug).

I noticed that when MAT's tests ran, out of 33 tests total, there were 3
failures, and 8 errors.  Curiously, this did not cause the build to
fail.  The 3 failures have something to do with not being able to
process a .docx file.  The 8 errors seem to occur because a variable
"current_file" in the test has an unexpected value (None).  If we decide
to add this package, we should probably fix or disable the tests and
find out why the test failures did not cause the build to fail.

I attempted to get MAT's GUI component working, but I was unsuccessful.
To build the GUI component, it seems we would first need to add Python
bindings for libpoppler, such as python-poppler [1], and python-poppler
can't be built without some extra love and patches [2][3].

Footnotes: 
[1]  https://launchpad.net/poppler-python

[2]  https://bugs.launchpad.net/poppler-python/+bug/1528489

[3]  https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-python/python-poppler

-- 
Chris
[0001-gnu-Add-python2-mat.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Wed, 02 May 2018 06:02:01 GMT) Full text and rfc822 format available.

Message #17 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Chris Marusich <cmmarusich <at> gmail.com>
To: Nils Gillmann <ng0 <at> n0.is>
Cc: 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT,
 the Metadata Anonymisation Toolkit from Boum
Date: Tue, 01 May 2018 23:00:51 -0700
Chris Marusich <cmmarusich <at> gmail.com> writes:

> We'll see what they say!

Upstream has confirmed that the license is GPLv2:

https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html

They also confirmed the following:

* MAT is not actively maintained and doesn't run under Python 3.

* MAT2 is under development.

* MAT has some known limitations, "like leaving metadata in file
embedded in PDF, like images."

That said, even upstream said that we should go with MAT, since there is
no known better alternative, and later we can switch to MAT2.  I think
we should add it, without worrying about making the GUI work, and we
should add these warnings to the package description.

Thoughts?

-- 
Chris

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Wed, 02 May 2018 06:12:02 GMT) Full text and rfc822 format available.

Message #20 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Nils Gillmann <ng0 <at> n0.is>
To: Chris Marusich <cmmarusich <at> gmail.com>
Cc: 31307 <at> debbugs.gnu.org, Nils Gillmann <ng0 <at> n0.is>
Subject: Re: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit
 from Boum
Date: Wed, 2 May 2018 06:12:24 +0000
Chris Marusich transcribed 1.7K bytes:
> Chris Marusich <cmmarusich <at> gmail.com> writes:
> 
> > We'll see what they say!
> 
> Upstream has confirmed that the license is GPLv2:
> 
> https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html
> 
> They also confirmed the following:
> 
> * MAT is not actively maintained and doesn't run under Python 3.
> 
> * MAT2 is under development.
> 
> * MAT has some known limitations, "like leaving metadata in file
> embedded in PDF, like images."
> 
> That said, even upstream said that we should go with MAT, since there is
> no known better alternative, and later we can switch to MAT2.  I think
> we should add it, without worrying about making the GUI work, and we
> should add these warnings to the package description.
> 
> Thoughts?

Okay for me.

> -- 
> Chris






Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sat, 05 May 2018 20:34:01 GMT) Full text and rfc822 format available.

Message #23 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Chris Marusich <cmmarusich <at> gmail.com>
Cc: 31307 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#31307] [PATCH] Add MAT,
 the Metadata Anonymisation Toolkit from Boum
Date: Sat, 05 May 2018 22:33:45 +0200
Hello Chris,

Chris Marusich <cmmarusich <at> gmail.com> skribis:

> Should we refrain from adding this package simply because the author is
> not maintaining it any more?  I'm inclined to say "no", but one also has
> to consider whether it is a good idea to encourage people to use an
> unmaintained tool for protecting their privacy/anonymity.  I'm not sure.

It’s risky, indeed.  As time passes it’s likely to have more and more
known-but-unfixed security issues, which isn’t great.  Leo, thoughts on
this situation?

> In addition, I notice that the license is GPL 2, but it seems the author
> did not specify whether "any later version" can be used.  Therefore, I
> have listed this as gpl2, instead of gpl2+.

Note that unless authors explicitly removed the “or any later version”
phrase from license headers in source files, we write ‘gpl2+’;
specifically, Section 9 of GPLv2 reads:

  If the Program does not specify a version number of this License, you
  may choose any version ever published by the Free Software Foundation.

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sat, 05 May 2018 21:38:02 GMT) Full text and rfc822 format available.

Message #26 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Chris Marusich <cmmarusich <at> gmail.com>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 31307 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#31307] [PATCH] Add MAT,
 the Metadata Anonymisation Toolkit from Boum
Date: Sat, 05 May 2018 14:37:34 -0700
ludo <at> gnu.org (Ludovic Courtès) writes:

>> In addition, I notice that the license is GPL 2, but it seems the author
>> did not specify whether "any later version" can be used.  Therefore, I
>> have listed this as gpl2, instead of gpl2+.
>
> Note that unless authors explicitly removed the “or any later version”
> phrase from license headers in source files, we write ‘gpl2+’;
> specifically, Section 9 of GPLv2 reads:
>
>   If the Program does not specify a version number of this License, you
>   may choose any version ever published by the Free Software Foundation.

Upstream clarified in an email [1] that the license is GPLv2.  Also,
they did explicitly remove the "or any later version" part in the
README.md file; I just missed that detail at first.  However, there is
no license embedded in the source files themselves.  In this case, is it
correct to add this package as GPLv2?

Footnotes: 
[1]  https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html

-- 
Chris

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sun, 06 May 2018 19:27:02 GMT) Full text and rfc822 format available.

Message #29 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Chris Marusich <cmmarusich <at> gmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit
 from Boum
Date: Sun, 6 May 2018 15:26:14 -0400
On Sat, May 05, 2018 at 02:37:34PM -0700, Chris Marusich wrote:
> Upstream clarified in an email [1] that the license is GPLv2.  Also,
> they did explicitly remove the "or any later version" part in the
> README.md file; I just missed that detail at first.  However, there is
> no license embedded in the source files themselves.  In this case, is it
> correct to add this package as GPLv2?

My understanding as a non-expert is that the "or later" is always at the
discretion of the author. So GPLv2 without "or later" is GPLv2, and
that's how we can distribute it.

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sun, 06 May 2018 19:45:02 GMT) Full text and rfc822 format available.

Message #32 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Chris Marusich <cmmarusich <at> gmail.com>, 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit
 from Boum
Date: Sun, 6 May 2018 15:44:44 -0400
On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> Chris Marusich <cmmarusich <at> gmail.com> skribis:
> > Should we refrain from adding this package simply because the author is
> > not maintaining it any more?  I'm inclined to say "no", but one also has
> > to consider whether it is a good idea to encourage people to use an
> > unmaintained tool for protecting their privacy/anonymity.  I'm not sure.
> 
> It’s risky, indeed.  As time passes it’s likely to have more and more
> known-but-unfixed security issues, which isn’t great.  Leo, thoughts on
> this situation?

I see two different issues here:

1) The project is unmaintained (last release 2016) and the underlying
platform (Python 2) will become unmaintained in January 2020.

I think these maintenance issues are not a blocker in this case. We
package lots of software that has been basically abandoned for longer
than MAT. Its source repo saw activity in March. On this subject, we
should think about building from HEAD since those new commits will
probably never be "released".

2) The software is not guaranteed to achieve its goals.

I think the idea of "anonymizing" a file is always going to be
manifested as a goal rather than a full solution. No matter the level of
upstream maintenance, anonymity can never be guaranteed.

So, I think it's okay to add the package with a big warning in the
description, maybe even saying something scary like "only recommended
for educational and research activity".

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Fri, 15 Jun 2018 07:07:01 GMT) Full text and rfc822 format available.

Message #35 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: Chris Marusich <cmmarusich <at> gmail.com>, 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT,
 the Metadata Anonymisation Toolkit from Boum
Date: Fri, 15 Jun 2018 09:06:32 +0200
Hello,

Leo Famulari <leo <at> famulari.name> skribis:

> I see two different issues here:
>
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
>
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
>
> 2) The software is not guaranteed to achieve its goals.
>
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
>
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

Sounds reasonable to me.

Chris, what would you like to do with this package?

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Sat, 16 Jun 2018 13:43:01 GMT) Full text and rfc822 format available.

Message #38 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Nils Gillmann <ng0 <at> n0.is>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ludovic Courtès <ludo <at> gnu.org>,
 Chris Marusich <cmmarusich <at> gmail.com>, 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit
 from Boum
Date: Sat, 16 Jun 2018 13:42:49 +0000
Leo Famulari transcribed 2.5K bytes:
> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> > Chris Marusich <cmmarusich <at> gmail.com> skribis:
> > > Should we refrain from adding this package simply because the author is
> > > not maintaining it any more?  I'm inclined to say "no", but one also has
> > > to consider whether it is a good idea to encourage people to use an
> > > unmaintained tool for protecting their privacy/anonymity.  I'm not sure.
> > 
> > It’s risky, indeed.  As time passes it’s likely to have more and more
> > known-but-unfixed security issues, which isn’t great.  Leo, thoughts on
> > this situation?
> 
> I see two different issues here:
> 
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
> 
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
> 
> 2) The software is not guaranteed to achieve its goals.
> 
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
> 
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

I agree (and hope we won't just drop python-2 in 2020 because that would
be unreasonable).




Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Thu, 05 Jul 2018 08:30:01 GMT) Full text and rfc822 format available.

Message #41 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Chris Marusich <cmmarusich <at> gmail.com>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 31307 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#31307] [PATCH] Add MAT,
 the Metadata Anonymisation Toolkit from Boum
Date: Thu, 05 Jul 2018 01:29:16 -0700
ludo <at> gnu.org (Ludovic Courtès) writes:

> Hello,
>
> Leo Famulari <leo <at> famulari.name> skribis:
>
>> I see two different issues here:
>>
>> 1) The project is unmaintained (last release 2016) and the underlying
>> platform (Python 2) will become unmaintained in January 2020.
>>
>> I think these maintenance issues are not a blocker in this case. We
>> package lots of software that has been basically abandoned for longer
>> than MAT. Its source repo saw activity in March. On this subject, we
>> should think about building from HEAD since those new commits will
>> probably never be "released".
>>
>> 2) The software is not guaranteed to achieve its goals.
>>
>> I think the idea of "anonymizing" a file is always going to be
>> manifested as a goal rather than a full solution. No matter the level of
>> upstream maintenance, anonymity can never be guaranteed.
>>
>> So, I think it's okay to add the package with a big warning in the
>> description, maybe even saying something scary like "only recommended
>> for educational and research activity".
>
> Sounds reasonable to me.
>
> Chris, what would you like to do with this package?

If we can resolve the issue with the tests and add a warning to the
package description, I'd be OK with adding it.  However, the tests
currently error out or fail, even though the package builds
successfully.  That's concerning, and I don't feel comfortable adding
the package, even with a warning, until it's been addressed.

I don't have a lot of time to work on this right now.  I will eventually
get around to it, but if somebody wants MAT sooner, please feel free to
take over and do it before I get around to it.

-- 
Chris

Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Mon, 13 Sep 2021 02:28:02 GMT) Full text and rfc822 format available.

Message #44 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Sarah Morgensen <iskarian <at> mgsn.dev>
To: Chris Marusich <cmmarusich <at> gmail.com>
Cc: 31307 <at> debbugs.gnu.org, Nils Gillmann <ng0 <at> n0.is>
Subject: Re: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit
 from Boum
Date: Sun, 12 Sep 2021 19:26:58 -0700
Hi all,

Nils Gillmann <ng0 <at> n0.is> writes:

> Leo Famulari transcribed 2.5K bytes:
>> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
>> > Chris Marusich <cmmarusich <at> gmail.com> skribis:
>> > > Should we refrain from adding this package simply because the author is
>> > > not maintaining it any more?  I'm inclined to say "no", but one also has
>> > > to consider whether it is a good idea to encourage people to use an
>> > > unmaintained tool for protecting their privacy/anonymity.  I'm not sure.
>> > 
>> > It’s risky, indeed.  As time passes it’s likely to have more and more
>> > known-but-unfixed security issues, which isn’t great.  Leo, thoughts on
>> > this situation?
>> 
>> I see two different issues here:
>> 
>> 1) The project is unmaintained (last release 2016) and the underlying
>> platform (Python 2) will become unmaintained in January 2020.
>> 
>> I think these maintenance issues are not a blocker in this case. We
>> package lots of software that has been basically abandoned for longer
>> than MAT. Its source repo saw activity in March. On this subject, we
>> should think about building from HEAD since those new commits will
>> probably never be "released".
>> 
>> 2) The software is not guaranteed to achieve its goals.
>> 
>> I think the idea of "anonymizing" a file is always going to be
>> manifested as a goal rather than a full solution. No matter the level of
>> upstream maintenance, anonymity can never be guaranteed.
>> 
>> So, I think it's okay to add the package with a big warning in the
>> description, maybe even saying something scary like "only recommended
>> for educational and research activity".
>
> I agree (and hope we won't just drop python-2 in 2020 because that would
> be unreasonable).

If someone wants to give this a try again, MAT 2 seems to be under
active development, and is based on python 3:

https://0xacab.org/jvoisin/mat2

It looks slick, and is GPL3+.

--
Sarah




Information forwarded to guix-patches <at> gnu.org:
bug#31307; Package guix-patches. (Mon, 08 Nov 2021 01:38:01 GMT) Full text and rfc822 format available.

Message #47 received at 31307 <at> debbugs.gnu.org (full text, mbox):

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: 31307 <at> debbugs.gnu.org
Subject: Re: [bug#31307][PATCH] Add MAT, the Metadata Anonymisation Toolkit
Date: Mon, 8 Nov 2021 02:34:16 +0100
Hi,

I found this while browsing debbugs.gnu.org, and I've started working on
adding MAT2.

I've got it working, so I'm attaching my work as-is to avoid
duplication of work. Tests probably need to be disabled for it to work.

I didn't submit it yet because not only the package needs some cleanups
(that could have been fixed), but more importantly I also wanted to make
tests work as I was afraid that getting this package wrong could have
bad consequences for people if for some reason it didn't clean up the
metadata due to packaging issues.

Denis.
[mat2.scm (text/x-scheme, attachment)]
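
An independent check of the kind this thread relies on (Chris verified MAT's JPEG output with exiftool; Denis worried that a mispackaged build could silently leave metadata behind), as an added example that is not part of the thread and not code from MAT, MAT2 or Guix: a JPEG segment scanner that fails closed. The function names, the policy of reporting every APP1 to APP15 and COM segment, and the sample bytes are assumptions constructed for illustration.

```python
import struct
import sys

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

# Payload prefixes of well-known metadata containers, keyed by marker.
KNOWN = {
    0xE1: [(b"Exif\x00\x00", "APP1 Exif"),
           (b"http://ns.adobe.com/xap/1.0/\x00", "APP1 XMP")],
    0xE2: [(b"ICC_PROFILE\x00", "APP2 ICC profile")],
    0xED: [(b"Photoshop 3.0\x00", "APP13 Photoshop/IPTC")],
}

def describe(marker, payload):
    """Label a segment that can carry metadata; None for structural ones.
    Assumed policy: every APP1..APP15 and COM segment is reported."""
    if marker == 0xFE:
        return "COM comment"
    if marker == 0xE0:  # JFIF is structural; JFXX may hold a thumbnail
        return "APP0 JFXX thumbnail" if payload.startswith(b"JFXX\x00") else None
    if 0xE1 <= marker <= 0xEF:
        for prefix, label in KNOWN.get(marker, []):
            if payload.startswith(prefix):
                return label
        return "APP%d (unrecognised)" % (marker - 0xE0)
    return None

def skip_scan(data, pos):
    """Skip entropy-coded data after SOS; return offset of the next marker."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            raise ValueError("truncated JPEG: scan data runs to end of file")
        if data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7:
            pos += 2  # stuffed 0xFF byte or restart marker, still scan data
            continue
        return pos

def find_metadata(data):
    """Return [(offset, label)] for every metadata-capable part of a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte in front of a marker
            pos += 1
        elif marker == 0xD9:  # EOI: anything after it is outside the image
            trailing = len(data) - (pos + 2)
            if trailing:
                findings.append((pos + 2, "%d bytes after EOI" % trailing))
            return findings
        elif marker in STANDALONE:
            pos += 2
        else:
            if pos + 4 > len(data):
                raise ValueError("truncated segment header")
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            end = pos + 2 + length
            if length < 2 or end > len(data):
                raise ValueError("bad segment length at offset %d" % pos)
            label = describe(marker, data[pos + 4:end])
            if label:
                findings.append((pos, label))
            pos = skip_scan(data, end) if marker == 0xDA else end
    raise ValueError("truncated JPEG: no EOI marker")

def check(data):
    """Fail closed: a parse error is itself a finding, never 'clean'."""
    try:
        return find_metadata(data)
    except ValueError as err:
        return [(0, "unparseable: %s" % err)]

def seg(marker, payload):
    """Build one length-prefixed segment (used only for the samples below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples, not real photographs: just enough structure to parse.
JFIF = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CORE = (seg(0xDB, b"\x00" + bytes(64))                        # DQT
        + seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0
        + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")              # SOS header
        + b"\x12\xff\x00\x34"                                 # scan data
        + b"\xff\xd9")                                        # EOI
CLEAN = b"\xff\xd8" + JFIF + CORE
DIRTY = (b"\xff\xd8" + JFIF
         + seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
         + seg(0xFE, b"constructed sample comment")
         + CORE)

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

if __name__ == "__main__":
    # With file arguments, exit non-zero if any of them still has findings.
    paths = sys.argv[1:]
    inputs = [(p, read(p)) for p in paths] or [("DIRTY", DIRTY), ("CLEAN", CLEAN)]
    failed = False
    for name, data in inputs:
        for offset, label in check(data):
            failed = True
            print("%s: offset %d: %s" % (name, offset, label))
    sys.exit(1 if failed and paths else 0)
```

Run against the cleaned files in a package's test phase, a non-zero exit makes leftover metadata a build failure rather than something noticed later; it covers JPEG only and does not replace checks for the other formats the tool claims to handle.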

This bug report was last modified 3 years and 217 days ago.


