From: Leo Famulari
Date: Sun, 6 May 2018 15:44:44 -0400
Subject: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit from Boum
To: Ludovic Courtès
Cc: Chris Marusich, 31307@debbugs.gnu.org
Message-ID: <20180506194444.GB8038@jasmine.lan>
In-Reply-To: <877eohrgeu.fsf@gnu.org>
References: <87wowrj9kq.fsf@gmail.com> <877eohrgeu.fsf@gnu.org>

On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> Chris Marusich wrote:
> > Should we refrain from adding this package simply because the author is
> > not maintaining it any more? I'm inclined to say "no", but one also has
> > to consider whether it is a good idea to encourage people to use an
> > unmaintained tool for protecting their privacy/anonymity. I'm not sure.
>
> It’s risky, indeed. As time passes it’s likely to have more and more
> known-but-unfixed security issues, which isn’t great. Leo, thoughts on
> this situation?

I see two different issues here:

1) The project is unmaintained (last release 2016) and the underlying
platform (Python 2) will become unmaintained in January 2020.

I think these maintenance issues are not a blocker in this case. We
package lots of software that has been basically abandoned for longer
than MAT. Its source repo saw activity in March. On this subject, we
should think about building from HEAD since those new commits will
probably never be "released".

2) The software is not guaranteed to achieve its goals.

I think the idea of "anonymizing" a file is always going to be
manifested as a goal rather than a full solution. No matter the level of
upstream maintenance, anonymity can never be guaranteed.

So, I think it's okay to add the package with a big warning in the
description, maybe even saying something scary like "only recommended
for educational and research activity".