Hello, everyone.

Since there is apparently large interest in maintaining support
for Python 2 in Gentoo for some more time, I would like to request help
with Pillow.

Recently a number of vulnerabilities [1] have been reported against this
package.  They're all fixed in 7.x which supports only Python 3.
The last Python 2 version (6.2.2) is certainly vulnerable to at least
some of them, and upstream doesn't seem to be actually maintaining it
(no commits to 6.2.x branch since January).

I did a quick CI run [2] to determine how many packages still require
py2 pillow.  These seem to be:

app-office/impressive (old version)
app-office/scribus (all non-live ebuilds, USE=scripts)
media-gfx/uniconvertor (all versions)
media-plugins/mythplugins (old version + py2 removal from new)
net-print/pkpgcounter (all versions)
sci-libs/scipy (old versions)
sci-libs/scipy-python2 (all versions)

This means major trouble, as it would mean removing all scipy py2
revdeps.

If you wish for these packages to stay, please help out, determine which
CVEs affect pillow 6.x and prepare backports of relevant patches.  TIA.


[1] https://bugs.gentoo.org/729672
[2] https://github.com/gentoo/gentoo/pull/16520

-- 
Best regards,
Michał Górny
