Hello, everyone. Since there is apparently large interest in maintaining support for Python 2 in Gentoo for some more time, I would like to request help with Pillow.
Recently a number of vulnerabilities [1] have been reported against this package. They're all fixed in 7.x, which supports only Python 3. The last Python 2 version (6.2.2) is certainly vulnerable to at least some of them, and upstream doesn't seem to be actually maintaining it (no commits to the 6.2.x branch since January).

I did a quick CI run [2] to determine how many packages still require py2 pillow. These seem to be:

  app-office/impressive (old version)
  app-office/scribus (all non-live ebuilds, USE=scripts)
  media-gfx/uniconvertor (all versions)
  media-plugins/mythplugins (old version + py2 removal from new)
  net-print/pkpgcounter (all versions)
  sci-libs/scipy (old versions)
  sci-libs/scipy-python2 (all versions)

This means major trouble, as it would mean removing all scipy py2 revdeps.

If you wish for these packages to stay, please help out: determine which CVEs affect pillow 6.x and prepare backports of the relevant patches.

TIA.

[1] https://bugs.gentoo.org/729672
[2] https://github.com/gentoo/gentoo/pull/16520

-- 
Best regards,
Michał Górny