Release Pillow 8.0.0 on October 15, 2020 #4764
Review of deprecations:

Will begin the release process a bit later this evening so we're ready to release later tonight or tomorrow morning.

@cgohlke Please could we have Windows binaries for 8.0.0?

Here you go.

Thanks! Release is out!
Misc. notes: The Travis wheel builder took ages; there are meant to be 5 parallel jobs but there were only 2 or 4 running. Other accounts I checked on https://travis-ci.org/ only had 4 parallel. It took 1 hr 42 min 52 sec (tag). Then I downloaded wheels from https://github.com/python-pillow/pillow-wheels/releases/tag/8.0.0 with:

    # brew install fetch
    mkdir /tmp/assets
    fetch --repo https://github.com/python-pillow/pillow-wheels --release-asset="\.whl" --progress --tag 8.0.0 /tmp/assets
Travis has been running at almost full capacity the last few days. There was a large uptick in the queue length just before the release started: https://www.traviscistatus.com#system-metrics

True, I don't think I've seen 5 concurrent jobs on my repo at all this week.

Can you pin the new tweet (and maybe update the release checklist)? The 7.2.0 release is still pinned on Twitter.

I can't pin via TweetDeck, @aclark4life please could you do it?

Done! Thanks all ❤️
Hi, I see the following in our CI that uses Ubuntu Xenial:

I guess Xenial is no longer supported?
Xenial is supported but Python 3.5 and lower are not. What Python do you have? Are you using pip older than version 9? If you update pip to 9+, it should fetch the correct version of Pillow for you.

    python3 -m pip install --upgrade pip
    python3 -m pip install --upgrade Pillow

I recommend upgrading pip to make sure you have the latest security updates (here's one), and to use the latest features of pip, notably the

Anyway, you can still use old pip by pinning, for example:
I am not insisting on using the old
but this is a minor problem. I guess these users are a small circle by now and hopefully won't open too many duplicate issues.
Looks like the Windows wheels do not have CBDT support enabled: #4998 (comment)

Cross-posting @nulano's #4998 (comment):

Does this affect Pillow wheels and do we need an 8.0.1 release?
Here is the FreeType discussion about the CVE: https://savannah.nongnu.org/bugs/?59308 The report has an attached test font file; I think the following snippet should trigger the exploit. Running it in a build with address sanitization enabled should report an issue, but I can't test that on Windows. Just enabling heap verification with

    >>> from PIL import ImageFont  # ImageFont, not ImageFile: truetype() is defined in ImageFont
    # font.ttf from the FreeType report
    >>> ImageFont.truetype("font.ttf", 150).getmask("ABC")
    # heap corruption happens here
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "c:\git\pillow\src\PIL\ImageFont.py", line 572, in getmask
        ink=ink,
      File "c:\git\pillow\src\PIL\ImageFont.py", line 652, in getmask2
        text, mode, direction, features, language, anchor
    OSError: broken file
    # I think this exception is raised after the heap corruption

It is not necessary to pass

As I mentioned in the comment above, the Travis log suggests that Linux and macOS wheels are exploitable (the

It sounds to me like an 8.0.1 release is needed, ideally before the Chrome exploit details are made public on 2020-10-26.
I think we should ship a new version, and if we do one binary release, we have to do all of them.

Okay, I'll do 8.0.1. We've already updated FreeType to 2.10.4 in the Mac/Linux wheel builder. It's not needed for Windows wheels, but let's include #4998 for consistency. Will also include #4992 to help with the release process. Anything else we need (other than release notes etc.)?

Is there the potential that any older releases are affected, or is this something that got enabled with the color font support? We should have a list of potentially vulnerable releases, and specifically mention the last Python 2 release.

Before #4955 bitmap fonts were disabled with

Other than that, it is sufficient for FreeType to be compiled with libpng enabled. I do not see any changes specific to colour font support in the git blame of

It would be nice to actually add libpng / CBDT font support to the Windows wheels, but it is obviously not necessary. This requires

Feedback welcome on release notes: #5000
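As an added, defender-side check that is not part of this thread: the script below reports which FreeType the local Pillow build links against and flags anything older than the 2.10.4 named above as carrying the fix. It assumes PIL.features.check_module and PIL.features.version_module (the latter present from Pillow 8.0) and degrades to None when Pillow is not installed; as the thread notes, an old FreeType only matters when it was built with libpng/CBDT support, which the Windows wheels lack, so treat a hit as "needs review" rather than proof of exposure.

```python
"""Report whether the running Pillow build links a FreeType older than 2.10.4."""
import re

# Version the thread names as the one carrying the fix (assumed threshold).
FIXED_FREETYPE = (2, 10, 4)


def parse_version(text):
    """Turn '2.10.4' (or '2.10.4-git', '2.10') into a comparable integer tuple."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_freetype(version_text):
    """True when the FreeType version string parses and is older than the fix."""
    parsed = parse_version(version_text)
    return parsed is not None and parsed < FIXED_FREETYPE


def freetype_status():
    """Describe the local Pillow/FreeType build, or return None if Pillow is absent.

    Uses PIL.features.check_module / version_module; version_module only exists
    in Pillow 8.0+, so older installs are reported with an unknown version.
    """
    try:
        from PIL import features
    except ImportError:
        return None
    if not features.check_module("freetype2"):
        return {"freetype": None, "needs_update": False}
    get_version = getattr(features, "version_module", None)
    version = get_version("freetype2") if get_version else None
    return {"freetype": version, "needs_update": is_vulnerable_freetype(version)}


if __name__ == "__main__":
    print(freetype_status())
```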
Release Checklist

Point Release
Released as needed for security, installation or critical bug fixes.

Binary Distributions
Windows
Mac and Linux

Publicize Release
Documentation
Docker Images
Cherry picked these:

GHA Windows CI failed with "Overwrite D:\a\Pillow\Pillow\Tests\images\string_dimension.tiff (Yes/No/All)?", will be because of #4993 / python-pillow/pillow-depends#34, so will include that too: f886bc9. Edit: passing now 👍

See #5001 to avoid this in the future.

The Mac and Linux wheel builder is running, currently with one "parallel" job, so it's going to take a long time. @cgohlke Please could you make Windows binaries for Pillow 8.0.1, making sure to first update to FreeType 2.10.4 to include the security fix? Thank you!

Here you go.

Thank you! Travis CI only had 0-3 parallel jobs and took 3.5 hours instead of the usual 5 parallel jobs and half an hour. Released!

Thanks all!
A major bump because the next release will drop EOL Python 3.5 (#4746). Will also be the first version to support Python 3.9.

Needs release notes:

Release Checklist

Main Release
Released quarterly on January 2nd, April 1st, July 1st and October 15th.
- master branch.
- Travis CI and AppVeyor to confirm passing tests in master branch.
- src/PIL/_version.py
- CHANGES.rst
- make release-test in a freshly cloned repo.
- twine upload dist/Pillow-5.2.0*
- .dev0 to version identifier in src/PIL/_version.py

Binary Distributions
Windows
- @cgohlke for Windows binaries via release ticket e.g. Release 2.9.0 on July 1, 2015 #1174.
- @cgohlke and twine upload *
Mac and Linux
- git clone https://github.com/python-pillow/pillow-wheels
  cd pillow-wheels
  ./update-pillow-tag.sh [[release tag]]

Publicize Release
Documentation
Docker Images
- git clone https://github.com/python-pillow/docker-images
  cd docker-images
  ./update-pillow-tag.sh [[release tag]]