Subject: [bug#31307] [PATCH] Add MAT, the Metadata Anonymisation Toolkit from Boum
Date: Sat, 16 Jun 2018 13:42:49 +0000
From: Nils Gillmann
Message-ID: <20180616134249.qvmysgxpl2o54u2r@abyayala>
References: <87wowrj9kq.fsf@gmail.com> <877eohrgeu.fsf@gnu.org> <20180506194444.GB8038@jasmine.lan>
In-Reply-To: <20180506194444.GB8038@jasmine.lan>
To: Leo Famulari
Cc: Chris Marusich, 31307@debbugs.gnu.org

Leo Famulari transcribed 2.5K bytes:
> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> > Chris Marusich wrote:
> > > Should we refrain from adding this package simply because the author is
> > > not maintaining it any more? I'm inclined to say "no", but one also has
> > > to consider whether it is a good idea to encourage people to use an
> > > unmaintained tool for protecting their privacy/anonymity. I'm not sure.
> >
> > It’s risky, indeed. As time passes it’s likely to have more and more
> > known-but-unfixed security issues, which isn’t great. Leo, thoughts on
> > this situation?
>
> I see two different issues here:
>
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
>
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
>
> 2) The software is not guaranteed to achieve its goals.
>
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
>
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

I agree (and hope we won't just drop python-2 in 2020 because that would
be unreasonable).