Hello, everyone.

Since there is apparently large interest in maintaining support
for Python 2 in Gentoo for some more time, I would like to request help
with Pillow.

Recently a number of vulnerabilities [1] have been reported against this
package. They're all fixed in 7.x which supports only Python 3.
The last Python 2 version (6.2.2) is certainly vulnerable to at least
some of them, and upstream doesn't seem to be actually maintaining it
(no commits to 6.2.x branch since January).

I did a quick CI run [2] to determine how many packages still require
py2 pillow. These seem to be:

app-office/impressive (old version)
app-office/scribus (all non-live ebuilds, USE=scripts)
media-gfx/uniconvertor (all versions)
media-plugins/mythplugins (old version + py2 removal from new)
net-print/pkpgcounter (all versions)
sci-libs/scipy (old versions)
sci-libs/scipy-python2 (all versions)

This means major trouble, as it would mean removing all scipy py2
revdeps.

If you wish for these packages to stay, please help out, determine which
CVEs affect pillow 6.x and prepare backports of relevant patches. TIA.

[1] https://bugs.gentoo.org/729672
[2] https://github.com/gentoo/gentoo/pull/16520

--
Best regards,
Michał Górny