[PATCH] Add MAT, the Metadata Anonymisation Toolkit from Boum

  • Open
Details
6 participants
  • Denis 'GNUtoo' Carikli
  • Chris Marusich
  • Sarah Morgensen
  • Leo Famulari
  • Ludovic Courtès
  • Nils Gillmann
Owner
unassigned
Submitted by
Chris Marusich
Severity
normal
Chris Marusich wrote on 28 Apr 2018 23:38
(address . guix-patches@gnu.org)
87wowrj9kq.fsf@gmail.com
Hi Guix,

This patch adds MAT, the Metadata Anonymisation Toolkit from Boum. I've
successfully used its CLI tool to purge metadata from JPEG image files;
I verified using exiftool that it works for this purpose. However, not
all of its features work (see the TODO for details), and more
importantly, the website says people shouldn't use it. For these
reasons, I'm not sure if we should add it, so I'd like to ask for your
opinion.

The author states on their website:


Current status

The MAT maintenance and development is currently on hold, mostly for
health reasons. I might go back to it at some point in the future.

The current version might have bugs, and doesn't work on Python3: Please
avoid using it.

However, packages exist for some distributions. For example, here's a
MAT package for Debian:


And like I said, the CLI tool does seem to work.

Should we refrain from adding this package simply because the author is
not maintaining it any more? I'm inclined to say "no", but one also has
to consider whether it is a good idea to encourage people to use an
unmaintained tool for protecting their privacy/anonymity. I'm not sure.

In addition, I notice that the license is GPL 2, but it seems the author
did not specify whether "any later version" can be used. Therefore, I
have listed this as gpl2, instead of gpl2+.

What do you think?

--
Chris
From c30a26364fdf919deb9bc6bd907b75de58a17a7b Mon Sep 17 00:00:00 2001
From: Chris Marusich <cmmarusich@gmail.com>
Date: Sat, 28 Apr 2018 14:03:47 -0700
Subject: [PATCH] gnu: Add mat.

* gnu/packages/photo.scm (mat): New variable.
---
gnu/packages/photo.scm | 52 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)

diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 2c0c2313f..a6380cc63 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -26,6 +26,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system perl)
+ #:use-module (guix build-system python)
#:use-module (guix download)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
@@ -52,6 +53,7 @@
#:use-module (gnu packages llvm)
#:use-module (gnu packages man)
#:use-module (gnu packages maths)
+ #:use-module (gnu packages music)
#:use-module (gnu packages perl)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages popt)
@@ -521,3 +523,53 @@ workflow by facilitating the handling of large numbers of images. Most raw
formats are supported, including Pentax Pixel Shift, Canon Dual-Pixel, and those
from Foveon and X-Trans sensors.")
(license license:gpl3+)))
+
+;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
+;; TODO: Add inputs for GUI support (e.g., gi).
+;; TODO: Fix some hard-coded paths. For example, get_datafile_path embeds
+;; paths like "/usr/local/share/mat", which we should probably rewrite so that
+;; they point to mat's output directory in the store. This specific example
+;; causes "mat --list" to fail with an exception.
+(define-public python2-mat
+ (package
+ (name "python2-mat")
+ (version "0.6.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://mat.boum.org/files/mat-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1faiiq7cjspafjjf4kmm7bbn8m506qgcijbizpgdvlaaapdyg0h7"))))
+ (build-system python-build-system)
+ (arguments
+ `(#:python ,python-2
+ #:use-setuptools? #f))
+ (propagated-inputs
+ `(("python2-pycairo" ,python2-pycairo)
+ ("python2-mutagen" ,python2-mutagen)
+ ("perl-image-exiftool" ,perl-image-exiftool)))
+ (native-inputs
+ `(("python2-distutils-extra" ,python2-distutils-extra)
+ ("intltool" ,intltool)))
+ (synopsis "Anonymize/remove metadata from files")
+ (description
+ "MAT (Metadata Anonymisation Toolkit) is a toolbox composed of a GUI
+application, a CLI application and a library, to anonymize/remove metadata
+from files. It supports the following file formats:
+
+@itemize @bullet
+@item Portable Network Graphics (.png)
+@item Joint Photographic Experts Group (.jpg, .jpeg, etc.)
+@item Tagged Image File Format (.tif, tiff, etc.)
+@item Open Documents (.odt, .odx, .ods, etc.)
+@item Office OpenXml (.docx, .pptx, .xlsx, etc.)
+@item Portable Document Fileformat (.pdf)
+@item Tape Archives (.tar, .tar.bz2, etc.)
+@item Moving Picture Experts Group (MPEG) (.mp3, .mp2, .mp1, etc.)
+@item Ogg Vorbis (.ogg, etc.)
+@item Free Lossless Audio Codec (.flac)
+@item Torrent (.torrent)
+@end itemize")
+ (home-page "https://mat.boum.org")
+ (license license:gpl2)))
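Review bot: The description advertises a GUI application and lists "Portable Document Fileformat (.pdf)", but the TODO comments at the top of this hunk say the inputs for PDF and GUI support are not added yet and that "mat --list" fails because of the hard-coded "/usr/local/share/mat" path. Either add those inputs and the path fix before merging, or trim the description to what this build actually provides. The commit log also says "(mat): New variable" under the subject "gnu: Add mat.", while the variable defined here is python2-mat; the two should agree. In the format list, "(.tif, tiff, etc.)" is missing the dot before the second extension.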
--
2.17.0

Nils Gillmann wrote on 29 Apr 2018 00:11
(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 31307@debbugs.gnu.org)
20180428221104.dd4aoulvdk4zxhvu@abyayala
Attachment: file
Chris Marusich wrote on 29 Apr 2018 05:09
(name . Nils Gillmann)(address . ng0@n0.is)(address . 31307@debbugs.gnu.org)
87muxmzp1b.fsf@gmail.com
Nils Gillmann <ng0@n0.is> writes:

>> In addition, I notice that the license is GPL 2, but it seems the author
>> did not specify whether "any later version" can be used. Therefore, I
>> have listed this as gpl2, instead of gpl2+.
>
> The tails people (iirc it is a tails project, who are hosted on boum.org infra)
> are generally okay with questions, I think you should ask about whether
> it's GPL2 or GPL2+.
>
> We could also ask them about the state of MAT, as once upon a time they used to
> include it in Tails. No idea if they still do.

I've sent an email to tails-dev@boum.org. I Cc'd you on it. I wasn't
sure if the people of the tails-dev@boum.org email list would appreciate
it if I arranged for their replies to automatically be recorded in our
bug tracker, so I opted not to Cc this bug report on the email.

We'll see what they say!

>> +;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
>> +;; TODO: Add inputs for GUI support (e.g., gi).
>> +;; TODO: Fix some hard-coded paths. For example, get_datafile_path embeds
>> +;; paths like "/usr/local/share/mat", which we should probably rewrite so that
>> +;; they point to mat's output directory in the store. This specific example
>> +;; causes "mat --list" to fail with an exception.
>
> I'm all for making it less hard for a package to get initially into Guix, but
> shouldn't at least hardcoded paths that make an often used function(?) be fixed
> first? On the other hand it is functional as you wrote.

I've fixed this in the latest patch version (see attached)!

While testing, I also discovered that the -b feature of the CLI tool
does not work because of what appears to be a simple bug in MAT. I
suppose I will report that upstream if they get back to me and they're
still maintaining it.

>> +(define-public python2-mat
>> + (package
>> + (name "python2-mat")
>
> Since people will expect this as "MAT" or "mat" and not "python2-mat", and to my
> knowledge there is no python3 variant, we should name it just mat.

On this topic, the precedent goes both ways, and I haven't seen any
guidance yet on the email lists or in the manual. For example, see
packages like awscli, python2-s3cmd, jupyter, and python-ansi2html.

I think that if a package provides only an application, it makes sense
to give it a name without the "python" or "python2" prefix. However, if
the package provides a library, or it provides a library in addition to
an application, then I think it's better to refer to it using the
"python" or "python2" prefix, as described in the section titled "Python
Modules" in the Guix manual. I also think this aligns with Guix's trend
towards (usually) keeping libraries in the default "out" output of a
package, rather than putting libraries in a separate "lib" output or a
separate "devel" package.

--
Chris
From c34de8c711b9a61b43a003ebf44423a2af6138a4 Mon Sep 17 00:00:00 2001
From: Chris Marusich <cmmarusich@gmail.com>
Date: Sat, 28 Apr 2018 14:03:47 -0700
Subject: [PATCH] gnu: Add python2-mat.

* gnu/packages/photo.scm (python2-mat): New variable.
---
gnu/packages/photo.scm | 64 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)

diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 2c0c2313f..79bb0f58b 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -26,6 +27,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system perl)
+ #:use-module (guix build-system python)
#:use-module (guix download)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
@@ -52,6 +54,7 @@
#:use-module (gnu packages llvm)
#:use-module (gnu packages man)
#:use-module (gnu packages maths)
+ #:use-module (gnu packages music)
#:use-module (gnu packages perl)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages popt)
@@ -521,3 +524,64 @@ workflow by facilitating the handling of large numbers of images. Most raw
formats are supported, including Pentax Pixel Shift, Canon Dual-Pixel, and those
from Foveon and X-Trans sensors.")
(license license:gpl3+)))
+
+;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
+;; TODO: Add inputs for GUI support (e.g., gi).
+;; TODO: Fix some hard-coded paths. For example, get_datafile_path embeds
+;; paths like "/usr/local/share/mat", which we should probably rewrite so that
+;; they point to mat's output directory in the store. This specific example
+;; causes "mat --list" to fail with an exception.
+(define-public python2-mat
+ (package
+ (name "python2-mat")
+ (version "0.6.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://mat.boum.org/files/mat-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1faiiq7cjspafjjf4kmm7bbn8m506qgcijbizpgdvlaaapdyg0h7"))))
+ (build-system python-build-system)
+ (arguments
+ `(#:python ,python-2
+ #:use-setuptools? #f
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'patch-source-shebangs 'patch-absolute-paths
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; MAT tries to find things in /usr/local/share and /usr/share.
+ ;; However, the things it's looking for are actually in the
+ ;; /share directory of its output, instead.
+ (substitute* "libmat/mat.py"
+ (("(\"|')/usr(/local)?/share" _ quote-mark)
+ (string-append
+ quote-mark (assoc-ref outputs "out") "/share"))))))))
+ (propagated-inputs
+ `(("python2-pycairo" ,python2-pycairo)
+ ("python2-mutagen" ,python2-mutagen)
+ ("perl-image-exiftool" ,perl-image-exiftool)))
+ (native-inputs
+ `(("python2-distutils-extra" ,python2-distutils-extra)
+ ("intltool" ,intltool)))
+ (synopsis "Anonymize/remove metadata from files")
+ (description
+ "MAT (Metadata Anonymisation Toolkit) is a toolbox composed of a GUI
+application, a CLI application and a library, to anonymize/remove metadata
+from files. It supports the following file formats:
+
+@itemize @bullet
+@item Portable Network Graphics (.png)
+@item Joint Photographic Experts Group (.jpg, .jpeg, etc.)
+@item Tagged Image File Format (.tif, tiff, etc.)
+@item Open Documents (.odt, .odx, .ods, etc.)
+@item Office OpenXml (.docx, .pptx, .xlsx, etc.)
+@item Portable Document Fileformat (.pdf)
+@item Tape Archives (.tar, .tar.bz2, etc.)
+@item Moving Picture Experts Group (MPEG) (.mp3, .mp2, .mp1, etc.)
+@item Ogg Vorbis (.ogg, etc.)
+@item Free Lossless Audio Codec (.flac)
+@item Torrent (.torrent)
+@end itemize")
+ (home-page "https://mat.boum.org")
+ (license license:gpl2)))
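Review bot: The third TODO above python2-mat still says the hard-coded "/usr/local/share/mat" paths should be rewritten, but the new patch-absolute-paths phase in this hunk does that rewrite, so the comment is stale and should be dropped. The phase lambda also ends with the substitute* form, so its return value is whatever substitute* returns; finish it with an explicit #t so the phase reports success. Only "libmat/mat.py" is patched here, so it is worth checking whether other .py files in the tarball embed /usr/share or /usr/local/share paths and would need the same substitution.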
--
2.17.0

Chris Marusich wrote on 29 Apr 2018 10:18
(name . Nils Gillmann)(address . ng0@n0.is)(address . 31307@debbugs.gnu.org)
877eoqzarf.fsf@gmail.com
Chris Marusich <cmmarusich@gmail.com> writes:

Here's a new patch that fixes a few more things (but not the -b bug).

I noticed that when MAT's tests ran, out of 33 tests total, there were 3
failures, and 8 errors. Curiously, this did not cause the build to
fail. The 3 failures have something to do with not being able to
process a .docx file. The 8 errors seem to occur because a variable
"current_file" in the test has an unexpected value (None). If we decide
to add this package, we should probably fix or disable the tests and
find out why the test failures did not cause the build to fail.

I attempted to get MAT's GUI component working, but I was unsuccessful.
To build the GUI component, it seems we would first need to add Python
bindings for libpoppler, such as python-poppler [1], and python-poppler
can't be built without some extra love and patches [2][3].

Footnotes:



--
Chris
From 3060d99c1d23287f2090720c669f974cf9b451a5 Mon Sep 17 00:00:00 2001
From: Chris Marusich <cmmarusich@gmail.com>
Date: Sat, 28 Apr 2018 14:03:47 -0700
Subject: [PATCH] gnu: Add python2-mat.

* gnu/packages/photo.scm (python2-mat): New variable.
---
gnu/packages/photo.scm | 71 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)

diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 2c0c2313f..18dce878e 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -26,6 +27,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system perl)
+ #:use-module (guix build-system python)
#:use-module (guix download)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
@@ -52,6 +54,7 @@
#:use-module (gnu packages llvm)
#:use-module (gnu packages man)
#:use-module (gnu packages maths)
+ #:use-module (gnu packages music)
#:use-module (gnu packages perl)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages popt)
@@ -521,3 +524,71 @@ workflow by facilitating the handling of large numbers of images. Most raw
formats are supported, including Pentax Pixel Shift, Canon Dual-Pixel, and those
from Foveon and X-Trans sensors.")
(license license:gpl3+)))
+
+;; TODO: Add inputs for PDF support (e.g., Poppler bindings, python-pdfrw).
+;; TODO: Add inputs for GUI support (e.g., gi - maybe gi is python-gobject?).
+(define-public python2-mat
+ (package
+ (name "python2-mat")
+ (version "0.6.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://mat.boum.org/files/mat-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1faiiq7cjspafjjf4kmm7bbn8m506qgcijbizpgdvlaaapdyg0h7"))))
+ (build-system python-build-system)
+ (arguments
+ `(#:python ,python-2
+ #:use-setuptools? #f
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'patch-source-shebangs 'fix-paths
+ (lambda* (#:key inputs outputs #:allow-other-keys)
+ (let ((share (string-append
+ (assoc-ref outputs "out") "/share"))
+ (exiftool (string-append
+ (assoc-ref inputs "perl-image-exiftool")
+ "/bin/exiftool"))
+ (shred (string-append
+ (assoc-ref inputs "coreutils") "/bin/shred")))
+ (substitute* (find-files "." "\\.py$")
+ ;; MAT tries to find things in /usr/local/share and
+ ;; /usr/share. However, the things it's looking for are
+ ;; actually in the /share directory of its output, instead.
+ (("'/usr(/local)?/share")
+ (string-append "'" share))
+ (("'exiftool'")
+ (string-append "'" exiftool "'"))
+ (("'g?shred'")
+ (string-append "'" shred "'")))
+ #t))))))
+ (propagated-inputs
+ `(("python2-pycairo" ,python2-pycairo)
+ ("python2-mutagen" ,python2-mutagen)
+ ("perl-image-exiftool" ,perl-image-exiftool)))
+ (native-inputs
+ `(("python2-distutils-extra" ,python2-distutils-extra)
+ ("intltool" ,intltool)))
+ (synopsis "Anonymize/remove metadata from files")
+ (description
+ "MAT (Metadata Anonymisation Toolkit) is a toolbox composed of a GUI
+application, a CLI application and a library, to anonymize/remove metadata
+from files. It supports the following file formats:
+
+@itemize @bullet
+@item Portable Network Graphics (.png)
+@item Joint Photographic Experts Group (.jpg, .jpeg, etc.)
+@item Tagged Image File Format (.tif, tiff, etc.)
+@item Open Documents (.odt, .odx, .ods, etc.)
+@item Office OpenXml (.docx, .pptx, .xlsx, etc.)
+@item Portable Document Fileformat (.pdf)
+@item Tape Archives (.tar, .tar.bz2, etc.)
+@item Moving Picture Experts Group (MPEG) (.mp3, .mp2, .mp1, etc.)
+@item Ogg Vorbis (.ogg, etc.)
+@item Free Lossless Audio Codec (.flac)
+@item Torrent (.torrent)
+@end itemize")
+ (home-page "https://mat.boum.org")
+ (license license:gpl2)))
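Review bot: In the fix-paths phase, shred is resolved with (assoc-ref inputs "coreutils"), but coreutils does not appear in the propagated-inputs or native-inputs declared in this hunk, so the lookup depends on an input the package never names. List coreutils explicitly under inputs so the embedded /bin/shred path is backed by a declared dependency. Since 'exiftool' is now replaced by its absolute path from the inputs, perl-image-exiftool no longer needs to be propagated into the user's profile and can move from propagated-inputs to inputs.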
--
2.17.0

Chris Marusich wrote on 2 May 2018 08:00
(name . Nils Gillmann)(address . ng0@n0.is)(address . 31307@debbugs.gnu.org)
87lgd21trg.fsf@gmail.com
Chris Marusich <cmmarusich@gmail.com> writes:

> We'll see what they say!

Upstream has confirmed that the license is GPLv2:

https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html

They also confirmed the following:

* MAT is not actively maintained and doesn't run under Python 3.

* MAT2 is under development.

* MAT has some known limitations, "like leaving metadata in file
embedded in PDF, like images."

That said, even upstream said that we should go with MAT, since there is
no known better alternative, and later we can switch to MAT2. I think
we should add it, without worrying about making the GUI work, and we
should add these warnings to the package description.

Thoughts?

--
Chris

Nils Gillmann wrote on 2 May 2018 08:12
(name . Chris Marusich)(address . cmmarusich@gmail.com)
20180502061224.ob4bjgbbme2jvrfc@abyayala
Chris Marusich transcribed 1.7K bytes:
> Chris Marusich <cmmarusich@gmail.com> writes:
>
> > We'll see what they say!
>
> Upstream has confirmed that the license is GPLv2:
>
> https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html
>
> They also confirmed the following:
>
> * MAT is not actively maintained and doesn't run under Python 3.
>
> * MAT2 is under development.
>
> * MAT has some known limitations, "like leaving metadata in file
> embedded in PDF, like images."
>
> That said, even upstream said that we should go with MAT, since there is
> no known better alternative, and later we can switch to MAT2. I think
> we should add it, without worrying about making the GUI work, and we
> should add these warnings to the package description.
>
> Thoughts?

Okay for me.

> --
> Chris
Ludovic Courtès wrote on 5 May 2018 22:33
(name . Chris Marusich)(address . cmmarusich@gmail.com)
877eohrgeu.fsf@gnu.org
Hello Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> Should we refrain from adding this package simply because the author is
> not maintaining it any more? I'm inclined to say "no", but one also has
> to consider whether it is a good idea to encourage people to use an
> unmaintained tool for protecting their privacy/anonymity. I'm not sure.

It’s risky, indeed. As time passes it’s likely to have more and more
known-but-unfixed security issues, which isn’t great. Leo, thoughts on
this situation?

> In addition, I notice that the license is GPL 2, but it seems the author
> did not specify whether "any later version" can be used. Therefore, I
> have listed this as gpl2, instead of gpl2+.

Note that unless authors explicitly removed the “or any later version”
phrase from license headers in source files, we write ‘gpl2+’;
specifically, Section 9 of GPLv2 reads:

If the Program does not specify a version number of this License, you
may choose any version ever published by the Free Software Foundation.

Thanks,
Ludo’.
Chris Marusich wrote on 5 May 2018 23:37
(name . Ludovic Courtès)(address . ludo@gnu.org)
87vac1eqch.fsf@gmail.com
ludo@gnu.org (Ludovic Courtès) writes:

>> In addition, I notice that the license is GPL 2, but it seems the author
>> did not specify whether "any later version" can be used. Therefore, I
>> have listed this as gpl2, instead of gpl2+.
>
> Note that unless authors explicitly removed the “or any later version”
> phrase from license headers in source files, we write ‘gpl2+’;
> specifically, Section 9 of GPLv2 reads:
>
> If the Program does not specify a version number of this License, you
> may choose any version ever published by the Free Software Foundation.

Upstream clarified in an email [1] that the license is GPLv2. Also,
they did explicitly remove the "or any later version" part in the
README.md file; I just missed that detail at first. However, there is
no license embedded in the source files themselves. In this case, is it
correct to add this package as GPLv2?

Footnotes:

--
Chris

Leo Famulari wrote on 6 May 2018 21:26
(name . Chris Marusich)(address . cmmarusich@gmail.com)
20180506192614.GA8038@jasmine.lan
On Sat, May 05, 2018 at 02:37:34PM -0700, Chris Marusich wrote:
> Upstream clarified in an email [1] that the license is GPLv2. Also,
> they did explicitly remove the "or any later version" part in the
> README.md file; I just missed that detail at first. However, there is
> no license embedded in the source files themselves. In this case, is it
> correct to add this package as GPLv2?

My understanding as a non-expert is that the "or later" is always at the
discretion of the author. So GPLv2 without "or later" is GPLv2, and
that's how we can distribute it.


Leo Famulari wrote on 6 May 2018 21:44
(name . Ludovic Courtès)(address . ludo@gnu.org)
20180506194444.GB8038@jasmine.lan
On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> Chris Marusich <cmmarusich@gmail.com> skribis:
> > Should we refrain from adding this package simply because the author is
> > not maintaining it any more? I'm inclined to say "no", but one also has
> > to consider whether it is a good idea to encourage people to use an
> > unmaintained tool for protecting their privacy/anonymity. I'm not sure.
>
> It’s risky, indeed. As time passes it’s likely to have more and more
> known-but-unfixed security issues, which isn’t great. Leo, thoughts on
> this situation?

I see two different issues here:

1) The project is unmaintained (last release 2016) and the underlying
platform (Python 2) will become unmaintained in January 2020.

I think these maintenance issues are not a blocker in this case. We
package lots of software that has been basically abandoned for longer
than MAT. Its source repo saw activity in March. On this subject, we
should think about building from HEAD since those new commits will
probably never be "released".

2) The software is not guaranteed to achieve its goals.

I think the idea of "anonymizing" a file is always going to be
manifested as a goal rather than a full solution. No matter the level of
upstream maintenance, anonymity can never be guaranteed.

So, I think it's okay to add the package with a big warning in the
description, maybe even saying something scary like "only recommended
for educational and research activity".


Ludovic Courtès wrote on 15 Jun 2018 09:06
(name . Leo Famulari)(address . leo@famulari.name)
8736xoy1dz.fsf@gnu.org
Hello,

Leo Famulari <leo@famulari.name> skribis:

> I see two different issues here:
>
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
>
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
>
> 2) The software is not guaranteed to achieve its goals.
>
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
>
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

Sounds reasonable to me.

Chris, what would you like to do with this package?

Ludo’.
Nils Gillmann wrote on 16 Jun 2018 15:42
(name . Leo Famulari)(address . leo@famulari.name)
20180616134249.qvmysgxpl2o54u2r@abyayala
Leo Famulari transcribed 2.5K bytes:
> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> > Chris Marusich <cmmarusich@gmail.com> skribis:
> > > Should we refrain from adding this package simply because the author is
> > > not maintaining it any more? I'm inclined to say "no", but one also has
> > > to consider whether it is a good idea to encourage people to use an
> > > unmaintained tool for protecting their privacy/anonymity. I'm not sure.
> >
> > It’s risky, indeed. As time passes it’s likely to have more and more
> > known-but-unfixed security issues, which isn’t great. Leo, thoughts on
> > this situation?
>
> I see two different issues here:
>
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
>
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
>
> 2) The software is not guaranteed to achieve its goals.
>
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
>
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

I agree (and hope we won't just drop python-2 in 2020 because that would
be unreasonable).
Chris Marusich wrote on 5 Jul 2018 10:29
(name . Ludovic Courtès)(address . ludo@gnu.org)
87va9u2ihv.fsf@gmail.com
ludo@gnu.org (Ludovic Courtès) writes:

> Hello,
>
> Leo Famulari <leo@famulari.name> skribis:
>
>> I see two different issues here:
>>
>> 1) The project is unmaintained (last release 2016) and the underlying
>> platform (Python 2) will become unmaintained in January 2020.
>>
>> I think these maintenance issues are not a blocker in this case. We
>> package lots of software that has been basically abandoned for longer
>> than MAT. Its source repo saw activity in March. On this subject, we
>> should think about building from HEAD since those new commits will
>> probably never be "released".
>>
>> 2) The software is not guaranteed to achieve its goals.
>>
>> I think the idea of "anonymizing" a file is always going to be
>> manifested as a goal rather than a full solution. No matter the level of
>> upstream maintenance, anonymity can never be guaranteed.
>>
>> So, I think it's okay to add the package with a big warning in the
>> description, maybe even saying something scary like "only recommended
>> for educational and research activity".
>
> Sounds reasonable to me.
>
> Chris, what would you like to do with this package?

If we can resolve the issue with the tests and add a warning to the
package description, I'd be OK with adding it. However, the tests
currently error out or fail, even though the package builds
successfully. That's concerning, and I don't feel comfortable adding
the package, even with a warning, until it's been addressed.

I don't have a lot of time to work on this right now. I will eventually
get around to it, but if somebody wants MAT sooner, please feel free to
take over and do it before I get around to it.

--
Chris

Sarah Morgensen wrote on 13 Sep 2021 04:26
(name . Chris Marusich)(address . cmmarusich@gmail.com)
86k0jljjm5.fsf@mgsn.dev
Hi all,

Nils Gillmann <ng0@n0.is> writes:

> Leo Famulari transcribed 2.5K bytes:
>> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
>> > Chris Marusich <cmmarusich@gmail.com> skribis:
>> > > Should we refrain from adding this package simply because the author is
>> > > not maintaining it any more? I'm inclined to say "no", but one also has
>> > > to consider whether it is a good idea to encourage people to use an
>> > > unmaintained tool for protecting their privacy/anonymity. I'm not sure.
>> >
>> > It’s risky, indeed. As time passes it’s likely to have more and more
>> > known-but-unfixed security issues, which isn’t great. Leo, thoughts on
>> > this situation?
>>
>> I see two different issues here:
>>
>> 1) The project is unmaintained (last release 2016) and the underlying
>> platform (Python 2) will become unmaintained in January 2020.
>>
>> I think these maintenance issues are not a blocker in this case. We
>> package lots of software that has been basically abandoned for longer
>> than MAT. Its source repo saw activity in March. On this subject, we
>> should think about building from HEAD since those new commits will
>> probably never be "released".
>>
>> 2) The software is not guaranteed to achieve its goals.
>>
>> I think the idea of "anonymizing" a file is always going to be
>> manifested as a goal rather than a full solution. No matter the level of
>> upstream maintenance, anonymity can never be guaranteed.
>>
>> So, I think it's okay to add the package with a big warning in the
>> description, maybe even saying something scary like "only recommended
>> for educational and research activity".
>
> I agree (and hope we won't just drop python-2 in 2020 because that would
> be unreasonable).

If someone wants to give this a try again, MAT 2 seems to be under
active development, and is based on python 3:


It looks slick, and is GPL3+.

--
Sarah
Denis 'GNUtoo' Carikli wrote on 8 Nov 2021 02:34
Re: [bug#31307][PATCH] Add MAT, the Metadata Anonymisation Toolkit
(address . 31307@debbugs.gnu.org)
20211108023416.6b7609f9@primary_laptop
Hi,

I found this while browsing debbugs.gnu.org, and I've started working on
adding MAT2.

I've got it working, so I'm attaching my work as-is to avoid
duplication of work. Tests probably need to be disabled for it to work.

I didn't submit it yet because not only the package needs some cleanups
(that could have been fixed), but more importantly I also wanted to make
tests work as I was afraid that getting this package wrong could have
bad consequences for people if for some reasons it didn't cleanup the
metadata due to packaging issues.

Denis.
Attachment: mat2.scm
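
The thread raises the same concern twice: Chris verified a cleaned JPEG with exiftool, and Denis worries that a packaging mistake could leave metadata in place. The following is an added example, not part of the thread, MAT or the Guix package: a structural check that walks a JPEG's segments and reports those that can still carry metadata. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS, EOI, COM = 0xDA, 0xD9, 0xFE
APP_SIGNATURES = [  # payload prefix -> what the segment usually holds
    (b"Exif\x00\x00", "Exif"),
    (b"http://ns.adobe.com/xap/1.0/\x00", "XMP"),
    (b"Photoshop 3.0\x00", "Photoshop/IPTC"),
    (b"ICC_PROFILE\x00", "ICC profile"),
]
TRAILER = b"GPS=constructed"  # constructed bytes appended after EOI


def describe(marker, payload):
    """Label a segment that can carry metadata; None for structural ones."""
    if marker == COM:
        return "COM comment"
    if marker == 0xE0:  # APP0: a plain JFIF header is structural
        return "APP0 JFXX thumbnail" if payload.startswith(b"JFXX\x00") else None
    if 0xE1 <= marker <= 0xEF:
        kind = next((name for sig, name in APP_SIGNATURES
                     if payload.startswith(sig)), "application data")
        return f"APP{marker - 0xE0} {kind}"
    return None


def skip_scan(data, pos):
    """Return the offset of the first real marker after entropy-coded data."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        # 0xFF00 is a stuffed data byte; 0xFFD0-0xFFD7 are restart markers.
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    raise ValueError("truncated JPEG: scan data runs to end of file")


def residual_metadata(data):
    """List (offset, label) for every metadata-capable part of a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings, pos, size = [], 2, len(data)
    while pos < size:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < size and data[pos] == 0xFF:  # fill bytes are legal
            pos += 1
        if pos >= size:
            break
        marker, start = data[pos], pos - 1
        pos += 1
        if marker == EOI:
            if pos < size:  # viewers ignore bytes appended after EOI
                findings.append((pos, f"{size - pos} trailing bytes after EOI"))
            return findings
        if marker in STANDALONE:
            continue
        if pos + 2 > size:
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > size:
            raise ValueError(f"bad segment length at offset {start}")
        label = describe(marker, data[pos + 2:pos + length])
        if label:
            findings.append((start, label))
        pos += length
        if marker == SOS:
            pos = skip_scan(data, pos)
    raise ValueError("truncated JPEG: no EOI marker")


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(with_metadata):
    """Constructed marker stream (structurally valid, not a decodable image)."""
    parts = [b"\xff\xd8",
             _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")]
    if with_metadata:
        parts.append(_segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00"))
        parts.append(_segment(COM, b"constructed comment"))
    parts += [_segment(0xDB, bytes(65)), _segment(SOS, bytes(10)),
              b"\x12\xff\x00\x34\xff\xd0\x56", b"\xff\xd9"]
    if with_metadata:
        parts.append(TRAILER)
    return b"".join(parts)


if __name__ == "__main__":
    for name, flag in (("before cleaning", True), ("after cleaning", False)):
        found = residual_metadata(build_sample(flag))
        print(name, "->", found or "no metadata-capable segments")
```

ICC profiles (APP2) and Adobe APP14 segments affect colour rendering, so some cleaners keep them on purpose; the check flags them so that a person decides.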