| 1 |
Hello, everyone. |
| 2 |
|
| 3 |
Since there is apparently large interest in maintaining support |
| 4 |
for Python 2 in Gentoo for some more time, I would like to request help |
| 5 |
with Pillow. |
| 6 |
|
| 7 |
Recently a number of vulnerabilities [1] have been reported against this |
| 8 |
package. They're all fixed in 7.x which supports only Python 3. |
| 9 |
The last Python 2 version (6.2.2) is certainly vulnerable to at least |
| 10 |
some of them, and upstream doesn't seem to be actually maintaining it |
| 11 |
(no commits to 6.2.x branch since January). |
| 12 |
|
| 13 |
I've did a quick CI run [2] to determine how many packages still require |
| 14 |
py2 pillow. These seem to be: |
| 15 |
|
| 16 |
app-office/impressive (old version) |
| 17 |
app-office/scribus (all non-live ebuilds, USE=scripts) |
| 18 |
media-gfx/uniconvertor (all versions) |
| 19 |
media-plugins/mythplugins (old version + py2 removal from new) |
| 20 |
net-print/pkpgcounter (all versions) |
| 21 |
sci-libs/scipy (old versions) |
| 22 |
sci-libs/scipy-python2 (all versions) |
| 23 |
|
| 24 |
This means major trouble, as it would mean removing all scipy py2 |
| 25 |
revdeps. |
| 26 |
|
| 27 |
If you wish for these packages to stay, please help out, determine which |
| 28 |
CVEs affect pillow 6.x and prepare backports of relevant patches. TIA. |
| 29 |
|
| 30 |
|
| 31 |
[1] https://bugs.gentoo.org/729672 |
| 32 |
[2] https://github.com/gentoo/gentoo/pull/16520 |
| 33 |
|
| 34 |
-- |
| 35 |
Best regards, |
| 36 |
Michał Górny |
Archives