[PATCH] Add MAT, the Metadata Anonymisation Toolkit from Boum

Open

Details

6 participants

Denis 'GNUtoo' Carikli
Chris Marusich
Sarah Morgensen
Leo Famulari
Ludovic Courtès
Nils Gillmann

Owner: unassigned

Submitted by: Chris Marusich

Severity: normal

Chris Marusich wrote on 28 Apr 2018 23:38

Recipients:(address . guix-patches@gnu.org)

Message-ID:87wowrj9kq.fsf@gmail.com

Hi Guix,

This patch adds MAT, the Metadata Anonymisation Toolkit from Boum. I've

successfully used its CLI tool to purge metadata from JPEG image files;

I verified using exiftool that it works for this purpose. However, not

all of its features work (see the TODO for details), and more

importantly, the website says people shouldn't use it. For these

reasons, I'm not sure if we should add it, so I'd like to ask for your

opinion.

The author state on their website:

https://mat.boum.org/

Current status

The MAT maintenance and development is currently on hold, mostly for

health reasons. I might go back to it at some point in the future.

The current version might have bugs, and doesn't work on Python3: Please

avoid using it.

However, packages exist for some distributions. For example, here's a

MAT package for Debian:

https://packages.qa.debian.org/m/mat.html

And like I said, the CLI tool does seem to work.

Should we refrain from adding this package simply because the author is

not maintaining it any more? I'm inclined to say "no", but one also has

to consider whether it is a a good idea to encourage people to use an

unmaintained tool for protecting their privacy/anonymity. I'm not sure.

In addition, I notice that the license is GPL 2, but it seems the author

did not specify whether "any later version" can be used. Therefore, I

have listed this as gpl2, instead of gpl2+.

What do you think?

Chris

From c30a26364fdf919deb9bc6bd907b75de58a17a7b Mon Sep 17 00:00:00 2001

* gnu/packages/photo.scm (mat): New variable.

---

gnu/packages/photo.scm | 52 ++++++++++++++++++++++++++++++++++++++++++

1 file changed, 52 insertions(+)

Toggle diff (76 lines)diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 2c0c2313f..a6380cc63 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -26,6 +26,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
+  #:use-module (guix build-system python)
   #:use-module (guix download)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -52,6 +53,7 @@
   #:use-module (gnu packages llvm)
   #:use-module (gnu packages man)
   #:use-module (gnu packages maths)
+  #:use-module (gnu packages music)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages popt)
@@ -521,3 +523,53 @@ workflow by facilitating the handling of large numbers of images.  Most raw
 formats are supported, including Pentax Pixel Shift, Canon Dual-Pixel, and those
 from Foveon and X-Trans sensors.")
     (license license:gpl3+)))
+
+;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
+;; TODO: Add inputs for GUI support (e.g., gi).
+;; TODO: Fix some hard-coded paths.  For example, get_datafile_path embeds
+;; paths like "/usr/local/share/mat", which we should probably rewrite so that
+;; they point to mat's output directory in the store.  This specific example
+;; causes "mat --list" to fail with an exception.
+(define-public python2-mat
+  (package
+    (name "python2-mat")
+    (version "0.6.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://mat.boum.org/files/mat-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1faiiq7cjspafjjf4kmm7bbn8m506qgcijbizpgdvlaaapdyg0h7"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2
+       #:use-setuptools? #f))
+    (propagated-inputs
+     `(("python2-pycairo" ,python2-pycairo)
+       ("python2-mutagen" ,python2-mutagen)
+       ("perl-image-exiftool" ,perl-image-exiftool)))
+    (native-inputs
+     `(("python2-distutils-extra" ,python2-distutils-extra)
+       ("intltool" ,intltool)))
+    (synopsis "Anonymize/remove metadata from files")
+    (description
+     "MAT (Metadata Anonymisation Toolkit) is a toolbox composed of a GUI
+application, a CLI application and a library, to anonymize/remove metadata
+from files.  It supports the following file formats:
+
+@itemize @bullet
+@item Portable Network Graphics (.png)
+@item Joint Photographic Experts Group (.jpg, .jpeg, etc.)
+@item Tagged Image File Format (.tif, tiff, etc.)
+@item Open Documents (.odt, .odx, .ods, etc.)
+@item Office OpenXml (.docx, .pptx, .xlsx, etc.)
+@item Portable Document Fileformat (.pdf)
+@item Tape Archives (.tar, .tar.bz2, etc.)
+@item Moving Picture Experts Group (MPEG) (.mp3, .mp2, .mp1, etc.)
+@item Ogg Vorbis (.ogg, etc.)
+@item Free Lossless Audio Codec (.flac)
+@item Torrent (.torrent)
+@end itemize")
+    (home-page "https://mat.boum.org")
+    (license license:gpl2)))
-- 
2.17.0

Nils Gillmann wrote on 29 Apr 2018 00:11

Recipients:(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 31307@debbugs.gnu.org)

Message-ID:20180428221104.dd4aoulvdk4zxhvu@abyayala

Attachment: file

Chris Marusich wrote on 29 Apr 2018 05:09

Recipients:(name . Nils Gillmann)(address . ng0@n0.is)(address . 31307@debbugs.gnu.org)

Message-ID:87muxmzp1b.fsf@gmail.com

Nils Gillmann <ng0@n0.is> writes:

Toggle quote (11 lines)>> In addition, I notice that the license is GPL 2, but it seems the author
>> did not specify whether "any later version" can be used.  Therefore, I
>> have listed this as gpl2, instead of gpl2+.
>
> The tails people (iirc it is a tails project, who are hosted on boum.org infra)
> are generally okay with questions, I think you should ask about wether
> it's GPL2 or GPL2+.
>
> We could also ask them about the state of MAT, as once upon a time they used to
> include it in Tails. No idea if they stil do.

I've sent an email to tails-dev@boum.org. I Cc'd you on it. I wasn't

sure if the people of the tails-dev@boum.org email list would appreciate

it if I arranged for their replies to automatically be recorded in our

bug tracker, so I opted not to Cc this bug report on the email.

We'll see what they say!

Toggle quote (11 lines)>> +;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
>> +;; TODO: Add inputs for GUI support (e.g., gi).
>> +;; TODO: Fix some hard-coded paths.  For example, get_datafile_path embeds
>> +;; paths like "/usr/local/share/mat", which we should probably rewrite so that
>> +;; they point to mat's output directory in the store.  This specific example
>> +;; causes "mat --list" to fail with an exception.
>
> I'm all for making it less hard for a package to get initially into Guix, but
> shouldn't at least hardcoded paths that make an often used function(?) be fixed
> first? On the other hand it is functional as you wrote.

I've fixed this in the latest patch version (see attached)!

While testing, I also discovered that the -b feature of the CLI tool

does not work because of what appears to be a simple bug in MAT. I

suppose I will report that upstream if they get back to me and they're

still maintaining it.

Toggle quote (7 lines)

>> +(define-public python2-mat

>> + (package

>> + (name "python2-mat")

> Since people will expect this as "MAT" or "mat" and not "python2-mat", and to my

> knowledge there is no python3 variant, we should name it just mat.

On this topic, the precedent goes both ways, and I haven't seen any
guidance yet on the email lists or in the manual.  For example, see
packages like awscli, python2-s3cmd, jupyter, and python-ansi2html.

I think that if a package provides only an application, it makes sense
to give it a name without the "python" or "python2" prefix.  However, if
the package provides a library, or it provides a library in addition to
an application, then I think it's better to refer to it using the
"python" or "python2" prefix, as described in the section titled "Python
Modules" in the Guix manual.  I also think this aligns with Guix's trend
towards (usually) keeping libraries in the default "out" output of a
package, rather than putting libraries in a separate "lib" output or a
separate "devel" package.

-- 
Chris

From c34de8c711b9a61b43a003ebf44423a2af6138a4 Mon Sep 17 00:00:00 2001

* gnu/packages/photo.scm (python2-mat): New variable.

---

gnu/packages/photo.scm | 64 ++++++++++++++++++++++++++++++++++++++++++

1 file changed, 64 insertions(+)

Toggle diff (95 lines)diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 2c0c2313f..79bb0f58b 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
+  #:use-module (guix build-system python)
   #:use-module (guix download)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -52,6 +54,7 @@
   #:use-module (gnu packages llvm)
   #:use-module (gnu packages man)
   #:use-module (gnu packages maths)
+  #:use-module (gnu packages music)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages popt)
@@ -521,3 +524,64 @@ workflow by facilitating the handling of large numbers of images.  Most raw
 formats are supported, including Pentax Pixel Shift, Canon Dual-Pixel, and those
 from Foveon and X-Trans sensors.")
     (license license:gpl3+)))
+
+;; TODO: Add inputs for PDF support (e.g., Poppler, python-pdfrw).
+;; TODO: Add inputs for GUI support (e.g., gi).
+;; TODO: Fix some hard-coded paths.  For example, get_datafile_path embeds
+;; paths like "/usr/local/share/mat", which we should probably rewrite so that
+;; they point to mat's output directory in the store.  This specific example
+;; causes "mat --list" to fail with an exception.
+(define-public python2-mat
+  (package
+    (name "python2-mat")
+    (version "0.6.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://mat.boum.org/files/mat-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1faiiq7cjspafjjf4kmm7bbn8m506qgcijbizpgdvlaaapdyg0h7"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2
+       #:use-setuptools? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'patch-source-shebangs 'patch-absolute-paths
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; MAT tries to find things in /usr/local/share and /usr/share.
+             ;; However, the things it's looking for are actually in the
+             ;; /share directory of its output, instead.
+             (substitute* "libmat/mat.py"
+               (("(\"|')/usr(/local)?/share" _ quote-mark)
+                (string-append
+                 quote-mark (assoc-ref outputs "out") "/share"))))))))
+    (propagated-inputs
+     `(("python2-pycairo" ,python2-pycairo)
+       ("python2-mutagen" ,python2-mutagen)
+       ("perl-image-exiftool" ,perl-image-exiftool)))
+    (native-inputs
+     `(("python2-distutils-extra" ,python2-distutils-extra)
+       ("intltool" ,intltool)))
+    (synopsis "Anonymize/remove metadata from files")
+    (description
+     "MAT (Metadata Anonymisation Toolkit) is a toolbox composed of a GUI
+application, a CLI application and a library, to anonymize/remove metadata
+from files.  It supports the following file formats:
+
+@itemize @bullet
+@item Portable Network Graphics (.png)
+@item Joint Photographic Experts Group (.jpg, .jpeg, etc.)
+@item Tagged Image File Format (.tif, tiff, etc.)
+@item Open Documents (.odt, .odx, .ods, etc.)
+@item Office OpenXml (.docx, .pptx, .xlsx, etc.)
+@item Portable Document Fileformat (.pdf)
+@item Tape Archives (.tar, .tar.bz2, etc.)
+@item Moving Picture Experts Group (MPEG) (.mp3, .mp2, .mp1, etc.)
+@item Ogg Vorbis (.ogg, etc.)
+@item Free Lossless Audio Codec (.flac)
+@item Torrent (.torrent)
+@end itemize")
+    (home-page "https://mat.boum.org")
+    (license license:gpl2)))
-- 
2.17.0

Chris Marusich wrote on 29 Apr 2018 10:18

Recipients:(name . Nils Gillmann)(address . ng0@n0.is)(address . 31307@debbugs.gnu.org)

Message-ID:877eoqzarf.fsf@gmail.com

Chris Marusich <cmmarusich@gmail.com> writes:

Here's a new patch that fixes a few more things (but not the -b bug).

I noticed that when MAT's tests ran, out of 33 tests total, there were 3

failures, and 8 errors. Curiously, this did not cause the build to

fail. The 3 failures have something to do with not being able to

process a .docx file. The 8 errors seem to occur because a variable

"current_file" in the test has an unexpected value (None). If we decide

to add this package, we should probably fix or disable the tests and

find out why the test failures did not cause the build to fail.

I attempted to get MAT's GUI component working, but I was unsuccessful.

To build the GUI component, it seems we would first need to add Python

bindings for libpoppler, such as python-poppler [1], and python-poppler

can't be built without some extra love and patches [2][3].

Footnotes:

[1] https://launchpad.net/poppler-python

[2] https://bugs.launchpad.net/poppler-python/+bug/1528489

[3] https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-python/python-poppler

Chris

From 3060d99c1d23287f2090720c669f974cf9b451a5 Mon Sep 17 00:00:00 2001

* gnu/packages/photo.scm (python2-mat): New variable.

---

gnu/packages/photo.scm | 71 ++++++++++++++++++++++++++++++++++++++++++

1 file changed, 71 insertions(+)

Toggle diff (102 lines)diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 2c0c2313f..18dce878e 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
+  #:use-module (guix build-system python)
   #:use-module (guix download)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -52,6 +54,7 @@
   #:use-module (gnu packages llvm)
   #:use-module (gnu packages man)
   #:use-module (gnu packages maths)
+  #:use-module (gnu packages music)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages popt)
@@ -521,3 +524,71 @@ workflow by facilitating the handling of large numbers of images.  Most raw
 formats are supported, including Pentax Pixel Shift, Canon Dual-Pixel, and those
 from Foveon and X-Trans sensors.")
     (license license:gpl3+)))
+
+;; TODO: Add inputs for PDF support (e.g., Poppler bindings, python-pdfrw).
+;; TODO: Add inputs for GUI support (e.g., gi - maybe gi is python-gobject?).
+(define-public python2-mat
+  (package
+    (name "python2-mat")
+    (version "0.6.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://mat.boum.org/files/mat-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1faiiq7cjspafjjf4kmm7bbn8m506qgcijbizpgdvlaaapdyg0h7"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2
+       #:use-setuptools? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'patch-source-shebangs 'fix-paths
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((share (string-append
+                           (assoc-ref outputs "out") "/share"))
+                   (exiftool (string-append
+                              (assoc-ref inputs "perl-image-exiftool")
+                              "/bin/exiftool"))
+                   (shred (string-append
+                           (assoc-ref inputs "coreutils") "/bin/shred")))
+               (substitute* (find-files "." "\\.py$")
+                 ;; MAT tries to find things in /usr/local/share and
+                 ;; /usr/share.  However, the things it's looking for are
+                 ;; actually in the /share directory of its output, instead.
+                 (("'/usr(/local)?/share")
+                  (string-append "'" share))
+                 (("'exiftool'")
+                  (string-append "'" exiftool "'"))
+                 (("'g?shred'")
+                  (string-append "'" shred "'")))
+               #t))))))
+    (propagated-inputs
+     `(("python2-pycairo" ,python2-pycairo)
+       ("python2-mutagen" ,python2-mutagen)
+       ("perl-image-exiftool" ,perl-image-exiftool)))
+    (native-inputs
+     `(("python2-distutils-extra" ,python2-distutils-extra)
+       ("intltool" ,intltool)))
+    (synopsis "Anonymize/remove metadata from files")
+    (description
+     "MAT (Metadata Anonymisation Toolkit) is a toolbox composed of a GUI
+application, a CLI application and a library, to anonymize/remove metadata
+from files.  It supports the following file formats:
+
+@itemize @bullet
+@item Portable Network Graphics (.png)
+@item Joint Photographic Experts Group (.jpg, .jpeg, etc.)
+@item Tagged Image File Format (.tif, tiff, etc.)
+@item Open Documents (.odt, .odx, .ods, etc.)
+@item Office OpenXml (.docx, .pptx, .xlsx, etc.)
+@item Portable Document Fileformat (.pdf)
+@item Tape Archives (.tar, .tar.bz2, etc.)
+@item Moving Picture Experts Group (MPEG) (.mp3, .mp2, .mp1, etc.)
+@item Ogg Vorbis (.ogg, etc.)
+@item Free Lossless Audio Codec (.flac)
+@item Torrent (.torrent)
+@end itemize")
+    (home-page "https://mat.boum.org")
+    (license license:gpl2)))
-- 
2.17.0

Chris Marusich wrote on 2 May 2018 08:00

Recipients:(name . Nils Gillmann)(address . ng0@n0.is)(address . 31307@debbugs.gnu.org)

Message-ID:87lgd21trg.fsf@gmail.com

Chris Marusich <cmmarusich@gmail.com> writes:

Toggle quote (2 lines)

> We'll see what they say!

Upstream has confirmed that the license is GPLv2:

https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html

They also confirmed the following:

* MAT is not actively maintained and doesn't run under Python 3.

* MAT2 is under development.

* MAT has some known limitations, "like leaving metadata in file

embedded in PDF, like images."

That said, even upstream said that we should go with MAT, since there is

no known better alternative, and later we can switch to MAT2. I think

we should add it, without worrying about making the GUI work, and we

should add these warnings to the package description.

Thoughts?

Chris

Nils Gillmann wrote on 2 May 2018 08:12

Recipients:(name . Chris Marusich)(address . cmmarusich@gmail.com)

Message-ID:20180502061224.ob4bjgbbme2jvrfc@abyayala

Chris Marusich transcribed 1.7K bytes:

Toggle quote (24 lines)> Chris Marusich <cmmarusich@gmail.com> writes:
> 
> > We'll see what they say!
> 
> Upstream has confirmed that the license is GPLv2:
> 
> https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html
> 
> They also confirmed the following:
> 
> * MAT is not actively maintained and doesn't run under Python 3.
> 
> * MAT2 is under development.
> 
> * MAT has some known limitations, "like leaving metadata in file
> embedded in PDF, like images."
> 
> That said, even upstream said that we should go with MAT, since there is
> no known better alternative, and later we can switch to MAT2.  I think
> we should add it, without worrying about making the GUI work, and we
> should add these warnings to the package description.
> 
> Thoughts?

Okay for me.

Toggle quote (2 lines)

> --

> Chris

Ludovic Courtès wrote on 5 May 2018 22:33

Recipients:(name . Chris Marusich)(address . cmmarusich@gmail.com)

Message-ID:877eohrgeu.fsf@gnu.org

Hello Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

Toggle quote (5 lines)

> Should we refrain from adding this package simply because the author is

> not maintaining it any more? I'm inclined to say "no", but one also has

> to consider whether it is a a good idea to encourage people to use an

> unmaintained tool for protecting their privacy/anonymity. I'm not sure.

It’s risky, indeed. As time passes it’s likely to have more and more

known-but-unfixed security issues, which isn’t great. Leo, thoughts on

this situation?

Toggle quote (4 lines)

> In addition, I notice that the license is GPL 2, but it seems the author

> did not specify whether "any later version" can be used. Therefore, I

> have listed this as gpl2, instead of gpl2+.

Note that unless authors explicitly removed the “or any later version”

phrase from license headers in source files, we write ‘gpl2+’;

specifically, Section 9 of GPLv2 reads:

If the Program does not specify a version number of this License, you

may choose any version ever published by the Free Software Foundation.

Thanks,

Ludo’.

Chris Marusich wrote on 5 May 2018 23:37

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:87vac1eqch.fsf@gmail.com

ludo@gnu.org (Ludovic Courtès) writes:

Toggle quote (11 lines)>> In addition, I notice that the license is GPL 2, but it seems the author
>> did not specify whether "any later version" can be used.  Therefore, I
>> have listed this as gpl2, instead of gpl2+.
>
> Note that unless authors explicitly removed the “or any later version”
> phrase from license headers in source files, we write ‘gpl2+’;
> specifically, Section 9 of GPLv2 reads:
>
>   If the Program does not specify a version number of this License, you
>   may choose any version ever published by the Free Software Foundation.

Upstream clarified in an email [1] that the license is GPLv2.  Also,
they did explicitly remove the "or any later version" part in the
README.md file; I just missed that detail at first.  However, there is
no license embedded in the source files themselves.  In this case, is is
correct to add this package as GPLv2?

Footnotes: 
[1]  https://mailman.boum.org/pipermail/mat-dev/2018-April/000158.html

-- 
Chris

Leo Famulari wrote on 6 May 2018 21:26

Recipients:(name . Chris Marusich)(address . cmmarusich@gmail.com)

Message-ID:20180506192614.GA8038@jasmine.lan

On Sat, May 05, 2018 at 02:37:34PM -0700, Chris Marusich wrote:

Toggle quote (6 lines)

> Upstream clarified in an email [1] that the license is GPLv2. Also,

> they did explicitly remove the "or any later version" part in the

> README.md file; I just missed that detail at first. However, there is

> no license embedded in the source files themselves. In this case, is is

> correct to add this package as GPLv2?

My understanding as a non-expert is that the "or later" is always at the
discretion of the author. So GPLv2 without "or later" is GPLv2, and
that's how we can distribute it.

Leo Famulari wrote on 6 May 2018 21:44

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:20180506194444.GB8038@jasmine.lan

On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:

Toggle quote (10 lines)> Chris Marusich <cmmarusich@gmail.com> skribis:
> > Should we refrain from adding this package simply because the author is
> > not maintaining it any more?  I'm inclined to say "no", but one also has
> > to consider whether it is a a good idea to encourage people to use an
> > unmaintained tool for protecting their privacy/anonymity.  I'm not sure.
> 
> It’s risky, indeed.  As time passes it’s likely to have more and more
> known-but-unfixed security issues, which isn’t great.  Leo, thoughts on
> this situation?

I see two different issues here:

1) The project is unmaintained (last release 2016) and the underlying

platform (Python 2) will become unmaintained in January 2020.

I think these maintenance issues are not a blocker in this case. We

package lots of software that has been basically abandoned for longer

than MAT. Its source repo saw activity in March. On this subject, we

should think about building from HEAD since those new commits will

probably never be "released".

2) The software is not guaranteed to achieve its goals.

I think the idea of "anonymizing" a file is always going to be

manifested as a goal rather than a full solution. No matter the level of

upstream maintenance, anonymity can never be guaranteed.

So, I think it's okay to add the package with a big warning in the

description, maybe even saying something scary like "only recommended

for educational and research activity".

Ludovic Courtès wrote on 15 Jun 2018 09:06

Recipients:(name . Leo Famulari)(address . leo@famulari.name)

Message-ID:8736xoy1dz.fsf@gnu.org

Hello,

Leo Famulari <leo@famulari.name> skribis:

Toggle quote (21 lines)> I see two different issues here:
>
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
>
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
>
> 2) The software is not guaranteed to achieve its goals.
>
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
>
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

Sounds reasonable to me.

Chris, what would you like to do with this package?

Ludo’.

Nils Gillmann wrote on 16 Jun 2018 15:42

Recipients:(name . Leo Famulari)(address . leo@famulari.name)

Message-ID:20180616134249.qvmysgxpl2o54u2r@abyayala

Leo Famulari transcribed 2.5K bytes:

Toggle quote (32 lines)> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> > Chris Marusich <cmmarusich@gmail.com> skribis:
> > > Should we refrain from adding this package simply because the author is
> > > not maintaining it any more?  I'm inclined to say "no", but one also has
> > > to consider whether it is a a good idea to encourage people to use an
> > > unmaintained tool for protecting their privacy/anonymity.  I'm not sure.
> > 
> > It’s risky, indeed.  As time passes it’s likely to have more and more
> > known-but-unfixed security issues, which isn’t great.  Leo, thoughts on
> > this situation?
> 
> I see two different issues here:
> 
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
> 
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
> 
> 2) The software is not guaranteed to achieve its goals.
> 
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
> 
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

I agree (and hope we won't just drop python-2 in 2020 because that would

be unreasonable).

Chris Marusich wrote on 5 Jul 2018 10:29

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:87va9u2ihv.fsf@gmail.com

ludo@gnu.org (Ludovic Courtès) writes:

Toggle quote (29 lines)> Hello,
>
> Leo Famulari <leo@famulari.name> skribis:
>
>> I see two different issues here:
>>
>> 1) The project is unmaintained (last release 2016) and the underlying
>> platform (Python 2) will become unmaintained in January 2020.
>>
>> I think these maintenance issues are not a blocker in this case. We
>> package lots of software that has been basically abandoned for longer
>> than MAT. Its source repo saw activity in March. On this subject, we
>> should think about building from HEAD since those new commits will
>> probably never be "released".
>>
>> 2) The software is not guaranteed to achieve its goals.
>>
>> I think the idea of "anonymizing" a file is always going to be
>> manifested as a goal rather than a full solution. No matter the level of
>> upstream maintenance, anonymity can never be guaranteed.
>>
>> So, I think it's okay to add the package with a big warning in the
>> description, maybe even saying something scary like "only recommended
>> for educational and research activity".
>
> Sounds reasonable to me.
>
> Chris, what would you like to do with this package?

If we can resolve the issue with the tests and add a warning to the
package description, I'd be OK with adding it.  However, the tests
currently error out or fail, even though the package builds
successfully.  That's concerning, and I don't feel comfortable adding
the package, even with a warning, until it's been addressed.

I don't have a lot of time to work on this right now.  I will eventually
get around to it, but if somebody wants MAT sooner, please feel free to
take over and do it before I get around to it.

-- 
Chris

Sarah Morgensen wrote on 13 Sep 2021 04:26

Recipients:(name . Chris Marusich)(address . cmmarusich@gmail.com)

Message-ID:86k0jljjm5.fsf@mgsn.dev

Hi all,

Nils Gillmann <ng0@n0.is> writes:

Toggle quote (36 lines)> Leo Famulari transcribed 2.5K bytes:
>> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
>> > Chris Marusich <cmmarusich@gmail.com> skribis:
>> > > Should we refrain from adding this package simply because the author is
>> > > not maintaining it any more?  I'm inclined to say "no", but one also has
>> > > to consider whether it is a a good idea to encourage people to use an
>> > > unmaintained tool for protecting their privacy/anonymity.  I'm not sure.
>> > 
>> > It’s risky, indeed.  As time passes it’s likely to have more and more
>> > known-but-unfixed security issues, which isn’t great.  Leo, thoughts on
>> > this situation?
>> 
>> I see two different issues here:
>> 
>> 1) The project is unmaintained (last release 2016) and the underlying
>> platform (Python 2) will become unmaintained in January 2020.
>> 
>> I think these maintenance issues are not a blocker in this case. We
>> package lots of software that has been basically abandoned for longer
>> than MAT. Its source repo saw activity in March. On this subject, we
>> should think about building from HEAD since those new commits will
>> probably never be "released".
>> 
>> 2) The software is not guaranteed to achieve its goals.
>> 
>> I think the idea of "anonymizing" a file is always going to be
>> manifested as a goal rather than a full solution. No matter the level of
>> upstream maintenance, anonymity can never be guaranteed.
>> 
>> So, I think it's okay to add the package with a big warning in the
>> description, maybe even saying something scary like "only recommended
>> for educational and research activity".
>
> I agree (and hope we won't just drop python-2 in 2020 because that would
> be unreasonable).

If someone wants to give this a try again, MAT 2 seems to be under

active development, and is based on python 3:

https://0xacab.org/jvoisin/mat2

It looks slick, and is GPL3+.

Sarah

Denis 'GNUtoo' Carikli wrote on 8 Nov 2021 02:34

Re: [bug#31307][PATCH] Add MAT, the Metadata Anonymisation Toolkit

Recipients:(address . 31307@debbugs.gnu.org)

Message-ID:20211108023416.6b7609f9@primary_laptop

Hi,

I found while browsing debbugs.gnu.org, and I've started working on

adding MAT2.

I've got it working, so I'm attaching my work as-is to avoid

duplication of work. Tests probably need to be disabled for it to work.

I didn't submit it yet because not only the package needs some cleanups

(that could have been fixed), but more importantly I also wanted to make

tests work as I was afraid that getting this package wrong could have

bad consequences for people if for some reasons it didn't cleanup the

metadata due to packaging issues.

Denis.

Attachment: mat2.scm

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 31307@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 31307

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date