Upgrading min Pillow requirement version to 6.1.0 #5358
Conversation
alexdesiqueira
added
the
🔧 type: Maintenance
|
According to the discussion in #5340, where @jni says:
This way, we have: So we could update Pillow to
... and other scary warnings. For now, I'll leave this open for discussion, if you'd like. Else, please close it 🙂 |
alexdesiqueira
changed the title
|
we mainly have PIL as a direct dependency for io collections, and indirectly from imageio. A way to attack this issue is to remove direct PIL imports. THis is something I investigated, with the help of @jni. It appears that we have a piece of code to load series of tiff images and series of animated gif images. Afaik, the main stopper is that imageio doesn't have the capability to read animated gif and we delegate this to PIL. I don't know how much reading animated gif is important. I believe this point of view can help in the debate as well. |
|
Yeah, I've always considered security "above my pay grade". This all just makes me think I was right. 😂 And also about delegating all io to imageio. At any rate: I think the NEP-29 guideline is just that — a guideline, and it can be overridden in cases where it makes sense. If pillow 8.1.2 is available on conda-forge, Anaconda defaults, etc, I'm happy to bump up the dependency. Another alternative is to defer our imports of pillow and raise a warning when it is imported if the version predates 8.1.2. I'm ok with either option, so I'm going to approve this and let the next person decide. ;) |
|
In the past, we decided to set a warning. |
How would be that warning? |
|
See #4861 ;) |
|
I did some research today on this:
It seems that imageio does this now — through PIL.
Maybe we could use imageio's alternative; they would deal with Pillow, then. How does that sound? |
requirements/default.txt
Outdated
| @@ -2,7 +2,7 @@ numpy>=1.16.5 | |||
| scipy>=1.2.3 | |||
| matplotlib>=3.0.3 | |||
| networkx>=2.2 | |||
| pillow>=5.4.0,!=7.1.0,!=7.1.1 | |||
| pillow>=8.1.2 | |||
There was a problem hiding this comment.
THen, I guess you want to relax the min version
There was a problem hiding this comment.
see above for the min req
THen, I guess you want to relax the min version
Sorry @sciunto, I didn't get it 🙂
There was a problem hiding this comment.
Don't you want to set >=6.1.0 or so? otherwise, the warning doesn't make sense anymore.
There was a problem hiding this comment.
I expect it to be >=8.1.2, but I updated the CVE numbers on the warning to reflect the latest issues. Isn't it the way to do here?
What would you prefer? To set up >=6.1.0?
There was a problem hiding this comment.
If you choose > 8.1.2, no need to have the warning, because the users will be forced to upgrade. If we do not want to force the upgrade, then warning and >6.1.0. THat's my understanding.
There was a problem hiding this comment.
@sciunto got it. I thought the warning would check if the machine has that version, and would ask to update based on that.
Warning off, then? 🙂
Yes, I was reading imageio's doc and didn't see that support. But, if it works, then definitely yes. |
We can try this in a different PR. |
|
I feel like security issues are for system integrators to worry about. Problems and bugs come and go (well they come and they come). security issues would bump us to bleeding edge. |
|
@hmaarrfk you have a point. I'll put 6.1.0 in this one, then, and leave the latest warnings; this way we'll get a full version up, at least |
alexdesiqueira
changed the title
|
Thank you @alexdesiqueira |
sciunto
changed the title
Description
Dependabot is showing some issues on Pillow < 8.1.1. Maybe upgrading won't hurt?
Checklist
./doc/examples(new features only)./benchmarks, if your changes aren't covered by anexisting benchmark
For reviewers
later.
__init__.py.doc/release/release_dev.rst.