pillow v9.3.0 #126

regro-cf-autotick-bot
Contributor

It is very likely that the current package version for this feedstock is out of date.

Checklist before merging this PR:

  • Dependencies have been updated if changed: see upstream
  • Tests have passed
  • Updated license if changed and license_file is packaged

Information about this PR:

  1. Feel free to push to the bot's branch to update this PR if needed.
  2. The bot will almost always only open one PR per version.
  3. The bot will stop issuing PRs if more than 3 version bump PRs generated by the bot are open. If you don't want to package a particular version please close the PR.
  4. If you want these PRs to be merged automatically, make an issue with @conda-forge-admin, please add bot automerge in the title and merge the resulting PR. This command will add our bot automerge feature to your feedstock.
  5. If this PR was opened in error or needs to be updated please add the bot-rerun label to this PR. The bot will close this PR and schedule another one. If you do not have permissions to add this label, you can use the phrase @conda-forge-admin, please rerun bot in a PR comment to have the conda-forge-admin add it for you.

Pending Dependency Version Updates

Here is a list of all the pending dependency version updates for this repo. Please double check all dependencies before merging.

Name | Upstream Version | Current Version
lcms2 | 2.14 | Anaconda-Server Badge

Dependency Analysis

Please note that this analysis is highly experimental. The aim here is to make maintenance easier by inspecting the package's dependencies. Importantly this analysis does not support optional dependencies, please double check those before making changes. If you do not want hinting of this kind ever please add bot: inspection: false to your conda-forge.yml. If you encounter issues with this feature please ping the bot team conda-forge/bot.

Analysis by source code inspection shows a discrepancy between it and the package's stated requirements in the meta.yaml.

Packages found by source code inspection but not in the meta.yaml:

  • arm_pyart
  • pytest
  • atheris
  • olefile
  • packaging

This PR was created by the regro-cf-autotick-bot. The regro-cf-autotick-bot is a service to automatically track the dependency graph, migrate packages, and propose package version updates for conda-forge. Feel free to drop us a line if there are any issues! This PR was generated by https://github.com/regro/autotick-bot/actions/runs/3371211158, please use this URL for debugging.

@conda-forge-linter

Hi! This is the friendly automated conda-forge-linting service.

I just wanted to let you know that I linted all conda-recipes in your PR (recipe) and found it was in an excellent condition.

@ocefpaf
Member

ocefpaf commented Nov 1, 2022

Looks like one test is failing:

_______________________________ test_load_blp1 ________________________________

    def test_load_blp1():
        with Image.open("Tests/images/blp/blp1_jpeg.blp") as im:
>           assert_image_equal_tofile(im, "Tests/images/blp/blp1_jpeg.png")

tests\test_file_blp.py:15: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests\helper.py:105: in assert_image_equal_tofile
    assert_image_equal(a, img, msg)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

a = <PIL.BlpImagePlugin.BlpImageFile image mode=RGB size=256x256 at 0x28EB98C6040>
b = <PIL.PngImagePlugin.PngImageFile image mode=RGB size=256x256 at 0x28EB98C6850>
msg = None

    def assert_image_equal(a, b, msg=None):
        assert a.mode == b.mode, msg or f"got mode {repr(a.mode)}, expected {repr(b.mode)}"
        assert a.size == b.size, msg or f"got size {repr(a.size)}, expected {repr(b.size)}"
        if a.tobytes() != b.tobytes():
            if HAS_UPLOADER:
                try:
                    url = test_image_results.upload(a, b)
                    logger.error(f"Url for test images: {url}")
                except Exception:
                    pass
    
>           assert False, msg or "got different content"
E           AssertionError: got different content

@bollwyvl
Contributor

recommend skipping the test, perhaps, as this release contains the fix for: https://nvd.nist.gov/vuln/detail/CVE-2022-45199

@bollwyvl
Contributor

@conda-forge-admin please rerender

@bollwyvl
Contributor

Upstream says

The reason that this wasn't detected sooner is that Pillow tests with libjpeg-turbo.

Is there a compelling reason not to do so?

@ocefpaf
Member

ocefpaf commented Nov 17, 2022

Is there a compelling reason not to do so?

Not really. We, conda-forge, have been planning to migrate to libjpeg-turbo for ages now. We need to figure out a way to do that safely ASAP.

@bollwyvl
Copy link
Contributor

safely

what dangers lurk? please forgive my ignorance! i see some license-averse stuff in the feedstock... are there other concerns?

@bollwyvl
Contributor

🍿 #128

@bollwyvl
Contributor

That fails on a different test.

@regro-cf-autotick-bot regro-cf-autotick-bot mentioned this pull request Jan 2, 2023
3 tasks
@h-vetinari
Member

h-vetinari commented Jan 2, 2023

@bollwyvl @ocefpaf

We now have a couple of passing PRs:

Which one of #126 / #128 do you prefer? Could also go to 9.4 directly, but there the same question reappears anyway.

@ocefpaf
Member

ocefpaf commented Jan 2, 2023

Which one of #126 / #128 do you prefer? Could also go to 9.4 directly, but there the same question reappears anyway.

We need an ecosystem-wide migration to drop jpeg in lieu of libjpeg-turbo to merge #128. While that is, IMO, the best path, we cannot merge that right now until we start the migration.

@ocefpaf ocefpaf closed this in #132 Jan 2, 2023
@h-vetinari
Member

We need an ecosystem-wide migration to drop jpeg in lieu of libjpeg-turbo to merge #128. While that is, IMO, the best path, we cannot merge that right now until we start the migration.

You do realise that you merged the libjpeg-turbo version in #132? I had noted this above, and it's obviously also in the diff of that PR. Also, I explicitly asked to merge one of the 9.3 builds first - there was no reason to skip it, and then I would have rebased #132 correctly based on what we do for 9.3.

I spent a bunch of time preparing this yesterday, and such rash actions are really counterproductive.

@ocefpaf
Member

ocefpaf commented Jan 2, 2023

You do realise that you merged the libjpeg-turbo version in #132?

Yep. Kind of wanted to give it a go after thinking about it. I believe we can start updating the feedstocks without a migration.

there was no reason to skip it, and then I would have rebased #132 correctly based on what we do for 9.3.

We can reopen and re-issue this one with your commits. If you don't want to do that I can do it for you.

I spent a bunch of time preparing this yesterday, and such rash actions are really counterproductive.

Sorry about that but your effort won't be wasted!

@h-vetinari
Member

Yep. Kind of wanted to give it a go after thinking about it. I believe we can start updating the feedstocks without a migration.

OK, just wanted to make sure because it was not in line with your comment here

We can reopen and re-issue this one with your commits. If you don't want to do that I can do it for you.

Not sure if worth the effort to create a branch, but in general, I find it better to avoid skipping versions (esp. if CI is green already). If there's any issue with 9.4 (as it was just released, that possibility exists), then we need to fall back all the way to 9.2 (and 9.3 has a CVE fix as noted above, etc.)

Sorry about that but your effort won't be wasted!

All good. 🙃

@ocefpaf
Member

ocefpaf commented Jan 2, 2023

OK, just wanted to make sure because it was not in line with your comment here

To be honest I should've edited my comment above b/c I changed my mind as soon as I hit enter there.

If there's any issue with 9.4 (as it was just released, that possibility exists), then we need to fall back all the way to 9.2 (and 9.3 has a CVE fix as noted above, etc.)

👍

Not sure if worth the effort to create a branch,

I'll leave that up to you. If you want to do that route I can do that, no problem.

@h-vetinari
Member

I'll leave that up to you. If you want to do that route I can do that, no problem.

Let's 🤞 our fingers that no issues come up with either 9.4 or the change to libjpeg-turbo; as long as that's the case, I don't see the need to create a branch for 9.3
