Upgrading min Pillow requirement version to 6.1.0 #5358
Conversation
According to the discussion in #5340, where @jni says:
This way, we have:
So we could update Pillow to
... and other scary warnings. For now, I'll leave this open for discussion, if you'd like. Else, please close it 🙂
We mainly have PIL as a direct dependency for io collections, and indirectly from imageio. A way to attack this issue is to remove direct PIL imports. This is something I investigated, with the help of @jni. It appears that we have a piece of code to load series of tiff images and series of animated gif images. Afaik, the main stopper is that imageio doesn't have the capability to read animated gif and we delegate this to PIL. I don't know how much reading animated gif is important. I believe this point of view can help in the debate as well.
Yeah, I've always considered security "above my pay grade". This all just makes me think I was right. 😂 And also about delegating all io to imageio. At any rate: I think the NEP-29 guideline is just that — a guideline, and it can be overridden in cases where it makes sense. If pillow 8.1.2 is available on conda-forge, Anaconda defaults, etc, I'm happy to bump up the dependency. Another alternative is to defer our imports of pillow and raise a warning when it is imported if the version predates 8.1.2. I'm ok with either option, so I'm going to approve this and let the next person decide. ;)
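A sketch of the deferred import-time check described above, added here as an illustration; it is not code from the scikit-image repository or from #4861. The minimum `(8, 1, 2)` is the version named in the comment, and the two excluded releases are the ones the existing requirement line rules out; the function names and the exact warning text are assumptions.

```python
import re
import warnings

# Minimum version from the comment above; the final PR settles on a different floor,
# so treat this constant as a stand-in, not the project's real threshold.
MIN_PILLOW_VERSION = (8, 1, 2)
# Releases excluded by the existing requirement line (pillow>=5.4.0,!=7.1.0,!=7.1.1).
EXCLUDED_PILLOW_VERSIONS = {(7, 1, 0), (7, 1, 1)}

# Leading numeric "major.minor[.patch]" prefix; suffixes such as ".post1" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Return (major, minor, patch) for strings like '8.1.2', '7.1' or '7.1.0.post1'.

    Raises ValueError when no numeric prefix is present, so a malformed
    __version__ is reported instead of silently passing the check.
    """
    match = _VERSION_RE.match(version_string.strip())
    if match is None:
        raise ValueError(f"unrecognized version string: {version_string!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def pillow_version_problem(version_string, minimum=MIN_PILLOW_VERSION,
                           excluded=EXCLUDED_PILLOW_VERSIONS):
    """Return a description of why this Pillow version is unacceptable, or None.

    Tuple comparison gives the usual numeric ordering, so '10.0.0' sorts after
    '8.1.2' (a plain string comparison would get that wrong).
    """
    parsed = parse_version(version_string)
    if parsed in excluded:
        return (f"Pillow {version_string} is an excluded release; "
                f"install a version outside {sorted(excluded)}.")
    if parsed < minimum:
        min_text = ".".join(str(part) for part in minimum)
        return (f"Pillow {version_string} predates {min_text}; "
                f"please upgrade (pip install 'pillow>={min_text}').")
    return None


def check_pillow(version_string=None):
    """Deferred check: import PIL only when called, warn if the version is too old.

    Returns True when the installed version is acceptable and False when a
    warning was emitted. Passing version_string explicitly skips the import,
    which keeps the logic testable without Pillow installed.
    """
    if version_string is None:
        import PIL  # deferred so the check never runs at package import time
        version_string = PIL.__version__
    problem = pillow_version_problem(version_string)
    if problem is not None:
        warnings.warn(problem, UserWarning, stacklevel=2)
        return False
    return True
```

Calling `check_pillow()` from the io module that actually needs PIL (rather than from the package `__init__`) is what makes the import deferred: users who never touch the GIF/TIFF paths neither import Pillow nor see the warning.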
In the past, we decided to set a warning.
How would be that warning?
See #4861 ;)
I did some research today on this:
It seems that imageio does this now — through PIL.
Maybe we could use imageio's alternative; they would deal with Pillow, then. How does that sound?
requirements/default.txt
@@ -2,7 +2,7 @@ numpy>=1.16.5 | |||
scipy>=1.2.3 | |||
matplotlib>=3.0.3 | |||
networkx>=2.2 | |||
pillow>=5.4.0,!=7.1.0,!=7.1.1 | |||
pillow>=8.1.2 |
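Review bot: the new line `pillow>=8.1.2` drops the `!=7.1.0,!=7.1.1` exclusions from the old requirement, which is harmless while the floor is 8.1.2, but the PR title and the last comment in the thread settle on a 6.1.0 floor; if this line is lowered to 6.1.0 the two excluded releases fall back inside the allowed range and the exclusions should be restored (`pillow>=6.1.0,!=7.1.0,!=7.1.1`). As @sciunto points out below, a `>=8.1.2` floor also makes the version warning unreachable, so the hunk should match whichever of the two mechanisms (hard floor or warning) is kept.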
Then, I guess you want to relax the min version
see above for the min req
Then, I guess you want to relax the min version
Sorry @sciunto, I didn't get it 🙂
Don't you want to set >=6.1.0 or so? Otherwise, the warning doesn't make sense anymore.
I expect it to be >=8.1.2, but I updated the CVE numbers on the warning to reflect the latest issues. Isn't it the way to do here?
What would you prefer? To set up >=6.1.0?
If you choose > 8.1.2, no need to have the warning, because the users will be forced to upgrade. If we do not want to force the upgrade, then warning and >6.1.0. That's my understanding.
@sciunto got it. I thought the warning would check if the machine has that version, and would ask to update based on that.
Warning off, then? 🙂
Yes, I was reading imageio's doc and didn't see that support. But, if it works, then definitely yes.
see above for the min req
We can try this in a different PR.
I feel like security issues are for system integrators to worry about. Problems and bugs come and go (well, they come and they come). Security issues would bump us to bleeding edge.
@hmaarrfk you have a point. I'll put 6.1.0 in this one, then, and leave the latest warnings; this way we'll get a full version up, at least.
Thank you @alexdesiqueira |
Description
Dependabot is showing some issues on Pillow < 8.1.1. Maybe upgrading won't hurt?