Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss]

MAT2 0.7.0
Sun 17 February 2019 — download

There is a new minor version of MAT2, the 0.7.0, with new features: more security, new fileformats, minor UX improvements, … I wanted to finish the epub support to do a new release, but apparently the Debian people are freezing things for Buster is happening soon™, so some people asked me to do a release before it.

Changelog

  • Add support for wmv files
  • Add support for gif files
  • Add support for html files
  • Sandbox external processes via bubblewrap
  • Simplify archive-based formats processing
  • The Nautilus extension now plays nicer with other extensions

Sandboxing via Bubblewrap

Thanks to intigeri who was looking for a pretext to play with bubblewrap, calls to external processes (like ffmpeg when dealing with video formats, exiftool for certain images formats, …) are now sandboxed with it.

Bubblewrap could be viewed as setuid implementation of a subset of user namespaces.

setuid, user namespaces, … those aren't words that I like very much, because they often rhymes with "low hanging privilege escalation opportunities". Feel free to read bubblewrap's source code to make your own opinion about it, it's an optional dependency, so no need to install it if you don't trust it.

About pypi

mat2 is now available on pypi; because apparently everybody is using pip install in virtualenv.

The recommended way to install mat2 is via your package manager, because odds are that there is a cryptographic chain between the code that I have on my laptop and the package that you're installing: I'm signing the releases, the package maintainer is verifying the signature, creating the package, signing it, uploading it to your favourite distribution repositories, where their signature is verified, and the package is finally signed by the release key of the distribution, which is finally verified on your machine before effectively installing the package.

When you're doing a pip install, the archive is downloaded from pypi.org over https, and installed; usually in a virtualenv, sometimes system-wide. This is bad, you shouldn't be doing that, ever.

Pypi used to support cryptographic signatures, but it kind of doesn't anymore, for various reasons.

If you really want to use pypi, you can verify the package's signature by appending .asc at the end of the tgz/whl file.

Conclusion

Yay for external contributors, hurray for new supported fileformats, and as usual, help is more than welcome.