Leo Famulari transcribed 2.5K bytes:
> On Sat, May 05, 2018 at 10:33:45PM +0200, Ludovic Courtès wrote:
> > Chris Marusich wrote:
> > > Should we refrain from adding this package simply because the author is
> > > not maintaining it any more? I'm inclined to say "no", but one also has
> > > to consider whether it is a good idea to encourage people to use an
> > > unmaintained tool for protecting their privacy/anonymity. I'm not sure.
> >
> > It’s risky, indeed. As time passes it’s likely to have more and more
> > known-but-unfixed security issues, which isn’t great. Leo, thoughts on
> > this situation?
>
> I see two different issues here:
>
> 1) The project is unmaintained (last release 2016) and the underlying
> platform (Python 2) will become unmaintained in January 2020.
>
> I think these maintenance issues are not a blocker in this case. We
> package lots of software that has been basically abandoned for longer
> than MAT. Its source repo saw activity in March. On this subject, we
> should think about building from HEAD since those new commits will
> probably never be "released".
>
> 2) The software is not guaranteed to achieve its goals.
>
> I think the idea of "anonymizing" a file is always going to be
> manifested as a goal rather than a full solution. No matter the level of
> upstream maintenance, anonymity can never be guaranteed.
>
> So, I think it's okay to add the package with a big warning in the
> description, maybe even saying something scary like "only recommended
> for educational and research activity".

I agree (and hope we won't just drop python-2 in 2020 because that would be unreasonable).