Title: MAT2 0.7.0 Date: 2019-02-17 17:15 There is a new minor version of MAT2, the [0.7.0](https://0xacab.org/jvoisin/mat2/tags/0.7.0), with new features: more security, new fileformats, minor UX improvements, … I wanted to finish the epub support to do a new release, but apparently the Debian people are freezing things for [Buster](https://wiki.debian.org/DebianBuster) is happening soon™, so some people asked me to do a release before it. # Changelog - Add support for wmv files - Add support for gif files - Add support for html files - Sandbox external processes via bubblewrap - Simplify archive-based formats processing - The Nautilus extension now plays nicer with other extensions # Sandboxing via Bubblewrap Thanks to [intrigeri](https://gaffer.boum.org/intrigeri/) who was looking for a pretext to play with [bubblewrap](https://github.com/projectatomic/bubblewrap), calls to external processes (like [ffmpeg](https://ffmpeg.org/) when dealing with video formats, [exiftool](https://www.sno.phy.queensu.ca/~phil/exiftool/) for certain images formats, …) are now sandboxed with it. > Bubblewrap could be viewed as setuid implementation of a subset of user namespaces. `setuid`, `user namespaces`, … those aren't words that I like very much, because they often rhymes with "low hanging privilege escalation opportunities". Feel free to read bubblewrap's [source code](https://github.com/projectatomic/bubblewrap) to make your own opinion about it, it's an optional dependency, so no need to install it if you don't trust it. # About pypi mat2 is now [available on pypi](https://pypi.org/project/mat2/); because apparently everybody is using `pip install` in [virtualenv](https://virtualenv.pypa.io/en/stable/). The recommended way to install mat2 is via your package manager, because odds are that there is a cryptographic chain between the code that I have on my laptop and the package that you're installing: I'm [signing the releases](https://0xacab.org/jvoisin/mat2/tags), the package maintainer is verifying the signature, creating the package, signing it, uploading it to your favourite distribution repositories, where their signature is verified, and the package is finally signed by the release key of the distribution, which is finally verified on your machine before effectively installing the package. When you're doing a `pip install`, the archive is downloaded from pypi.org over https, and installed; usually in a virtualenv, sometimes system-wide. This is __bad__, you shouldn't be doing that, ever. Pypi [used to support](https://github.com/pypa/python-packaging-user-guide/pull/466) cryptographic signatures, but it kind of doesn't anymore, for [various](https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html) [reasons](https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/). If you really want to use pypi, you can verify the package's signature by appending `.asc` at the end of the tgz/whl file. # Conclusion Yay for external contributors, hurray for new supported fileformats, and as usual, help is [more than welcome](https://0xacab.org/jvoisin/mat2/issues?label_name%5B%5D=good+first+issue).